Add FMI (Federated Managed Identity) Design Specification for MSAL Go #583
Conversation
Added FMI spec
docs/fmi-msal-go-spec.md
Outdated
│ Public API Layer │
│ │
│ confidential.New() + WithFMIPath() │
│ .AcquireTokenForClient(WithAttributeTokens()) │
We do not plan to enable attribute tokens at this time. Only attributes.
Will update
And it should be a method similar to WithFMIPath(), at the same level.
docs/fmi-msal-go-spec.md
Outdated
└─────────────────┘

FMI Flows:
Flow 1: Certificate → FMI Credential
It's not really a certificate exchange for an FMI credential. It's the RMA, who has a credential registered in the dir (e.g. a cert), that is able to issue credentials for its children, who are not present in the directory.
Flow 1 is "RMA gets an FMI cred, for a leaf entity or for a sub-RMA"
Flow 2 is "RMA gets an FMI token for a leaf entity"
Flow 3 is "sub-RMA, who has an FMI credential, gets an FMI credential for a child sub-RMA"
Flow 5 is correct, and the most important one.
docs/fmi-msal-go-spec.md
Outdated
}

// NEW: Add FMI path hash to key for FMI tokens
if a.FMIPathHash != "" {
I would recommend a different design - the access token has a set of primary key components (ClientID, Scopes, etc.). You now want to add a set of additional key components, which is a dictionary of { name, val } pairs.
This way, the caching logic remains decoupled from other parts of MSAL. The other parts of MSAL just have to say "fmi_path=xyz is now part of the cache key".
Okay, I understand. Let me update that with the new design
And btw, attributes should be part of the cache key.
docs/fmi-msal-go-spec.md
Outdated
}

// Utility function to generate FMI path hash (SHA256, base64url encoded)
func generateFMIPathHash(fmiPath string) string {
The MSAL.NET spec states that you should also hash the key, not just the value.
e.g. new key components:
- Order the dictionary: "attributes=bla bla", "fmi_path=xyz"
- Create a string: attributesbla blafmi_pathxyz
- Hash this string
hashedString = Hash(attributesbla blafmi_pathxyz)
So basically the key will be
key = "597f86cd-13f3-44c0-bece-a1e77ba43228.f645ad92-e38d-4d1a-b510-d1b09a74a8ca-login.microsoftonline.com-token-4b0db8c2-9f26-4417-8bde-3f0e3656f8e0-{hashedString}"
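The cache-key scheme laid out in the two review comments above (extra key components as name/value pairs, ordered by name, name and value concatenated, hashed, and the hash appended as the last key segment), worked through as an added example in Go. This is not code from the PR or from MSAL Go. It assumes SHA-256 with unpadded base64url as the hash (the encoding the outdated spec snippet names for the path hash; the comment only says "hash this string"), a simplified set of primary key components joined with "-" to match the reviewer's sample key, and the names KeyComponent, AccessTokenKeyParts, HashExtraComponents and AccessTokenKey are hypothetical. The IDs in main() are the ones from the sample key above.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// KeyComponent is one additional cache-key component. The FMI code and the
// attributes code only hand the cache a pair such as {"fmi_path", "xyz"};
// the cache never needs to know what the pair means, which keeps the caching
// logic decoupled from the rest of MSAL.
type KeyComponent struct {
	Name  string
	Value string
}

// AccessTokenKeyParts holds the primary key components plus the optional
// extra components. The primary fields are an assumed, simplified subset
// chosen to reproduce the reviewer's sample key; they are not MSAL Go's.
type AccessTokenKeyParts struct {
	HomeAccountID  string // e.g. "{uid}.{utid}"
	Environment    string // e.g. "login.microsoftonline.com"
	CredentialType string // e.g. "token"
	ClientID       string
	Extra          []KeyComponent
}

// canonicalExtra orders the extra components by name and concatenates name
// followed by value for each one with no separator, exactly as the review
// steps describe: {"fmi_path","xyz"} and {"attributes","bla bla"} become
// "attributesbla blafmi_pathxyz". Sorting makes the result independent of
// the order in which callers registered their components.
func canonicalExtra(extra []KeyComponent) string {
	sorted := make([]KeyComponent, len(extra))
	copy(sorted, extra)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	var b strings.Builder
	for _, c := range sorted {
		b.WriteString(c.Name)
		b.WriteString(c.Value)
	}
	return b.String()
}

// HashExtraComponents returns SHA-256 of the canonical string, base64url
// encoded without padding (assumed; 43 characters for a 32-byte digest).
// An empty component set yields "" so tokens without extra components keep
// their existing key and nothing already cached is invalidated.
func HashExtraComponents(extra []KeyComponent) string {
	if len(extra) == 0 {
		return ""
	}
	sum := sha256.Sum256([]byte(canonicalExtra(extra)))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AccessTokenKey joins the primary components with "-" and appends the hashed
// extra components as a final segment when there are any. The hash segment is
// appended verbatim: base64url is case-sensitive, so do not lowercase it even
// if the primary segments are normalised elsewhere.
func AccessTokenKey(p AccessTokenKeyParts) string {
	segments := []string{p.HomeAccountID, p.Environment, p.CredentialType, p.ClientID}
	if h := HashExtraComponents(p.Extra); h != "" {
		segments = append(segments, h)
	}
	return strings.Join(segments, "-")
}

func main() {
	parts := AccessTokenKeyParts{
		HomeAccountID:  "597f86cd-13f3-44c0-bece-a1e77ba43228.f645ad92-e38d-4d1a-b510-d1b09a74a8ca",
		Environment:    "login.microsoftonline.com",
		CredentialType: "token",
		ClientID:       "4b0db8c2-9f26-4417-8bde-3f0e3656f8e0",
	}
	fmt.Println("key without extras:", AccessTokenKey(parts))

	// Registered in "wrong" order on purpose; the canonical form sorts them.
	parts.Extra = []KeyComponent{{Name: "fmi_path", Value: "xyz"}, {Name: "attributes", Value: "bla bla"}}
	fmt.Println("canonical string  :", canonicalExtra(parts.Extra))
	fmt.Println("key with FMI path :", AccessTokenKey(parts))
}
```

Two caveats for whoever implements this for real. First, concatenating name and value with no delimiter is ambiguous: {"a","bc"} and {"ab","c"} canonicalise to the same string, so two different component sets can share a cache key; the layout has to match what the other MSAL libraries hash, so follow whatever the shared spec fixes, and if it leaves the choice open, length-prefix or delimit each part. Second, the value that reaches the cache must already be canonical (for attributes, a stable serialisation), otherwise two equivalent attribute sets produce two keys and the cache silently misses.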
Update the feedback
Summary
This PR introduces a comprehensive design specification for implementing Federated Managed Identity (FMI) support in MSAL Go, addressing directory-less identity scenarios for high-cardinality use cases.
Key Features Designed
- AccessToken struct and Key() method to support FMI path hashing
Implementation Approach
Files Added
- fmi-msal-go-spec.md - Complete design specification with architecture, API design, and implementation phases
Documentation: Full spec included in this PR
Breaking Changes: None - additive functionality only