Managed Identity in MSALJS (#6880)

Co-authored-by: Robbie Ginsburg <[email protected]>

Author: Robbie-Microsoft

change/@azure-msal-common-70f32e81-8837-41d6-b652-33ef7f494eba.json

@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Implemented Managed Identity in MSAL-Node",
+  "packageName": "@azure/msal-common",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

change/@azure-msal-node-158b3399-c154-4497-b6bf-03e3db70c413.json

@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Implemented Managed Identity in MSAL-Node",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

lib/msal-common/src/authority/Authority.ts

@@ -87,6 +87,8 @@ export class Authority {
     protected performanceClient: IPerformanceClient | undefined;
     // Correlation Id
     protected correlationId: string;
+    // Indicates if the authority is fake, for the purpose of a Managed Identity Application
+    private managedIdentity: boolean;
     // Reserved tenant domain names that will not be replaced with tenant id
     private static reservedTenantDomains: Set<string> = new Set([
         "{tenant}",
@@ -103,7 +105,8 @@ export class Authority {
         authorityOptions: AuthorityOptions,
         logger: Logger,
         correlationId: string,
-        performanceClient?: IPerformanceClient
+        performanceClient?: IPerformanceClient,
+        managedIdentity?: boolean
     ) {
         this.canonicalAuthority = authority;
         this._canonicalAuthority.validateAsUri();
@@ -118,6 +121,7 @@ export class Authority {
         this.logger = logger;
         this.performanceClient = performanceClient;
         this.correlationId = correlationId;
+        this.managedIdentity = managedIdentity || false;
         this.regionDiscovery = new RegionDiscovery(
             networkInterface,
             this.logger,
@@ -383,7 +387,7 @@ export class Authority {
     }
 
     /**
-     * Boolean that returns whethr or not tenant discovery has been completed.
+     * Boolean that returns whether or not tenant discovery has been completed.
      */
     discoveryComplete(): boolean {
         return !!this.metadata;
@@ -1165,7 +1169,9 @@ export class Authority {
      * helper function to generate environment from authority object
      */
     getPreferredCache(): string {
-        if (this.discoveryComplete()) {
+        if (this.managedIdentity) {
+            return Constants.DEFAULT_AUTHORITY_HOST;
+        } else if (this.discoveryComplete()) {
             return this.metadata.preferred_cache;
         } else {
             throw createClientAuthError(

lib/msal-common/src/config/ClientConfiguration.ts

@@ -6,7 +6,10 @@
 import { INetworkModule } from "../network/INetworkModule";
 import { DEFAULT_CRYPTO_IMPLEMENTATION, ICrypto } from "../crypto/ICrypto";
 import { ILoggerCallback, Logger, LogLevel } from "../logger/Logger";
-import { Constants } from "../utils/Constants";
+import {
+    Constants,
+    DEFAULT_TOKEN_RENEWAL_OFFSET_SEC,
+} from "../utils/Constants";
 import { version } from "../packageMetadata";
 import { Authority } from "../authority/Authority";
 import { AzureCloudInstance } from "../authority/AuthorityOptions";
@@ -21,9 +24,6 @@ import {
     createClientAuthError,
 } from "../error/ClientAuthError";
 
-// Token renewal offset default in seconds
-const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
-
 /**
  * Use the configuration object to configure MSAL Modules and initialize the base interfaces for MSAL.
  *

lib/msal-common/src/index.ts

@@ -204,6 +204,7 @@ export {
     GrantType,
     AADAuthorityConstants,
     HttpStatus,
+    DEFAULT_TOKEN_RENEWAL_OFFSET_SEC,
     JsonWebTokenTypes,
 } from "./utils/Constants";
 export * as AADServerParamKeys from "./constants/AADServerParamKeys";

lib/msal-common/src/utils/Constants.ts

@@ -65,11 +65,20 @@ export const Constants = {
 
 export const HttpStatus = {
     SUCCESS_RANGE_START: 200,
+    SUCCESS: 200,
     SUCCESS_RANGE_END: 299,
     REDIRECT: 302,
     CLIENT_ERROR_RANGE_START: 400,
+    BAD_REQUEST: 400,
+    UNAUTHORIZED: 401,
+    NOT_FOUND: 404,
+    REQUEST_TIMEOUT: 408,
+    TOO_MANY_REQUESTS: 429,
     CLIENT_ERROR_RANGE_END: 499,
     SERVER_ERROR_RANGE_START: 500,
+    INTERNAL_SERVER_ERROR: 500,
+    SERVICE_UNAVAILABLE: 503,
+    GATEWAY_TIMEOUT: 504,
     SERVER_ERROR_RANGE_END: 599,
 } as const;
 export type HttpStatus = (typeof HttpStatus)[keyof typeof HttpStatus];
@@ -370,3 +379,6 @@ export type JsonWebTokenTypes =
     (typeof JsonWebTokenTypes)[keyof typeof JsonWebTokenTypes];
 
 export const ONE_DAY_IN_MS = 86400000;
+
+// Token renewal offset default in seconds
+export const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;

lib/msal-node/docs/configuration.md

@@ -94,12 +94,13 @@ const msalInstance = new PublicClientApplication(msalConfig);
 
 ### System Config Options
 
-| Option               | Description                                           | Format                                                                                                                     | Default Value                                                                                                                        |
-| -------------------- | ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
-| `loggerOptions`      | Config object for logger.                             | See [below](#logger-config-options).                                                                                       | See [below](#logger-config-options).                                                                                                 |
-| `NetworkClient`      | Custom HTTP implementation                            | INetworkModule                                                                                                             | [HttpClient.ts](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/src/network/HttpClient.ts) |
-| `proxyUrl`           | The URL of the proxy the app is running behind        | string                                                                                                                     | Empty string `""`                                                                                                                    |
-| `customAgentOptions` | Set of configurable options to set on a http(s) agent | Object - [NodeJS documentation on alloweable options](https://nodejs.org/docs/latest-v16.x/api/http.html#new-agentoptions) | Empty Object `{}`                                                                                                                    |
+| Option                   | Description                                                                                                                                                                      | Format                                                                                                                     | Default Value                                                                                                                        |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
+| `loggerOptions`          | Config object for logger.                                                                                                                                                        | See [below](#logger-config-options).                                                                                       | See [below](#logger-config-options).                                                                                                 |
+| `NetworkClient`          | Custom HTTP implementation                                                                                                                                                       | INetworkModule                                                                                                             | [HttpClient.ts](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/src/network/HttpClient.ts) |
+| `proxyUrl`               | The URL of the proxy the app is running behind                                                                                                                                   | string                                                                                                                     | Empty string `""`                                                                                                                    |
+| `customAgentOptions`     | Set of configurable options to set on a http(s) agent                                                                                                                            | Object - [NodeJS documentation on alloweable options](https://nodejs.org/docs/latest-v16.x/api/http.html#new-agentoptions) | Empty Object `{}`                                                                                                                    |
+| `disableInternalRetries` | A flag that disables MSALJS's built-in retry policies, allowing the app developer to specify their own retry policy. Currently, only Managed Identity flows have a retry policy. | boolean                                                                                                                    | boolean `false`                                                                                                                      |
 
 #### Logger Config Options
 

lib/msal-node/docs/managed-identity.md

@@ -0,0 +1,118 @@
+# Managed Identity with MSALJS
+
+### Note
+
+> This feature is in preview and feedback is welcome. See the [preview package](https://www.npmjs.com/package/@azure/msal-node/v/2.6.5-alpha.0) that has been upload to npm.
+
+A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. [Managed identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) in Azure eliminate the need for developers to handle these credentials manually. MSALJS's msal-node library supports acquiring tokens through the managed identity service when used with applications running inside Azure infrastructure, such as:
+
+-   [Azure App Service](https://azure.microsoft.com/products/app-service/) (API version `2019-08-01` and above)
+-   [Azure VMs](https://azure.microsoft.com/free/virtual-machines/)
+-   [Azure Arc](https://learn.microsoft.com/en-us/azure/azure-arc/overview)
+-   [Azure Cloud Shell](https://learn.microsoft.com/en-us/azure/cloud-shell/overview)
+-   [Azure Service Fabric](https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-overview)
+
+For a complete list, refer to [Azure services that can use managed identities to access other services](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-status).
+
+> Browser-based MSALJS libraries do not offer confidential flows because there is no confidentiality between the browser and the token issuer. Additionally, they do not offer managed identity because the browser is not hosted on Azure.
+
+## Which SDK to use - Azure SDK or MSAL?
+
+MSAL libraries provide lower level APIs that are closer to the OAuth2 and OIDC protocols.
+
+Both MSALJS and [Azure SDK](https://learn.microsoft.com/en-us/javascript/api/overview/azure/identity-readme?view=azure-dotnet&preserve-view=true) allow tokens to be acquired via managed identity. Internally, Azure SDK uses MSALJS, and it provides a higher-level API via its `DefaultAzureCredential` and `ManagedIdentityCredential` abstractions.
+
+If your application already uses one of the SDKs, continue using the same SDK. Use Azure SDK, if you are writing a new application and plan to call other Azure resources, as this SDK provides a better developer experience by allowing the app to run on private developer machines where managed identity doesn't exist. Consider using MSAL if you need to call other downstream web APIs like Microsoft Graph or your own web API.
+
+## Quick start
+
+To quickly get started and see Azure Managed Identity in action, you can use one of [the samples](../../../samples/msal-node-samples/Managed-Identity) the team has built for this purpose.
+
+## How to use managed identities
+
+There are two types of managed identities available to developers - **system-assigned** and **user-assigned**. You can learn more about the differences in the [Managed identity types](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview#managed-identity-types) article. MSALJS supports acquiring tokens with both. [MSALJS logging](https://learn.microsoft.com/en-us/entra/identity-platform/msal-logging-js) allows to keep track of requests and related metadata.
+
+Prior to using managed identities from MSALJS, developers must enable them for the resources they want to use through Azure CLI or the Azure Portal.
+
+## Examples
+
+For both user-assigned and system-assigned identities, developers can use the [ManagedIdentityApplication](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/msi_feature_branch/lib/msal-node/src/client/ManagedIdentityApplication.ts) class.
+
+### System-assigned managed identities
+
+For system-assigned managed identities, the developer does not need to pass any additional information when creating an instance of ManagedIdentityApplication, as it will automatically infer the relevant metadata about the assigned identity.
+
+[acquireToken](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/msi_feature_branch/lib/msal-node/src/client/ManagedIdentityApplication.ts#L122) is called with the resource to acquire a token for, such as `https://management.azure.com`.
+
+```typescript
+// optional
+const config: ManagedIdentityConfiguration = {
+    system: {
+        loggerOptions: {
+            logLevel: LogLevel.Verbose,
+        } as LoggerOptions,
+    } as NodeSystemOptions,
+};
+
+const systemAssignedManagedIdentityApplication: ManagedIdentityApplication =
+    new ManagedIdentityApplication(config);
+
+const managedIdentityRequestParams: ManagedIdentityRequestParams = {
+    resource: "https://management.azure.com",
+};
+
+const response: AuthenticationResult =
+    await systemAssignedManagedIdentityApplication.acquireToken(
+        managedIdentityRequestParams
+    );
+console.log(response);
+```
+
+### User-assigned managed identities
+
+For user-assigned managed identities, the developer needs to pass either the client ID, full resource identifier, or the object ID of the managed identity when creating ManagedIdentityApplication.
+
+Like in the case for system-assigned managed identities, ` acquireToken` is called with the resource to acquire a token for, such as `https://management.azure.com`.
+
+```typescript
+const managedIdentityIdParams: ManagedIdentityIdParams = {
+    userAssignedClientId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+};
+
+const config: ManagedIdentityConfiguration = {
+    managedIdentityIdParams,
+    // optional
+    system: {
+        loggerOptions: {
+            logLevel: LogLevel.Verbose,
+        } as LoggerOptions,
+    } as NodeSystemOptions,
+};
+
+const userAssignedClientIdManagedIdentityApplication: ManagedIdentityApplication =
+    new ManagedIdentityApplication(config);
+
+const managedIdentityRequestParams: ManagedIdentityRequestParams = {
+    resource: "https://management.azure.com",
+};
+
+const response: AuthenticationResult =
+    await userAssignedClientIdManagedIdentityApplication.acquireToken(
+        managedIdentityRequestParams
+    );
+console.log(response);
+```
+
+## Caching
+
+MSALJS caches tokens from managed identity in memory. There is no eviction, but memory is not a concern because a limited number of managed identities can be defined. Cache extensibility is not supported in this scenario because tokens should not be shared between machines.
+
+## Troubleshooting
+
+For failed requests the error response contains a correlation ID that can be used for further diagnostics and log analysis. Keep in mind that the correlation IDs generated in MSALJS or passed into MSAL are different than the one returned in server error responses, as MSALJS cannot pass the correlation ID to managed identity token acquisition endpoints.
+
+### Potential errors
+
+#### `ManagedIdentityError` Error Code: `invalid_resource` Error Message: The supplied resource is an invalid URL.
+
+This exception might mean that the resource you are trying to acquire a token for is either not supported or is provided using the wrong resource ID format. Examples of correct resource ID formats include `https://management.azure.com/.default`, `https://management.azure.com`, and `https://graph.microsoft.com`.