Reworked Managed Identity Retry Policy to be per-request (#7603)

Robbie-Microsoft · web-flow · commit e9441365b74e · 2025-03-06T16:11:52.000-05:00
The same retry policy was previously being used for all Managed Identity sources and requests. The retry policy will now be based on the Managed Identity source, and therefore will be per-request. Future Work: Create an IMDS retry policy to address [this bug](AzureAD/microsoft-authentication-library-for-dotnet#4998).
diff --git a/change/@azure-msal-node-4a430a9c-a11a-4acd-bb18-f8eaa2dcdba6.json b/change/@azure-msal-node-4a430a9c-a11a-4acd-bb18-f8eaa2dcdba6.json
@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Reworked Managed Identity Retry Policy to be per-request, which is based on the Managed Identity source. #7603",
+  "packageName": "@azure/msal-node",
+  "email": "rginsburg@microsoft.com",
+  "dependentChangeType": "patch"
+}
diff --git a/lib/msal-node/src/client/ManagedIdentityApplication.ts b/lib/msal-node/src/client/ManagedIdentityApplication.ts
@@ -111,7 +111,8 @@ export class ManagedIdentityApplication {
             this.logger,
             ManagedIdentityApplication.nodeStorage as NodeStorage,
             this.networkClient,
-            this.cryptoProvider
+            this.cryptoProvider,
+            this.config.disableInternalRetries
         );
     }
 
diff --git a/lib/msal-node/src/client/ManagedIdentityClient.ts b/lib/msal-node/src/client/ManagedIdentityClient.ts
@@ -35,6 +35,7 @@ export class ManagedIdentityClient {
     private nodeStorage: NodeStorage;
     private networkClient: INetworkModule;
     private cryptoProvider: CryptoProvider;
+    private disableInternalRetries: boolean;
 
     private static identitySource?: BaseManagedIdentitySource;
     public static sourceName?: ManagedIdentitySourceNames;
@@ -43,12 +44,14 @@ export class ManagedIdentityClient {
         logger: Logger,
         nodeStorage: NodeStorage,
         networkClient: INetworkModule,
-        cryptoProvider: CryptoProvider
+        cryptoProvider: CryptoProvider,
+        disableInternalRetries: boolean
     ) {
         this.logger = logger;
         this.nodeStorage = nodeStorage;
         this.networkClient = networkClient;
         this.cryptoProvider = cryptoProvider;
+        this.disableInternalRetries = disableInternalRetries;
     }
 
     public async sendManagedIdentityTokenRequest(
@@ -64,6 +67,7 @@ export class ManagedIdentityClient {
                     this.nodeStorage,
                     this.networkClient,
                     this.cryptoProvider,
+                    this.disableInternalRetries,
                     managedIdentityId
                 );
         }
@@ -126,6 +130,7 @@ export class ManagedIdentityClient {
         nodeStorage: NodeStorage,
         networkClient: INetworkModule,
         cryptoProvider: CryptoProvider,
+        disableInternalRetries: boolean,
         managedIdentityId: ManagedIdentityId
     ): BaseManagedIdentitySource {
         const source =
@@ -134,35 +139,46 @@ export class ManagedIdentityClient {
                 nodeStorage,
                 networkClient,
                 cryptoProvider,
+                disableInternalRetries,
                 managedIdentityId
             ) ||
             AppService.tryCreate(
                 logger,
                 nodeStorage,
                 networkClient,
-                cryptoProvider
+                cryptoProvider,
+                disableInternalRetries
             ) ||
             MachineLearning.tryCreate(
                 logger,
                 nodeStorage,
                 networkClient,
-                cryptoProvider
+                cryptoProvider,
+                disableInternalRetries
             ) ||
             CloudShell.tryCreate(
                 logger,
                 nodeStorage,
                 networkClient,
                 cryptoProvider,
+                disableInternalRetries,
                 managedIdentityId
             ) ||
             AzureArc.tryCreate(
                 logger,
                 nodeStorage,
                 networkClient,
                 cryptoProvider,
+                disableInternalRetries,
                 managedIdentityId
             ) ||
-            Imds.tryCreate(logger, nodeStorage, networkClient, cryptoProvider);
+            Imds.tryCreate(
+                logger,
+                nodeStorage,
+                networkClient,
+                cryptoProvider,
+                disableInternalRetries
+            );
         if (!source) {
             throw createManagedIdentityError(
                 ManagedIdentityErrorCodes.unableToCreateSource
diff --git a/lib/msal-node/src/client/ManagedIdentitySources/AppService.ts b/lib/msal-node/src/client/ManagedIdentitySources/AppService.ts
@@ -34,10 +34,17 @@ export class AppService extends BaseManagedIdentitySource {
         nodeStorage: NodeStorage,
         networkClient: INetworkModule,
         cryptoProvider: CryptoProvider,
+        disableInternalRetries: boolean,
         identityEndpoint: string,
         identityHeader: string
     ) {
-        super(logger, nodeStorage, networkClient, cryptoProvider);
+        super(
+            logger,
+            nodeStorage,
+            networkClient,
+            cryptoProvider,
+            disableInternalRetries
+        );
 
         this.identityEndpoint = identityEndpoint;
         this.identityHeader = identityHeader;
@@ -60,7 +67,8 @@ export class AppService extends BaseManagedIdentitySource {
         logger: Logger,
         nodeStorage: NodeStorage,
         networkClient: INetworkModule,
-        cryptoProvider: CryptoProvider
+        cryptoProvider: CryptoProvider,
+        disableInternalRetries: boolean
     ): AppService | null {
         const [identityEndpoint, identityHeader] =
             AppService.getEnvironmentVariables();
@@ -90,6 +98,7 @@ export class AppService extends BaseManagedIdentitySource {
             nodeStorage,
             networkClient,
             cryptoProvider,
+            disableInternalRetries,
             identityEndpoint,
             identityHeader
         );
diff --git a/lib/msal-node/src/client/ManagedIdentitySources/AzureArc.ts b/lib/msal-node/src/client/ManagedIdentitySources/AzureArc.ts
@@ -74,9 +74,16 @@ export class AzureArc extends BaseManagedIdentitySource {
         nodeStorage: NodeStorage,
         networkClient: INetworkModule,
         cryptoProvider: CryptoProvider,
+        disableInternalRetries: boolean,
         identityEndpoint: string
     ) {
-        super(logger, nodeStorage, networkClient, cryptoProvider);
+        super(
+            logger,
+            nodeStorage,
+            networkClient,
+            cryptoProvider,
+            disableInternalRetries
+        );
 
         this.identityEndpoint = identityEndpoint;
     }
@@ -122,6 +129,7 @@ export class AzureArc extends BaseManagedIdentitySource {
         nodeStorage: NodeStorage,
         networkClient: INetworkModule,
         cryptoProvider: CryptoProvider,
+        disableInternalRetries: boolean,
         managedIdentityId: ManagedIdentityId
     ): AzureArc | null {
         const [identityEndpoint, imdsEndpoint] =
@@ -181,6 +189,7 @@ export class AzureArc extends BaseManagedIdentitySource {
             nodeStorage,
             networkClient,
             cryptoProvider,
+            disableInternalRetries,
             identityEndpoint
         );
     }
diff --git a/lib/msal-node/src/client/ManagedIdentitySources/BaseManagedIdentitySource.ts b/lib/msal-node/src/client/ManagedIdentitySources/BaseManagedIdentitySource.ts
@@ -32,6 +32,7 @@ import {
     createManagedIdentityError,
 } from "../../error/ManagedIdentityError.js";
 import { isIso8601 } from "../../utils/TimeUtils.js";
+import { HttpClientWithRetries } from "../../network/HttpClientWithRetries.js";
 
 /**
  * Managed Identity User Assigned Id Query Parameter Names
@@ -50,17 +51,20 @@ export abstract class BaseManagedIdentitySource {
     private nodeStorage: NodeStorage;
     private networkClient: INetworkModule;
     private cryptoProvider: CryptoProvider;
+    private disableInternalRetries: boolean;
 
     constructor(
         logger: Logger,
         nodeStorage: NodeStorage,
         networkClient: INetworkModule,
-        cryptoProvider: CryptoProvider
+        cryptoProvider: CryptoProvider,
+        disableInternalRetries: boolean
     ) {
         this.logger = logger;
         this.nodeStorage = nodeStorage;
         this.networkClient = networkClient;
         this.cryptoProvider = cryptoProvider;
+        this.disableInternalRetries = disableInternalRetries;
     }
 
     abstract createRequest(
@@ -151,20 +155,32 @@ export abstract class BaseManagedIdentitySource {
                 networkRequest.computeParametersBodyString();
         }
 
+        /**
+         * Initializes the network client helper based on the retry policy configuration.
+         * If internal retries are disabled, it uses the provided network client directly.
+         * Otherwise, it wraps the network client with an HTTP client that supports retries.
+         */
+        const networkClientHelper: INetworkModule = this.disableInternalRetries
+            ? this.networkClient
+            : new HttpClientWithRetries(
+                  this.networkClient,
+                  networkRequest.retryPolicy
+              );
+
         const reqTimestamp = TimeUtils.nowSeconds();
         let response: NetworkResponse<ManagedIdentityTokenResponse>;
         try {
             // Sources that send POST requests: Cloud Shell
             if (networkRequest.httpMethod === HttpMethod.POST) {
                 response =
-                    await this.networkClient.sendPostRequestAsync<ManagedIdentityTokenResponse>(
+                    await networkClientHelper.sendPostRequestAsync<ManagedIdentityTokenResponse>(
                         networkRequest.computeUri(),
                         networkRequestOptions
                     );
                 // Sources that send GET requests: App Service, Azure Arc, IMDS, Service Fabric
             } else {
                 response =
-                    await this.networkClient.sendGetRequestAsync<ManagedIdentityTokenResponse>(
+                    await networkClientHelper.sendGetRequestAsync<ManagedIdentityTokenResponse>(
                         networkRequest.computeUri(),
                         networkRequestOptions
                     );
@@ -189,7 +205,7 @@ export abstract class BaseManagedIdentitySource {
         const serverTokenResponse: ServerAuthorizationTokenResponse =
             await this.getServerTokenResponseAsync(
                 response,
-                this.networkClient,
+                networkClientHelper,
                 networkRequest,
                 networkRequestOptions
             );
diff --git a/lib/msal-node/src/client/ManagedIdentitySources/CloudShell.ts b/lib/msal-node/src/client/ManagedIdentitySources/CloudShell.ts
@@ -33,9 +33,16 @@ export class CloudShell extends BaseManagedIdentitySource {
         nodeStorage: NodeStorage,
         networkClient: INetworkModule,
         cryptoProvider: CryptoProvider,
+        disableInternalRetries: boolean,
         msiEndpoint: string
     ) {
-        super(logger, nodeStorage, networkClient, cryptoProvider);
+        super(
+            logger,
+            nodeStorage,
+            networkClient,
+            cryptoProvider,
+            disableInternalRetries
+        );
 
         this.msiEndpoint = msiEndpoint;
     }
@@ -52,6 +59,7 @@ export class CloudShell extends BaseManagedIdentitySource {
         nodeStorage: NodeStorage,
         networkClient: INetworkModule,
         cryptoProvider: CryptoProvider,
+        disableInternalRetries: boolean,
         managedIdentityId: ManagedIdentityId
     ): CloudShell | null {
         const [msiEndpoint] = CloudShell.getEnvironmentVariables();
@@ -89,6 +97,7 @@ export class CloudShell extends BaseManagedIdentitySource {
             nodeStorage,
             networkClient,
             cryptoProvider,
+            disableInternalRetries,
             msiEndpoint
         );
     }
diff --git a/lib/msal-node/src/client/ManagedIdentitySources/Imds.ts b/lib/msal-node/src/client/ManagedIdentitySources/Imds.ts
@@ -34,9 +34,16 @@ export class Imds extends BaseManagedIdentitySource {
         nodeStorage: NodeStorage,
         networkClient: INetworkModule,
         cryptoProvider: CryptoProvider,
+        disableInternalRetries: boolean,
         identityEndpoint: string
     ) {
-        super(logger, nodeStorage, networkClient, cryptoProvider);
+        super(
+            logger,
+            nodeStorage,
+            networkClient,
+            cryptoProvider,
+            disableInternalRetries
+        );
 
         this.identityEndpoint = identityEndpoint;
     }
@@ -45,7 +52,8 @@ export class Imds extends BaseManagedIdentitySource {
         logger: Logger,
         nodeStorage: NodeStorage,
         networkClient: INetworkModule,
-        cryptoProvider: CryptoProvider
+        cryptoProvider: CryptoProvider,
+        disableInternalRetries: boolean
     ): Imds {
         let validatedIdentityEndpoint: string;
 
@@ -88,6 +96,7 @@ export class Imds extends BaseManagedIdentitySource {
             nodeStorage,
             networkClient,
             cryptoProvider,
+            disableInternalRetries,
             validatedIdentityEndpoint
         );
     }
diff --git a/lib/msal-node/src/client/ManagedIdentitySources/MachineLearning.ts b/lib/msal-node/src/client/ManagedIdentitySources/MachineLearning.ts
@@ -31,10 +31,17 @@ export class MachineLearning extends BaseManagedIdentitySource {
         nodeStorage: NodeStorage,
         networkClient: INetworkModule,
         cryptoProvider: CryptoProvider,
+        disableInternalRetries: boolean,
         msiEndpoint: string,
         secret: string
     ) {
-        super(logger, nodeStorage, networkClient, cryptoProvider);
+        super(
+            logger,
+            nodeStorage,
+            networkClient,
+            cryptoProvider,
+            disableInternalRetries
+        );
 
         this.msiEndpoint = msiEndpoint;
         this.secret = secret;
@@ -54,7 +61,8 @@ export class MachineLearning extends BaseManagedIdentitySource {
         logger: Logger,
         nodeStorage: NodeStorage,
         networkClient: INetworkModule,
-        cryptoProvider: CryptoProvider
+        cryptoProvider: CryptoProvider,
+        disableInternalRetries: boolean
     ): MachineLearning | null {
         const [msiEndpoint, secret] = MachineLearning.getEnvironmentVariables();
 
@@ -83,6 +91,7 @@ export class MachineLearning extends BaseManagedIdentitySource {
             nodeStorage,
             networkClient,
             cryptoProvider,
+            disableInternalRetries,
             msiEndpoint,
             secret
         );
diff --git a/lib/msal-node/src/client/ManagedIdentitySources/ServiceFabric.ts b/lib/msal-node/src/client/ManagedIdentitySources/ServiceFabric.ts
@@ -34,10 +34,17 @@ export class ServiceFabric extends BaseManagedIdentitySource {
         nodeStorage: NodeStorage,
         networkClient: INetworkModule,
         cryptoProvider: CryptoProvider,
+        disableInternalRetries: boolean,
         identityEndpoint: string,
         identityHeader: string
     ) {
-        super(logger, nodeStorage, networkClient, cryptoProvider);
+        super(
+            logger,
+            nodeStorage,
+            networkClient,
+            cryptoProvider,
+            disableInternalRetries
+        );
 
         this.identityEndpoint = identityEndpoint;
         this.identityHeader = identityHeader;
@@ -66,6 +73,7 @@ export class ServiceFabric extends BaseManagedIdentitySource {
         nodeStorage: NodeStorage,
         networkClient: INetworkModule,
         cryptoProvider: CryptoProvider,
+        disableInternalRetries: boolean,
         managedIdentityId: ManagedIdentityId
     ): ServiceFabric | null {
         const [identityEndpoint, identityHeader, identityServerThumbprint] =
@@ -107,6 +115,7 @@ export class ServiceFabric extends BaseManagedIdentitySource {
             nodeStorage,
             networkClient,
             cryptoProvider,
+            disableInternalRetries,
             identityEndpoint,
             identityHeader
         );
diff --git a/lib/msal-node/src/config/Configuration.ts b/lib/msal-node/src/config/Configuration.ts
diff --git a/lib/msal-node/src/config/ManagedIdentityRequestParameters.ts b/lib/msal-node/src/config/ManagedIdentityRequestParameters.ts
diff --git a/lib/msal-node/src/utils/Constants.ts b/lib/msal-node/src/utils/Constants.ts

Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,8 @@ export class ManagedIdentityApplication {`
`111`	`111`	`this.logger,`
`112`	`112`	`ManagedIdentityApplication.nodeStorage as NodeStorage,`
`113`	`113`	`this.networkClient,`
`114`		`- this.cryptoProvider`
	`114`	`+ this.cryptoProvider,`
	`115`	`+ this.config.disableInternalRetries`
`115`	`116`	`);`
`116`	`117`	`}`
`117`	`118`