Revise MSI v2 token revocation spec to focus on certificate revocation #5498
Conversation
Updated the document to reflect changes from 'Short-Lived Credential (SLC)' to 'Certificate' terminology and clarified the handling of certificate revocation scenarios.
docs/msi_v2/msiv2_revocation_spec.md
Outdated
| participant eSTS | ||
|
|
||
| Application ->> MSAL: 1. Request Access Token | ||
| MSAL ->> IMDS: 2. Request Certificate |
There was a problem hiding this comment.
The CSR metadata request is part of the flow. I think you should add it here.
There was a problem hiding this comment.
I still don't see it
| MSAL ->> eSTS: 4. Exchange Certificate for Access Token | ||
| eSTS -->> MSAL: 5. Response (HTTP 200 / error) | ||
|
|
||
| alt Token Revoked / Attestation invalid |
There was a problem hiding this comment.
both alts are the same except for 5a and 5b. Do you need to repeat the entire portion of the graph after those sections? Can you just group 5a and 5b together on the graph?
There was a problem hiding this comment.
these are two different error conditions
There was a problem hiding this comment.
Please explain the difference to me. Why aren't the diagrams the same for each condition?
| participant Application | ||
| participant MSAL | ||
| participant IMDS | ||
| participant eSTS |
There was a problem hiding this comment.
Why is there a "IMDS/eSTS" section? Why not point towards the already existing "IMDS" and "eSTS" sections?
There was a problem hiding this comment.
one is for cert revocation, that MSAL handles internally. The other is for token revocation.
There was a problem hiding this comment.
This isn't clear on the diagram. Can you use this wording on the diagram?
| | **AADSTS1000610–14 Auto-Remediation (Retry Fails)** | Same initial condition as above. New cert minted, retry still fails deterministically (e.g., repeated same code). | Failure surfaced after retry. (`CredentialOutcome=Retry Failed`) | | ||
| | **Unspecified Credential Issue** | eSTS returns `invalid_client` without codes. MSAL forces new certificate and retries. | Token succeeds or failure surfaced (assert correct `CredentialOutcome`). | | ||
| | **Claims Challenge Path** | Resource 401 with claims; app supplies claims; MSAL re-mints cert (`bypass_cache=true`) and retries with claims. | New token with claims. (`CredentialOutcome=Success`) | | ||
| | **IMDS/IssueCredential Failure Path** | `/issuecredential` call fails (network / service / malformed). | Failure returned; no infinite retry. (`CredentialOutcome=Retry Failed` if after a retry attempt) | |
There was a problem hiding this comment.
specify which retry policy
There was a problem hiding this comment.
not sure I follow this comment
There was a problem hiding this comment.
You mention "retry" several times in this spec. I'm asking you: what retry policy are we using for these retries?
Updated revocation scenarios and clarified certificate request process.
| @@ -0,0 +1,196 @@ | |||
| # Certificate Revocation Specification | |||
There was a problem hiding this comment.
Is this going to be implemented for preview?
There was a problem hiding this comment.
no, this is not for preview.
|
|
||
| This document outlines the design and implementation details for **certificate and token revocation** in MSI V2 scenarios. | ||
|
|
||
| In the MSI v2 authentication flow, MSAL first obtains a credential (certificate) from IMDS and uses it to request a token from eSTS. In some cases, eSTS may respond with an error indicating that the certificate/attestation is no longer valid. When this occurs, **MSAL must obtain a new certificate** before retrying the token request with eSTS. |
There was a problem hiding this comment.
MSAL first "makes a CSR metadata request"
Updated the document to reflect changes from 'Short-Lived Credential (SLC)' to 'Certificate' terminology and clarified the handling of certificate revocation scenarios.
Fixes - Spec update
Changes proposed in this request
This pull request updates the documentation for MSI V2 credential revocation, clarifying and expanding the specification to focus on certificate revocation (rather than short-lived credentials) and aligning terminology, flows, error handling, and acceptance tests with current implementation and Azure AD error codes. The changes provide detailed guidance on how MSAL should handle certificate revocation, claims challenges, and telemetry.
Key documentation improvements:
Terminology and Flow Updates:
Error Handling and Remediation:
Claims Challenge Handling:
Acceptance Tests and Telemetry:
MsalMsiCounterto reflect the new tags and expected values for improved diagnostics.Testing
n/a
Performance impact
n/a
Documentation
n/a