[Feature Request] Audit all /token parameters #5361

@bgavrilMS

Description

MSAL client type

Confidential, Managed identity

Problem statement

Extensibility APIs can lead to bad token caching, where people don't realize that tokens aren't actually cached by all params. We need to limit this by enhancing caching, by making extensibility APIs not for production (they should be already):

  • make OnBeforeTokenRequest experimental
  • if WithExtraQueryParameters, cache tokens by those params
  • introduce WithBodyParamters, cache tokens by those params (maybe have an allow-list of params that do not impact caching)
  • audit ID.Web's and other SDKs' usage of OnBeforeTokenRequest and how caching is impacted.
  • See IAuthenticationOperation GetTokenParameters - either deprecate it or make it use WithBodyParamters

Proposed solution

No response

Alternatives

No response
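
The caching gap described in the problem statement, as an added example that is not part of the original issue and is not MSAL's cache code. It is a toy cache in which every name is hypothetical, including the parameter names `sample_param` and `correlation_id` and the allow-list; it contrasts a key that ignores extra /token parameters with one that covers every parameter not on an allow-list.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Toy model of a token cache; all names here are hypothetical.
static class CacheKeyDemo
{
    // Constructed allow-list: parameters assumed not to change the issued token.
    static readonly HashSet<string> NoCacheImpact =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "correlation_id" };

    // Key built only from the usual fields; extra /token parameters are ignored.
    static string NaiveKey(string clientId, string tenant, string scope) =>
        $"{clientId}|{tenant}|{scope}";

    // Key that also covers every extra parameter not on the allow-list.
    static string ParamAwareKey(string clientId, string tenant, string scope,
                                IDictionary<string, string> extra)
    {
        // Sort by name so parameter order cannot produce different keys.
        var canonical = string.Join("&", extra
            .Where(p => !NoCacheImpact.Contains(p.Key))
            .OrderBy(p => p.Key, StringComparer.Ordinal)
            .Select(p => Uri.EscapeDataString(p.Key) + "=" + Uri.EscapeDataString(p.Value)));
        if (canonical.Length == 0) return NaiveKey(clientId, tenant, scope);
        var hash = SHA256.HashData(Encoding.UTF8.GetBytes(canonical));
        return NaiveKey(clientId, tenant, scope) + "|" + Convert.ToHexString(hash);
    }

    static void Main()
    {
        // Constructed requests: same app, tenant and scope, different extra parameter value.
        var reqA = new Dictionary<string, string> { ["sample_param"] = "A", ["correlation_id"] = "1" };
        var reqB = new Dictionary<string, string> { ["sample_param"] = "B", ["correlation_id"] = "2" };
        var naive = new Dictionary<string, string>();
        var aware = new Dictionary<string, string>();
        naive[NaiveKey("app", "tenant", "api/.default")] = "token-for-A";
        aware[ParamAwareKey("app", "tenant", "api/.default", reqA)] = "token-for-A";
        // Request B: the naive cache hits and hands back the token issued for request A.
        Console.WriteLine(naive.TryGetValue(NaiveKey("app", "tenant", "api/.default"), out var t1)
            ? $"naive: hit, returned {t1}" : "naive: miss");
        // The parameter-aware cache misses, so request B would go to the token endpoint.
        Console.WriteLine(aware.ContainsKey(ParamAwareKey("app", "tenant", "api/.default", reqB))
            ? "aware: hit" : "aware: miss");
    }
}
```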
