Machine Learning Managed Identity now correctly uses MSI's 2017 API instead of the 2019 API (#7631)

Fixes #7597
Fixes #7627

Author: Robbie-Microsoft

change/@azure-msal-node-5da4bb96-46cf-43ee-bf4e-e2e181744c66.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Machine Learning Managed Identity now correctly uses MSI's 2017 API instead of the 2019 API #7631",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

lib/msal-node/src/client/ManagedIdentitySources/BaseManagedIdentitySource.ts

@@ -38,7 +38,8 @@ import { HttpClientWithRetries } from "../../network/HttpClientWithRetries.js";
  * Managed Identity User Assigned Id Query Parameter Names
  */
 export const ManagedIdentityUserAssignedIdQueryParameterNames = {
-    MANAGED_IDENTITY_CLIENT_ID: "client_id",
+    MANAGED_IDENTITY_CLIENT_ID_2017: "clientid", // 2017-09-01 API version
+    MANAGED_IDENTITY_CLIENT_ID: "client_id", // 2019+ API versions
     MANAGED_IDENTITY_OBJECT_ID: "object_id",
     MANAGED_IDENTITY_RESOURCE_ID_IMDS: "msi_res_id",
     MANAGED_IDENTITY_RESOURCE_ID_NON_IMDS: "mi_res_id",
@@ -227,20 +228,26 @@ export abstract class BaseManagedIdentitySource {
 
     public getManagedIdentityUserAssignedIdQueryParameterKey(
         managedIdentityIdType: ManagedIdentityIdType,
-        imds?: boolean
+        isImds?: boolean,
+        usesApi2017?: boolean
     ): string {
         switch (managedIdentityIdType) {
             case ManagedIdentityIdType.USER_ASSIGNED_CLIENT_ID:
                 this.logger.info(
-                    "[Managed Identity] Adding user assigned client id to the request."
+                    `[Managed Identity] [API version ${
+                        usesApi2017 ? "2017+" : "2019+"
+                    }] Adding user assigned client id to the request.`
                 );
-                return ManagedIdentityUserAssignedIdQueryParameterNames.MANAGED_IDENTITY_CLIENT_ID;
+                // The Machine Learning source uses the 2017-09-01 API version, which uses "clientid" instead of "client_id"
+                return usesApi2017
+                    ? ManagedIdentityUserAssignedIdQueryParameterNames.MANAGED_IDENTITY_CLIENT_ID_2017
+                    : ManagedIdentityUserAssignedIdQueryParameterNames.MANAGED_IDENTITY_CLIENT_ID;
 
             case ManagedIdentityIdType.USER_ASSIGNED_RESOURCE_ID:
                 this.logger.info(
                     "[Managed Identity] Adding user assigned resource id to the request."
                 );
-                return imds
+                return isImds
                     ? ManagedIdentityUserAssignedIdQueryParameterNames.MANAGED_IDENTITY_RESOURCE_ID_IMDS
                     : ManagedIdentityUserAssignedIdQueryParameterNames.MANAGED_IDENTITY_RESOURCE_ID_NON_IMDS;
 

lib/msal-node/src/client/ManagedIdentitySources/MachineLearning.ts

@@ -120,7 +120,9 @@ export class MachineLearning extends BaseManagedIdentitySource {
         ) {
             request.queryParameters[
                 this.getManagedIdentityUserAssignedIdQueryParameterKey(
-                    managedIdentityId.idType
+                    managedIdentityId.idType,
+                    false, // isIMDS
+                    true // uses2017API
                 )
             ] = managedIdentityId.id;
         }

lib/msal-node/test/client/ManagedIdentitySources/AppService.spec.ts

@@ -58,6 +58,11 @@ describe("Acquires a token successfully via an App Service Managed Identity", ()
 
     describe("User Assigned", () => {
         test("acquires a User Assigned Client Id token", async () => {
+            const sendGetRequestAsyncSpy: jest.SpyInstance = jest.spyOn(
+                networkClient,
+                <any>"sendGetRequestAsync"
+            );
+
             const managedIdentityApplication: ManagedIdentityApplication =
                 new ManagedIdentityApplication(userAssignedClientIdConfig);
             expect(managedIdentityApplication.getManagedIdentitySource()).toBe(
@@ -68,10 +73,23 @@ describe("Acquires a token successfully via an App Service Managed Identity", ()
                 await managedIdentityApplication.acquireToken(
                     managedIdentityRequestParams
                 );
-
             expect(networkManagedIdentityResult.accessToken).toEqual(
                 DEFAULT_USER_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
             );
+
+            const url: URLSearchParams = new URLSearchParams(
+                sendGetRequestAsyncSpy.mock.lastCall[0]
+            );
+            expect(
+                url.has(
+                    ManagedIdentityUserAssignedIdQueryParameterNames.MANAGED_IDENTITY_CLIENT_ID
+                )
+            ).toBe(true);
+            expect(
+                url.has(
+                    ManagedIdentityUserAssignedIdQueryParameterNames.MANAGED_IDENTITY_CLIENT_ID_2017
+                )
+            ).toBe(false);
         });
 
         test("acquires a User Assigned Resource Id token", async () => {

lib/msal-node/test/client/ManagedIdentitySources/Imds.spec.ts

@@ -90,6 +90,11 @@ describe("Acquires a token successfully via an IMDS Managed Identity", () => {
 
     describe("User Assigned", () => {
         test("acquires a User Assigned Client Id token", async () => {
+            const sendGetRequestAsyncSpy: jest.SpyInstance = jest.spyOn(
+                networkClient,
+                <any>"sendGetRequestAsync"
+            );
+
             const managedIdentityApplication: ManagedIdentityApplication =
                 new ManagedIdentityApplication(userAssignedClientIdConfig);
             expect(managedIdentityApplication.getManagedIdentitySource()).toBe(
@@ -100,10 +105,23 @@ describe("Acquires a token successfully via an IMDS Managed Identity", () => {
                 await managedIdentityApplication.acquireToken(
                     managedIdentityRequestParams
                 );
-
             expect(networkManagedIdentityResult.accessToken).toEqual(
                 DEFAULT_USER_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
             );
+
+            const url: URLSearchParams = new URLSearchParams(
+                sendGetRequestAsyncSpy.mock.lastCall[0]
+            );
+            expect(
+                url.has(
+                    ManagedIdentityUserAssignedIdQueryParameterNames.MANAGED_IDENTITY_CLIENT_ID
+                )
+            ).toBe(true);
+            expect(
+                url.has(
+                    ManagedIdentityUserAssignedIdQueryParameterNames.MANAGED_IDENTITY_CLIENT_ID_2017
+                )
+            ).toBe(false);
         });
 
         test("acquires a User Assigned Object Id token", async () => {

lib/msal-node/test/client/ManagedIdentitySources/MachineLearning.spec.ts

@@ -57,6 +57,11 @@ describe("Acquires a token successfully via an Machine Learning Managed Identity
 
     describe("User Assigned", () => {
         test("acquires a User Assigned Client Id token", async () => {
+            const sendGetRequestAsyncSpy: jest.SpyInstance = jest.spyOn(
+                networkClient,
+                <any>"sendGetRequestAsync"
+            );
+
             const managedIdentityApplication: ManagedIdentityApplication =
                 new ManagedIdentityApplication(userAssignedClientIdConfig);
             expect(managedIdentityApplication.getManagedIdentitySource()).toBe(
@@ -71,6 +76,20 @@ describe("Acquires a token successfully via an Machine Learning Managed Identity
             expect(networkManagedIdentityResult.accessToken).toEqual(
                 DEFAULT_USER_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
             );
+
+            const url: URLSearchParams = new URLSearchParams(
+                sendGetRequestAsyncSpy.mock.lastCall[0]
+            );
+            expect(
+                url.has(
+                    ManagedIdentityUserAssignedIdQueryParameterNames.MANAGED_IDENTITY_CLIENT_ID_2017
+                )
+            ).toBe(true);
+            expect(
+                url.has(
+                    ManagedIdentityUserAssignedIdQueryParameterNames.MANAGED_IDENTITY_CLIENT_ID
+                )
+            ).toBe(false);
         });
 
         test("acquires a User Assigned Resource Id token", async () => {

lib/msal-node/test/client/ManagedIdentitySources/ServiceFabric.spec.ts

@@ -64,6 +64,11 @@ describe("Acquires a token successfully via an App Service Managed Identity", ()
 
     describe("User Assigned", () => {
         test("acquires a User Assigned Client Id token", async () => {
+            const sendGetRequestAsyncSpy: jest.SpyInstance = jest.spyOn(
+                networkClient,
+                <any>"sendGetRequestAsync"
+            );
+
             const managedIdentityApplication: ManagedIdentityApplication =
                 new ManagedIdentityApplication(userAssignedClientIdConfig);
             expect(managedIdentityApplication.getManagedIdentitySource()).toBe(
@@ -74,10 +79,23 @@ describe("Acquires a token successfully via an App Service Managed Identity", ()
                 await managedIdentityApplication.acquireToken(
                     managedIdentityRequestParams
                 );
-
             expect(networkManagedIdentityResult.accessToken).toEqual(
                 DEFAULT_USER_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
             );
+
+            const url: URLSearchParams = new URLSearchParams(
+                sendGetRequestAsyncSpy.mock.lastCall[0]
+            );
+            expect(
+                url.has(
+                    ManagedIdentityUserAssignedIdQueryParameterNames.MANAGED_IDENTITY_CLIENT_ID
+                )
+            ).toBe(true);
+            expect(
+                url.has(
+                    ManagedIdentityUserAssignedIdQueryParameterNames.MANAGED_IDENTITY_CLIENT_ID_2017
+                )
+            ).toBe(false);
         });
         test("acquires a User Assigned Resource Id token", async () => {
             const sendGetRequestAsyncSpy: jest.SpyInstance = jest.spyOn(