Skip to content

[DO NOT MERGE] Add token revocation support for App Service #5493

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[DO NOT MERGE] Add token revocation support for App Service #5493

wants to merge 1 commit into from
+9 −4

Conversation

gladjohn
Copy link
Contributor

@gladjohn gladjohn commented Sep 22, 2025
edited
Loading

Fixes #5495

App Service Managed Identity Token Revocation Enabled in Public Cloud (Sovereign Clouds ETA 2–3 Weeks)

⚠️🚨 CAUTION – Token Revocation Rollout 🚨⚠️

This PR enables Managed Identity Token Revocation in Azure App Service (public cloud).
👉 Sovereign cloud support is still pending (ETA ~2–3 weeks).

Fixes #5495

App Service Managed Identity Token Revocation Enabled in Public Cloud (Sovereign Clouds ETA 2–3 Weeks)

Changes proposed in this request
This change finalizes support for managed identity access token revocation behavior in Azure App Service for public cloud.
A validation was added to the AcquireMSITokenWithClaimsAsync test to ensure a claims challenge triggers issuance of a new access token (token with claims != cached token). This confirms cache bypass semantics required for revocation scenarios.

Important note – Sovereign (Gov/DoD/China) cloud rollout is in progress and expected within 2–3 weeks; no code changes needed for that enablement.

Key points:

  • ✅ Public cloud: Revocation-ready (claims challenge forces fresh token).
  • 🧪 Test enhancement: Added Assert.AreNotEqual between initial token and claims-challenge token.
  • 🌍 Sovereign clouds: Activation pending backend deployment; no further client changes anticipated.

Impact:

  • Improves confidence in revocation flows (conditional access / credential compromise responses).
  • No breaking changes; existing integrations continue to function.

Next steps (post-merge):

  • Monitor sovereign activation window.
  • Add release notes entry once sovereign rollout completes (no further code expected).

Testing

  • unit
  • integration

Performance impact

  • none

Documentation

  • All relevant documentation is updated.

@gladjohn gladjohn self-assigned this Sep 22, 2025
@gladjohn gladjohn requested a review from a team as a code owner September 22, 2025 19:40
@gladjohn gladjohn marked this pull request as draft September 22, 2025 19:42
@gladjohn gladjohn force-pushed the gladjohn/app_service_revoke branch from 9649e9e to 191d1f0 Compare September 22, 2025 20:10
@gladjohn gladjohn changed the title [DRAFT] Add token revocation support for App Service [DO NOT MERGE] Add token revocation support for App Service Sep 22, 2025
@gladjohn gladjohn marked this pull request as ready for review September 22, 2025 22:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MZOLN MZOLN MZOLN approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees

@gladjohn gladjohn

Labels
do not merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Engineering task] Add token revocation support for App Service
2 participants
@gladjohn @MZOLN