Skip to content

docs: WithClientClaims API design for NSP claims support#5982

Open
Robbie-Microsoft wants to merge 2 commits into
mainfrom
rginsburg/05_06_25
Open

docs: WithClientClaims API design for NSP claims support#5982
Robbie-Microsoft wants to merge 2 commits into
mainfrom
rginsburg/05_06_25

Conversation

@Robbie-Microsoft
Copy link
Copy Markdown
Contributor

@Robbie-Microsoft Robbie-Microsoft commented May 6, 2026

Summary

Design document for the proposed WithClientClaims() API to support client-originated claims (NSP / Network Security Perimeter) across MSIv1, MSIv2, cert-based, and FIC auth flows.

What's in this doc

  • Current state of claims handling in each auth flow (MSIv1, MSIv2, cert/FIC)
  • Gap analysis: why WithClaims() is the wrong tool for this scenario
  • Proposed WithClientClaims() API design with cache keying behavior
  • Dynamic claims options and tradeoffs
  • Open questions requiring input from IMDS and other teams

Context

Stemming from a discussion with the MSI team (Azure Redis Cache) requesting MSAL support for NSP claims. Please add comments directly to the doc.

Open questions needing input

  1. Is WithClientClaims the right name/signature?
  2. IMDS team: Does the MSIv2 ESTS endpoint accept a claims body parameter?
  3. Should the NSP claim be sent as claims (OIDC standard) or a different IMDS-specific param name?
  4. Rollout scope: all flows at once, or MSIv1 first?

@Robbie-Microsoft
docs: add WithClientClaims API design doc for NSP claims support
b609cf7 
Captures the proposed approach for supporting client-originated claims
(NSP/Network Security Perimeter) across MSIv1, MSIv2, cert-based, and
FIC auth flows. Documents the current state of each flow, the gap in
the existing WithClaims() API, and the design for a new
WithClientClaims() API with proper cache keying.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 6, 2026 17:07
@Robbie-Microsoft Robbie-Microsoft requested a review from a team as a code owner May 6, 2026 17:07
@Robbie-Microsoft Robbie-Microsoft mentioned this pull request May 6, 2026
Open
HarishRane
HarishRane reviewed May 6, 2026
View reviewed changes
Comment thread docs/nsp_claims_design.md

Azure Redis Cache operates in a Backing resource VM/VMSS and uses MSAL with Managed Identity credentials to acquire tokens from ESTS. The Redis team has requested that MSAL support sending NSP (Network Security Perimeter) claims to IMDS, so that the resulting tokens contain the NSP claim required to access NSP-protected resources.

This document proposes a new `WithClientClaims()` API to support this scenario in a consistent, safe, and harmonized way across all MSAL auth flows.
Copy link
Copy Markdown

@HarishRane HarishRane May 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why "new"? WithClientClaims() is existing supported API right?

Copy link
Copy Markdown
Member

@trwalke trwalke May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, WithClientClaims() already exists as an obsolete api. Adding overloads here will make it not obsolete anymore, which can be confusing.

Copy link
Copy Markdown
Contributor Author

@Robbie-Microsoft Robbie-Microsoft May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clarified in the latest design doc commit (bd2eed1). The existing obsolete WithClientClaims is an app-level method on ConfidentialClientApplicationBuilder that takes (X509Certificate2, IDictionary<string,string>, ...) — it signs extra claims into the client assertion JWT. The new API described here is a request-level method that takes (string claimsJson) and lives on the request builders. They're on different classes with different signatures and coexist without C# ambiguity. The obsolete app-level overload is unaffected. Added a naming note to the design doc explaining this.

Copy link
Copy Markdown
Member

@trwalke trwalke May 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok cool. so it should be alright then.

HarishRane
HarishRane reviewed May 6, 2026
View reviewed changes
Comment thread docs/nsp_claims_design.md
@Robbie-Microsoft Robbie-Microsoft mentioned this pull request May 11, 2026
Open
@Robbie-Microsoft
docs: add call-site snippet, naming note, and request-level rationale
bd2eed1 
- Clarify that the new WithClientClaims(string) request-level API coexists
  without conflict with the existing obsolete app-level WithClientClaims
  (X509Certificate2, IDictionary) — different classes, different signatures
- Add NSP SDK call-site code snippet showing claims sourced at request time,
  making the request-level design concrete and demonstrating why app-level
  placement would not support dynamic enforcement-mode changes
- Add explanation of why per-request placement is correct: enforcement mode
  changes produce new claims; request-level avoids needing to recreate the app

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@trwalke trwalke trwalke approved these changes

Copilot code review Copilot Awaiting requested review from Copilot

+1 more reviewer

@HarishRane HarishRane HarishRane left review comments

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Robbie-Microsoft @trwalke @HarishRane