Add MSAL client metadata headers to IMDS managed identity requests (#8529)

IMDS managed identity token requests only sent `Metadata: true`,
preventing IMDS from forwarding client telemetry to ESTS. Aligns with
the fix already shipped in MSAL.NET ([PR
#5912](AzureAD/microsoft-authentication-library-for-dotnet#5912)).

### Changes

- **`Constants.ts`** — Added `CLIENT_SKU`, `CLIENT_VER`, and
`CLIENT_REQUEST_ID` entries to `ManagedIdentityHeaders` so header
strings are defined as named constants
- **`Imds.ts`** — Added `x-client-SKU`, `x-client-VER`, and
`x-ms-client-request-id` headers to `createRequest()` using
`ManagedIdentityHeaders` constants, `Constants.MSAL_SKU`,
`packageMetadata.version`, and `cryptoProvider.createNewGuid()`
- **`BaseManagedIdentitySource.ts`** — Changed `cryptoProvider`
visibility from `private` to `protected` so `Imds` can generate
correlation GUIDs
- **`Imds.spec.ts`** — Added header assertions to three existing tests
(UAMI Client Id, UAMI Resource Id, SAMI) using `ManagedIdentityHeaders`
and `NodeConstants.MSAL_SKU` constants with UUID regex validation
- **`managed-identity.md`** — Updated Troubleshooting section to reflect
that IMDS requests now include `x-ms-client-request-id` for end-to-end
tracing

```ts
request.headers[ManagedIdentityHeaders.METADATA_HEADER_NAME] = "true";
request.headers[ManagedIdentityHeaders.CLIENT_SKU] = NodeConstants.MSAL_SKU;
request.headers[ManagedIdentityHeaders.CLIENT_VER] = packageVersion;
request.headers[ManagedIdentityHeaders.CLIENT_REQUEST_ID] = this.cryptoProvider.createNewGuid();
```

> **Note:** Uses `x-ms-client-request-id` — not `client-request-id`.
IMDS requires the `x-ms-` prefix.

> **Note:** Uses `Constants.MSAL_SKU` (`"msal.js.node"`) for
`x-client-SKU` to align with existing msal-node AAD telemetry, and
canonical `x-client-VER` casing matching
`AADServerParamKeys.X_CLIENT_VER`.

No changes to CloudShell, App Service, Azure Arc, Service Fabric, or any
other managed identity source.

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: 4 people

change/@azure-msal-node-39d83ede-7d8e-4c34-a603-e12401614e47.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Add MSAL client metadata headers (x-client-SKU, x-client-VER, x-ms-client-request-id) to IMDS managed identity requests [#8529](https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/8529)",
+  "packageName": "@azure/msal-node",
+  "email": "nicagra@microsoft.com",
+  "dependentChangeType": "patch"
+}

lib/msal-node/docs/managed-identity.md

@@ -110,7 +110,7 @@ MSALJS caches tokens from managed identity in memory. There is no eviction, but
 
 ## Troubleshooting
 
-For failed requests the error response contains a correlation ID that can be used for further diagnostics and log analysis. Keep in mind that the correlation IDs generated in MSALJS or passed into MSAL are different than the one returned in server error responses, as MSALJS cannot pass the correlation ID to managed identity token acquisition endpoints.
+For failed requests the error response contains a correlation ID that can be used for further diagnostics and log analysis. Note that for IMDS requests, MSALJS sends an `x-ms-client-request-id` header that IMDS can forward to ESTS, enabling end-to-end request tracing. For other managed identity sources, the correlation IDs generated in MSALJS or passed into MSAL may differ from the one returned in server error responses.
 
 ### Potential errors
 

lib/msal-node/src/client/ManagedIdentitySources/BaseManagedIdentitySource.ts

@@ -90,6 +90,15 @@ export abstract class BaseManagedIdentitySource {
         this.disableInternalRetries = disableInternalRetries;
     }
 
+    /**
+     * Generates a new correlation ID for request tracing.
+     *
+     * @returns A new GUID string for use as a correlation or request ID
+     */
+    protected createCorrelationId(): string {
+        return this.cryptoProvider.createNewGuid();
+    }
+
     /**
      * Creates a managed identity request with source-specific parameters.
      * This method must be implemented by concrete managed identity sources to define

lib/msal-node/src/client/ManagedIdentitySources/Imds.ts

@@ -9,6 +9,7 @@ import { ManagedIdentityRequestParameters } from "../../config/ManagedIdentityRe
 import { BaseManagedIdentitySource } from "./BaseManagedIdentitySource.js";
 import { CryptoProvider } from "../../crypto/CryptoProvider.js";
 import {
+    Constants as NodeConstants,
     HttpMethod,
     ManagedIdentityEnvironmentVariableNames,
     ManagedIdentityHeaders,
@@ -18,6 +19,7 @@ import {
 } from "../../utils/Constants.js";
 import { NodeStorage } from "../../cache/NodeStorage.js";
 import { ImdsRetryPolicy } from "../../retry/ImdsRetryPolicy.js";
+import { version as packageVersion } from "../../packageMetadata.js";
 
 // Documentation for IMDS is available at https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
 
@@ -167,6 +169,11 @@ export class Imds extends BaseManagedIdentitySource {
             );
 
         request.headers[ManagedIdentityHeaders.METADATA_HEADER_NAME] = "true";
+        request.headers[ManagedIdentityHeaders.CLIENT_SKU] =
+            NodeConstants.MSAL_SKU;
+        request.headers[ManagedIdentityHeaders.CLIENT_VER] = packageVersion;
+        request.headers[ManagedIdentityHeaders.CLIENT_REQUEST_ID] =
+            this.createCorrelationId();
 
         request.queryParameters[ManagedIdentityQueryParameters.API_VERSION] =
             IMDS_API_VERSION;

lib/msal-node/src/utils/Constants.ts

@@ -3,6 +3,7 @@
  * Licensed under the MIT License.
  */
 
+import { AADServerParamKeys } from "@azure/msal-common/node";
 import { DefaultManagedIdentityRetryPolicy } from "../retry/DefaultManagedIdentityRetryPolicy.js";
 import { ImdsRetryPolicy } from "../retry/ImdsRetryPolicy.js";
 
@@ -19,6 +20,9 @@ export const ManagedIdentityHeaders = {
     METADATA_HEADER_NAME: "Metadata",
     APP_SERVICE_SECRET_HEADER_NAME: "X-IDENTITY-HEADER",
     ML_AND_SF_SECRET_HEADER_NAME: "secret",
+    CLIENT_SKU: AADServerParamKeys.X_CLIENT_SKU,
+    CLIENT_VER: AADServerParamKeys.X_CLIENT_VER,
+    CLIENT_REQUEST_ID: "x-ms-client-request-id",
 } as const;
 export type ManagedIdentityHeaders =
     (typeof ManagedIdentityHeaders)[keyof typeof ManagedIdentityHeaders];

lib/msal-node/test/client/ManagedIdentitySources/Imds.spec.ts

@@ -36,8 +36,10 @@ import {
 } from "../../test_kit/ManagedIdentityTestUtils.js";
 import {
     DEFAULT_MANAGED_IDENTITY_ID,
+    ManagedIdentityHeaders,
     ManagedIdentityQueryParameters,
     ManagedIdentitySourceNames,
+    Constants as NodeConstants,
 } from "../../../src/utils/Constants.js";
 import {
     AccessTokenEntity,
@@ -62,6 +64,11 @@ import { NodeStorage } from "../../../src/cache/NodeStorage.js";
 import { CacheKVStore } from "../../../src/cache/serializer/SerializerTypes.js";
 import { ManagedIdentityUserAssignedIdQueryParameterNames } from "../../../src/client/ManagedIdentitySources/BaseManagedIdentitySource.js";
 import { ImdsRetryPolicy } from "../../../src/retry/ImdsRetryPolicy.js";
+import { version as packageVersion } from "../../../src/packageMetadata.js";
+
+const EXPECTED_SKU = NodeConstants.MSAL_SKU;
+const UUID_REGEX =
+    /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 
 describe("Acquires a token successfully via an IMDS Managed Identity", () => {
     // IMDS doesn't need environment variables because there is a default IMDS endpoint
@@ -115,6 +122,17 @@ describe("Acquires a token successfully via an IMDS Managed Identity", () => {
                     ManagedIdentityUserAssignedIdQueryParameterNames.MANAGED_IDENTITY_CLIENT_ID_2017
                 )
             ).toBe(false);
+
+            const headers = sendGetRequestAsyncSpy.mock.lastCall[1].headers;
+            expect(headers[ManagedIdentityHeaders.CLIENT_SKU]).toBe(
+                EXPECTED_SKU
+            );
+            expect(headers[ManagedIdentityHeaders.CLIENT_VER]).toBe(
+                packageVersion
+            );
+            expect(headers[ManagedIdentityHeaders.CLIENT_REQUEST_ID]).toMatch(
+                UUID_REGEX
+            );
         });
 
         test("acquires a User Assigned Object Id token", async () => {
@@ -169,6 +187,17 @@ describe("Acquires a token successfully via an IMDS Managed Identity", () => {
                 )
             ).toEqual(MANAGED_IDENTITY_RESOURCE_ID);
 
+            const headers = sendGetRequestAsyncSpy.mock.lastCall[1].headers;
+            expect(headers[ManagedIdentityHeaders.CLIENT_SKU]).toBe(
+                EXPECTED_SKU
+            );
+            expect(headers[ManagedIdentityHeaders.CLIENT_VER]).toBe(
+                packageVersion
+            );
+            expect(headers[ManagedIdentityHeaders.CLIENT_REQUEST_ID]).toMatch(
+                UUID_REGEX
+            );
+
             jest.restoreAllMocks();
         });
     });
@@ -185,6 +214,11 @@ describe("Acquires a token successfully via an IMDS Managed Identity", () => {
         });
 
         test("acquires a token", async () => {
+            const sendGetRequestAsyncSpy: jest.SpyInstance = jest.spyOn(
+                networkClient,
+                <any>"sendGetRequestAsync"
+            );
+
             const networkManagedIdentityResult: AuthenticationResult =
                 await managedIdentityApplication.acquireToken(
                     managedIdentityRequestParams
@@ -194,6 +228,17 @@ describe("Acquires a token successfully via an IMDS Managed Identity", () => {
             expect(networkManagedIdentityResult.accessToken).toEqual(
                 DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
             );
+
+            const headers = sendGetRequestAsyncSpy.mock.lastCall[1].headers;
+            expect(headers[ManagedIdentityHeaders.CLIENT_SKU]).toBe(
+                EXPECTED_SKU
+            );
+            expect(headers[ManagedIdentityHeaders.CLIENT_VER]).toBe(
+                packageVersion
+            );
+            expect(headers[ManagedIdentityHeaders.CLIENT_REQUEST_ID]).toMatch(
+                UUID_REGEX
+            );
         });
 
         test("returns an already acquired token from the cache", async () => {