Description
Core Library
MSAL Node (@azure/msal-node)
Core Library Version
4.14.0-beta.1
Wrapper Library
Not Applicable
Wrapper Library Version
none
Public or Confidential Client?
Public
Description
When using ClientCredentialClient to acquire a token, the request sent to ARM includes the client-request-id in both the URL query parameters and the form body. This duplication creates ambiguity in the request.
And other language SDKs (e.g., Go) do not set this field in both places, which suggests this might be an inconsistency in the implementation.
microsoft-authentication-library-for-js/lib/msal-node/src/client/ClientCredentialClient.ts
Lines 376 to 379 in 383a6c5

```ts
const correlationId =
    request.correlationId ||
    this.config.cryptoInterface.createNewGuid();
RequestParameterBuilder.addCorrelationId(parameters, correlationId);
```

microsoft-authentication-library-for-js/lib/msal-common/src/client/BaseClient.ts
Lines 308 to 311 in 383a6c5

```ts
RequestParameterBuilder.addCorrelationId(
    parameters,
    request.correlationId
);
```
Error Message
No response
MSAL Logs
No response
Network Trace (Preferably Fiddler)
- Sent
- Pending
MSAL Configuration
{}
Relevant Code Snippets
{}
Reproduction Steps
N/A
Expected Behavior
The client-request-id should only appear in one location to avoid confusion and ensure consistency.
Identity Provider
Entra ID (formerly Azure AD) / MSA
Browsers Affected (Select all that apply)
None (Server)
Regression
No response
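
An added example (not part of the original issue and not MSAL's code): a small Node.js check that takes a captured token request and reports any parameter present in both the URL query string and the form body, flagging whether the two copies disagree. The host, tenant segment, client id and GUIDs are constructed sample values.

```javascript
// Added example: detect parameters a request carries in BOTH the URL query
// string and the application/x-www-form-urlencoded body.
// Names are compared exactly as sent (case-sensitive).

function findDuplicatedParams(requestUrl, formBody) {
  const query = new URL(requestUrl).searchParams;
  const body = new URLSearchParams(formBody);
  const findings = [];
  for (const name of new Set(query.keys())) {
    if (!body.has(name)) continue;
    const queryValues = query.getAll(name);
    const bodyValues = body.getAll(name);
    // Identical copies are redundant; differing copies are ambiguous,
    // because the receiver has to pick one location to trust.
    const conflicting = new Set([...queryValues, ...bodyValues]).size > 1;
    findings.push({ name, queryValues, bodyValues, conflicting });
  }
  return findings;
}

// Constructed sample of a client-credentials token request.
const SAMPLE_GUID = "11111111-2222-3333-4444-555555555555";
const SAMPLE_URL =
  "https://login.example.test/sample-tenant/oauth2/v2.0/token" +
  "?client-request-id=" + SAMPLE_GUID;
const SAMPLE_BODY = new URLSearchParams({
  client_id: "00000000-0000-0000-0000-000000000000",
  scope: "https://management.example.test/.default",
  grant_type: "client_credentials",
  "client-request-id": SAMPLE_GUID,
}).toString();

for (const f of findDuplicatedParams(SAMPLE_URL, SAMPLE_BODY)) {
  const kind = f.conflicting ? "CONFLICTING" : "redundant";
  console.log(`${f.name}: in query and body (${kind})`);
}
```
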