Why does Microsoft.Identity.Web adds x-client-brkrver and other headers?

[marco987654]

I noticed that Microsoft.Identity.Web adds a number of additional parameters when redirecting to (in our case) AD B2C, like:

x-client-brkrver = IDWeb.1.16.1.0

And (because of the user of MSAL.NET):
x-client-SKU = ID_NETSTANDARD2_0
x-client-ver = 6.12.2.0

In my opinion, this exposes details of the version of Microsoft.Identity.Web used by our application. In case of any vulnerability found in this version, this makes us more vulnerable than without this information being disclosed.
Therefore I wonder,

• Why is this information added to the request?

I am able to remove the x-client-brkrver parameter in the OnRedirectToIdentityProvider event. Is it a problem when we do so?

[bgavrilMS]

Let me try to shed some light on the headers sent by MSAL to the Identity Provider

header	data	why?
x-client-sku	An identifier of the library used (e.g. MSAL .NET for .NET Core, MSAL .NET for UWP, MSAL Java, MSAL python)	see below
x-client-ver	The version of the library used	sky and ver are used by AAD to enable new features that MSALs support, for example AAD will send a "refresh_in" value along the "expires_in" in the token response to certain MSALs. Sadly, some 3rd party libraries are very fragile and simply adding a new field in the JSON response breaks them (!!!), so an "opt-in" mechanism is needed.
x-client-OS	A descriptor of the OS. E.g. "Windows Server 2019" or "Windows 10" or "Android 10"	This is used only for public client scenarios (e.g. desktop or mobile apps), and helps AAD deal with "managed device policies". For example a Win 8 machine proves that it is domain joined in a different way than a Win 10 machine. AAD emits a different challenge for each. Also used for support tickets, to tell if a feature is not supported on an OS (typically on mobile). I am not aware of any use of this on confidential client.
x-client-CPU	ARM, x86, x64	I am not aware of this field being used for anything.
x-client-DM	Iphone 13	Device Model. Only sent for mobile. Used for troubleshooting failed requests.
x-client-brkrver	IDWeb.1.16.1.0	Version of id web. Afaik this is used only for telemetry and support.

@jennyf19 , @jmprieur - do you know if x-client-brkrver is used for anything else? Are the x-client-sku / x-client-ver values those of ASP.NET Core's, when making the request to the /authorize endpoint?

@marco987654 - when we detect a security issue in the SDK (which thankfully does not happen often), MSRC does attempt to contact all affected application owners. It uses the x-client-sku / x-client-ver to understand who is affected and then based on the client id Microsoft can contact the app owners. I haven't been involved in an SDK security incident in a long time, so things might have changed, but this is how things were some time ago. If you remove x-client-brkver, Microsoft will not be able to tell if you are affected by a potential issue.