
[FEATURE REQ] Azure.Identity: Access Token Caching


Library or service name. What library or service is this request related to? [e.g. Azure.Storage.Blobs] Azure.Identity

Is your feature request related to a problem? Please describe. What feature would you like to get added? What problem is it solving?

We wanted to directly use managed identity to get an access token and use it for authentication in service-to-service calls. The current recommendation is to use the MSAL library, which uses an app registration to get the access token. With an app registration, we need to securely generate, renew and secure the credentials (a secret or cert) and then use the credentials in our application code for authenticating to the app registration. We could use the managed identity directly for getting the access token without having to worry about credentials by:

    var managedIdentityCredential = new ManagedIdentityCredential(ManagedIdentityClientId);
    string token = (await managedIdentityCredential
        .GetTokenAsync(new TokenRequestContext(new[] { scope }))
        .ConfigureAwait(false)).Token;

But the issue is that with Managed Identity credentials, the token caching and refresh have to be handled by the caller. The logic for token resiliency, which is built into MSAL, has to be implemented by the caller. MSAL offers the benefit of token resiliency, refreshing the token much earlier than its expiry but using the old token in case of an AAD outage, providing guaranteed downtime in case of an AAD outage. Taken together, implementing all this at the level of the caller is too much work, generating greater scope for error, and might require frequent changes to this logic in case the lifetimes or properties of the token change.

Will caching, refresh and resiliency be supported in future versions of Azure.Identity so that Managed Identity can be used directly for service-to-service calls? Please let me know if such functionality already exists and I am missing something.
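The three behaviours the request asks for (cache the token, refresh it well before expiry, keep serving the old token while AAD is unreachable) can be layered on top of any TokenCredential. The following is an added example written for this page; it is not code from the issue author or from the Azure SDK. It assumes the Azure.Core TokenCredential/AccessToken/TokenRequestContext types and Azure.Identity's ManagedIdentityCredential; the five-minute refresh window, the class name CachingTokenCredential and the placeholder client id and scope in the usage comment are assumptions.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Added example, not part of the original issue or of Azure.Identity.
// Wraps a TokenCredential (e.g. ManagedIdentityCredential) and adds:
//  - in-memory caching of the last AccessToken,
//  - proactive refresh once the token is within RefreshWindow of expiry,
//  - fallback to the still-valid cached token when the refresh call fails
//    (e.g. a transient AAD outage), so callers only see an exception once
//    no unexpired token is available at all.
// One instance caches one token, so use one wrapper per scope set.
public sealed class CachingTokenCredential : TokenCredential
{
    private readonly TokenCredential _inner;
    private readonly TimeSpan _refreshWindow;
    private readonly SemaphoreSlim _lock = new SemaphoreSlim(1, 1);
    private AccessToken? _cached;

    public CachingTokenCredential(TokenCredential inner, TimeSpan? refreshWindow = null)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
        // Refresh 5 minutes before expiry by default (assumed value).
        _refreshWindow = refreshWindow ?? TimeSpan.FromMinutes(5);
    }

    public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
        => GetTokenAsync(requestContext, cancellationToken).AsTask().GetAwaiter().GetResult();

    public override async ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
    {
        var now = DateTimeOffset.UtcNow;

        // Fast path: cached token is still outside the refresh window.
        var cached = _cached;
        if (cached.HasValue && cached.Value.ExpiresOn - now > _refreshWindow)
            return cached.Value;

        // Serialize refreshes so a burst of callers produces one AAD request.
        await _lock.WaitAsync(cancellationToken).ConfigureAwait(false);
        try
        {
            // Re-check: another caller may have refreshed while we waited.
            cached = _cached;
            if (cached.HasValue && cached.Value.ExpiresOn - now > _refreshWindow)
                return cached.Value;

            try
            {
                var fresh = await _inner.GetTokenAsync(requestContext, cancellationToken).ConfigureAwait(false);
                _cached = fresh;
                return fresh;
            }
            catch (Exception) when (cached.HasValue && cached.Value.ExpiresOn > now)
            {
                // Refresh failed (e.g. AAD unreachable) but the old token has not
                // expired yet: keep serving it until it actually expires. Once it
                // has expired, the filter no longer matches and the error propagates.
                return cached.Value;
            }
        }
        finally
        {
            _lock.Release();
        }
    }
}

// Usage (client id and scope are placeholders; hypothetical values):
//   TokenCredential credential = new CachingTokenCredential(
//       new ManagedIdentityCredential("<managed-identity-client-id>"));
//   var ctx = new TokenRequestContext(new[] { "api://<app-id-uri>/.default" });
//   string token = (await credential.GetTokenAsync(ctx, CancellationToken.None)).Token;
//   request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
```

The exception filter (`when (...)`) is what gives the outage behaviour: a failed refresh is swallowed only while an unexpired token exists, so the wrapper never hands out an expired token and never hides a persistent failure for longer than one token lifetime. Callers that go through an Azure SDK client already get equivalent caching and early refresh from Azure.Core's BearerTokenAuthenticationPolicy in the HTTP pipeline; the wrapper is for code that calls its own protected API with a raw HttpClient.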

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Reactions:18
  • Comments:18 (9 by maintainers)

Top GitHub Comments

4 reactions
poyadav2001 commented, Feb 23, 2021

Thank you Christopher for the information. As it is recommended that we use MSAL for service-to-service calls, and given the added functionality it offers, we will use that at the moment. This was originally a feature request: I am suggesting a client in Azure Identity similar to MSAL so that we can get access tokens to call protected APIs. This will eliminate the need for credentials, which need to be maintained in the case of MSAL, and we can get the token directly from the managed identity endpoint. The Azure storage blob client or Secret client are for accessing Azure Storage or Azure Key Vault. I was requesting a client to make calls to protected APIs or other Azure app services.

3 reactions
jesperkristensen commented, May 2, 2021

I have looked into using BearerTokenAuthenticationPolicy for caching TokenCredential for our internal service-to-service calls using HttpClient, but I gave up because BearerTokenAuthenticationPolicy is too coupled with a lot of HttpPipeline stuff, which seemed too complicated to use. So we are currently using TokenCredential without caching it for now.
