[FEATURE REQ] Azure.Identity: Access Token Caching
Library or service name: Azure.Identity
Is your feature request related to a problem? Please describe. What feature would you like to get added? What problem is it solving?
We wanted to directly use managed identity to get an access token and use it for authentication in service to service calls.
The current recommendation is to use the MSAL library which uses an app registration to get the access token.
With an app registration, we need to securely generate, renew and store the credentials (a secret or cert) and then use those credentials in our application code for authenticating to the app registration.
We could use the managed identity directly for getting the access token without having to worry about credentials by

```csharp
using System.Threading;
using Azure.Core;
using Azure.Identity;

// Acquire a token for the requested scope straight from the managed identity endpoint.
var managedIdentityCredential = new ManagedIdentityCredential(ManagedIdentityClientId);
string token = (await managedIdentityCredential
    .GetTokenAsync(new TokenRequestContext(new[] { scope }), CancellationToken.None)
    .ConfigureAwait(false)).Token;
```
But the issue is that with Managed Identity credentials, the token caching and refresh have to be handled by the caller. The logic for token resiliency, which is built into MSAL, has to be implemented by the caller. MSAL offers the benefit of token resiliency, refreshing the token much earlier than its expiry but using the old token in case of an AAD outage, providing guaranteed downtime in case of an AAD outage. Taken together, implementing all this at the level of the caller is too much work, generating greater scope for error, and might require frequent changes to this logic in case the lifetimes or properties of the token change.
Will caching, refresh and resiliency be supported in future versions of Azure.Identity so that Managed Identity can be used directly for service to service calls? Please let me know if such functionality already exists and I am missing something.
Issue Analytics
- Created 3 years ago
- Reactions: 18
- Comments: 18 (9 by maintainers)
Top GitHub Comments
Thank you Christopher for the information. As it is recommended that we use MSAL for service to service calls, and given the added functionality it offers, we will use that at the moment. This was originally a feature request: I am suggesting a client in Azure Identity similar to MSAL so that we can get access tokens to call protected APIs. This will eliminate the need for credentials which need to be maintained in the case of MSAL, and we can get the token directly from the managed identity endpoint. The Azure Storage blob client or Secret client are for accessing Azure Storage or Azure Key Vault. I was requesting a client to make calls to protected APIs or other Azure app services.
I have looked into using BearerTokenAuthenticationPolicy for caching TokenCredential for our internal service-to-service calls using HttpClient, but I gave up because BearerTokenAuthenticationPolicy is too coupled with a lot of HttpPipeline stuff, which seemed too complicated to use. So we are currently using TokenCredential without caching it for now.
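The caching, early refresh and outage fallback that the issue body says a caller must implement on top of ManagedIdentityCredential, and that the comment above tried and abandoned via BearerTokenAuthenticationPolicy, can be done as a thin TokenCredential decorator that any Azure SDK client or plain HttpClient code can share. The following is an added example for this thread, not code from the issue authors or from Azure.Identity: the class name CachingTokenCredential, the five-minute refresh window and the placeholder client ID are this example's own assumptions. It keeps one AccessToken per scope set, refreshes it before expiry, serialises concurrent refreshes, and keeps serving the last good token if the identity endpoint fails while that token is still valid.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;

// Hypothetical decorator (not part of Azure.Identity): caches one AccessToken per
// scope set, refreshes it ahead of expiry, and falls back to the last good token
// when the refresh fails while that token is still valid.
public sealed class CachingTokenCredential : TokenCredential
{
    private readonly TokenCredential _inner;
    private readonly TimeSpan _refreshBeforeExpiry;
    private readonly ConcurrentDictionary<string, AccessToken> _cache = new();
    private readonly SemaphoreSlim _gate = new(1, 1);

    public CachingTokenCredential(TokenCredential inner, TimeSpan? refreshBeforeExpiry = null)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
        // Assumed window: start refreshing five minutes before the token expires.
        _refreshBeforeExpiry = refreshBeforeExpiry ?? TimeSpan.FromMinutes(5);
    }

    public override AccessToken GetToken(TokenRequestContext ctx, CancellationToken ct) =>
        GetTokenAsync(ctx, ct).AsTask().GetAwaiter().GetResult();

    public override async ValueTask<AccessToken> GetTokenAsync(TokenRequestContext ctx, CancellationToken ct)
    {
        string key = string.Join(" ", ctx.Scopes);
        DateTimeOffset now = DateTimeOffset.UtcNow;

        // Fast path: a cached token that is not yet inside the refresh window.
        if (_cache.TryGetValue(key, out AccessToken cached) && cached.ExpiresOn - now > _refreshBeforeExpiry)
            return cached;

        // Serialise refreshes so a burst of callers does not hammer the identity endpoint.
        await _gate.WaitAsync(ct).ConfigureAwait(false);
        try
        {
            // Re-check after acquiring the gate: another caller may already have refreshed.
            if (_cache.TryGetValue(key, out cached) && cached.ExpiresOn - now > _refreshBeforeExpiry)
                return cached;

            try
            {
                AccessToken fresh = await _inner.GetTokenAsync(ctx, ct).ConfigureAwait(false);
                _cache[key] = fresh;
                return fresh;
            }
            catch (Exception ex) when (ex is AuthenticationFailedException || ex is RequestFailedException)
            {
                // Refresh failed (for example the identity endpoint is unreachable).
                // Keep using the cached token only while it is still valid; otherwise
                // surface the error rather than hand out an expired credential.
                if (_cache.TryGetValue(key, out cached) && cached.ExpiresOn > now)
                    return cached;
                throw;
            }
        }
        finally
        {
            _gate.Release();
        }
    }
}

public static class CachingTokenCredentialUsage
{
    // Build one shared instance at startup and pass it to every client that needs a token.
    // "<managed-identity-client-id>" is a placeholder, not a real identifier.
    public static TokenCredential Create() =>
        new CachingTokenCredential(new ManagedIdentityCredential("<managed-identity-client-id>"));
}
```

Because the wrapper derives from TokenCredential, it can be handed to any Azure SDK client constructor as well as used directly when building an Authorization header for HttpClient, which sidesteps the HttpPipeline plumbing that made BearerTokenAuthenticationPolicy awkward in the comment above. Cancellation is deliberately not caught by the fallback branch, so a caller that cancels still sees OperationCanceledException rather than a stale token.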