[Feature Request] ECR: MSAL support for dynamic certificates
Usually, this is how an MSAL application is built using a certificate or a Client Assertion.
var application = ConfidentialClientApplicationBuilder
    .Create(clientId: applicationId)
    .WithCertificate(certificate) // OR use .WithClientAssertion(clientAssertionDelegate)
    .WithAuthority(firstPartyAuthority)
    .Build();
Now, this works great when we’re dealing with static certificates.
However, most Microsoft Services are now using ECR (Emergency Certificate Rotation), wherein the certificates are renewed dynamically and the running applications are expected to reload their certificate stores and certificate caches at runtime. This removes the need for new application deployments just for updating certificates.
However, if the certificates can keep changing dynamically, we must retrieve the latest cert every single time and rebuild the Confidential application before making a request. To ameliorate this, we’re using custom caching strategies where we cache the tokens till the expiration period.
Potential Solution
Expose a delegate whose responsibility is to return the latest certificate. MSAL application would store the Cert expiration time internally. If the Cert is about to expire, MSAL will seamlessly invoke the delegate to fetch the latest Cert again.
.WithCertificate(Func<X509Certificate2> certDelegate)
It will be the consumer’s responsibility to implement the delegate and return the latest Certificate from either Certificate store or certificate cache. This code will be a “hot path”. The consumer has to implement this in the least expensive manner. Else, it will be a bottleneck.
Func<X509Certificate2> certDelegate = () =>
{
    // Retrieve the latest certificate from the certificate store or certificate cache.
    // LoadLatestCertificate is a placeholder for the consumer's own lookup; this is a
    // hot path, so the consumer must ensure good perf.
    var certificate = LoadLatestCertificate();
    return certificate;
};
NOTE: I also tested with .WithClientAssertion(clientAssertionDelegate), which uses a delegate. But, it looks like MSAL doesn’t invoke this delegate again to fetch the latest client assertion once the cert expires. Can an engineer from MSAL confirm the exact behavior?
Token Cache
The token cache will be valid until the Cert is valid. Once the cert expires, use the delegate to fetch the latest cert and invalidate the stale cache. E.g. the NotAfter property of the certificate.
Issue Analytics
- Created 2 years ago
- Comments: 7 (3 by maintainers)
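Added example (not code from the issue or from MSAL): a consumer-side C# wrapper that applies the proposal above, invoking the certificate delegate when the current certificate is near NotAfter and rebuilding the confidential client (which drops its in-memory token cache) when the certificate has changed. RotatingCertificateClient and renewBefore are assumed names; the MSAL calls are the public builder and AcquireTokenForClient APIs.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Hypothetical wrapper (not part of MSAL): rebuilds the confidential client whenever the
// certificate returned by the consumer's delegate has been rotated, checking the delegate
// only when the current certificate is close to its NotAfter.
public sealed class RotatingCertificateClient
{
    private readonly string _clientId;
    private readonly string _authority;
    private readonly Func<X509Certificate2> _certDelegate; // consumer-supplied; keep it cheap
    private readonly TimeSpan _renewBefore;                // consult the delegate this long before NotAfter
    private readonly object _lock = new object();
    private IConfidentialClientApplication _app;
    private X509Certificate2 _cert;

    public RotatingCertificateClient(string clientId, string authority,
        Func<X509Certificate2> certDelegate, TimeSpan renewBefore)
    {
        _clientId = clientId;
        _authority = authority;
        _certDelegate = certDelegate;
        _renewBefore = renewBefore;
    }

    private IConfidentialClientApplication GetApp()
    {
        lock (_lock)
        {
            bool nearExpiry = _cert != null
                && DateTime.UtcNow >= _cert.NotAfter.ToUniversalTime() - _renewBefore;
            if (_app == null || nearExpiry)
            {
                var latest = _certDelegate();
                if (_app == null || latest.Thumbprint != _cert.Thumbprint)
                {
                    // Rebuilding discards the app's in-memory token cache, so tokens obtained
                    // under the old certificate are not reused once it has been rotated out.
                    _cert = latest;
                    _app = ConfidentialClientApplicationBuilder.Create(_clientId)
                        .WithCertificate(_cert).WithAuthority(_authority).Build();
                }
            }
            return _app;
        }
    }

    public async Task<string> GetTokenAsync(string[] scopes)
    {
        var result = await GetApp().AcquireTokenForClient(scopes).ExecuteAsync();
        return result.AccessToken;
    }
}
```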
Top GitHub Comments
@hkuadithya : apart from AcquireTokenForClient, we do recommend that you create an IConfidentialClientApplication for each request, and enable the token cache serializer. This is quick to create and has a small footprint. What’s your concern about instantiating a new confidential client application?
@hkuadithya : can you share links where you’d want to see this info from?