Azure / azure-powershell

Microsoft Azure PowerShell

Get-AzAccessToken -ResourceTypeName MSGraph caching #18191

Closed mabster closed 2 years ago

mabster commented 2 years ago

Description

We are running PowerShell Universal in an Azure App Service, and that app service has its own system managed identity. When the app launches, it calls Connect-AzAccount -Id -Scope CurrentUser to connect to Azure as itself with a persistent connection.

I have added several Graph permissions to the identity, and when I call Get-AzAccessToken -ResourceTypeName MSGraph from a PSU script, the token contains those permissions. Great!

Now I discover a new permission that I need. So I add it to the system managed identity.

When I call Get-AzAccessToken -ResourceTypeName MSGraph again, the original access token, with the same "iat" (issued at) attribute and the same "roles" (Graph permissions) is returned.

It seems that Get-AzAccessToken is caching the last-generated token. Restarting the app service doesn't even fix it. The only way I was able to make it get a new token was to shut everything down over a whole weekend, so none of the scheduled scripts had a chance to request a token (which I think is keeping the existing token current with a refresh token).

How do I clear the token cache so that Get-AzAccessToken returns a new Graph access token with my newly-added permission(s)? I don't want to have to forcibly shut down the app for several days every time I modify its permissions.

Script or Debug output

No response

Environment data

Name                           Value
----                           -----
PSVersion                      7.1.5
PSEdition                      Core
GitCommitId                    7.1.5
OS                             Microsoft Windows 10.0.14393
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

Directory: D:\Program Files (x86)\Microsoft SDKs\Azure\PowerShell\ServiceManagement

ModuleType Version    PreRelease Name                                PSEdition
---------- -------    ---------- ----                                ---------
Manifest   1.4.0                 Azure                               Desk

Directory: D:\Program Files (x86)\Microsoft SDKs\Azure\PowerShell\Storage

ModuleType Version    PreRelease Name                                PSEdition
---------- -------    ---------- ----                                ---------
Manifest   1.1.2                 Azure.Storage                       Desk

Directory: D:\home\data\PowershellUniversal\Repository\Modules

ModuleType Version    PreRelease Name                                PSEdition
---------- -------    ---------- ----                                ---------
Script     2.7.4                 Az.Accounts                         Core,Desk
Script     4.3.0                 Az.KeyVault                         Core,Desk

Error output

No response

dingmeng-xue commented 2 years ago

@mabster, it is by design. Azure PowerShell relies on MSAL to do authentication. It has a cache mechanism and returns a new access token only when the cached one is close to expiration. Please Disconnect-AzAccount and Connect-AzAccount again.

mabster commented 2 years ago

I've tried disconnecting and reconnecting many times. The token remains the same every time. Even restarting the app service doesn't work. That's why I logged this issue. Sorry if that wasn't clear.

mabster commented 2 years ago

As an example: I just called Disconnect-AzAccount (and then Clear-AzContext -Force just in case) and then reconnected with Connect-AzAccount -Id -Scope CurrentUser, then fetched a Graph token. Here's what the token looks like:

[screenshot: the decoded access token, showing its iat and roles claims]

It's currently 8:35am on the 18th of May here, and that token was issued at 8:44am on the 17th.

It does not contain the Graph permissions I added late yesterday morning (after the iat time).

I just need a "fresh" token with the newly-added permissions, but I have no idea how to get one!

mabster commented 2 years ago

... and now, having done exactly the same thing at 8:46am, I got a token with the permissions I added yesterday.

So it seems that once the token expires, as long as you don't do anything within a few minutes of it expiring (which would presumably refresh it and extend its lifetime) you get a new token with updated permissions. But I can't go 24 hours without requesting an access token every time I need to modify permissions. :(
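The observations above (compare the token's "iat"/"exp" claims and its "roles" claim against the permission just granted) can be scripted so the check does not rely on eyeballing a decoded screenshot. The following is an added example, not code from the issue thread or from the Az module; it assumes an app-only token whose granted application permissions appear in the `roles` claim, and it decodes the payload only to inspect claims, it does not validate the signature. The `New-SampleJwt` helper builds an unsigned, constructed token so the functions can be exercised without an Azure login; the commented lines at the end show the same check against the real `Get-AzAccessToken` output.

```powershell
# Added example (not from the issue or Az.Accounts): decode the JWT that Get-AzAccessToken
# returns and report whether a newly granted Graph app role is present yet.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # JWT segments are base64url: swap the URL-safe characters back and restore padding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-GraphTokenRole {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$RequiredRole   # e.g. 'User.Read.All' (assumed role name)
    )
    $claims  = ConvertFrom-JwtPayload -Token $Token
    $issued  = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.iat).ToLocalTime()
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).ToLocalTime()
    # App-only tokens carry the granted application permissions in 'roles'; delegated tokens use 'scp'.
    $roles = if ($claims.roles) { @($claims.roles) } else { @() }
    [pscustomobject]@{
        Audience         = $claims.aud
        IssuedAt         = $issued
        ExpiresAt        = $expires
        RemainingMinutes = [int](($expires - [DateTimeOffset]::Now).TotalMinutes)
        Roles            = $roles
        HasRole          = $roles -contains $RequiredRole
    }
}

# Constructed sample only: an unsigned JWT shaped like a Graph app-only token, so the decoder
# runs offline. Real tokens are signed; never accept an unsigned token for authorization.
function New-SampleJwt {
    param([Parameter(Mandatory)][hashtable]$Payload)
    $enc = {
        param($o)
        $json = ConvertTo-Json -InputObject $o -Compress
        [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    $header = & $enc @{ alg = 'none'; typ = 'JWT' }
    $body   = & $enc $Payload
    "$header.$body."
}

$now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$sample = New-SampleJwt -Payload @{
    aud   = 'https://graph.microsoft.com'
    iat   = $now - 3600            # issued an hour ago
    exp   = $now + 82800           # roughly 24h lifetime, like the token in the screenshot
    roles = @('User.Read.All', 'Group.Read.All')
}
Test-GraphTokenRole -Token $sample -RequiredRole 'Mail.Read'      # HasRole is False: still the old token
Test-GraphTokenRole -Token $sample -RequiredRole 'User.Read.All'  # HasRole is True

# Against the live Az context (after Connect-AzAccount -Identity):
# $t = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
# Test-GraphTokenRole -Token $t -RequiredRole 'Mail.Read'
```

Running the live check right after `Get-AzAccessToken` tells you, from `IssuedAt` and `RemainingMinutes`, whether you are still holding the cached token issued before the permission change, and the `HasRole` flag is what a scheduled script should gate on before it relies on a newly granted permission. Because the decoder does not verify the signature, treat its output as diagnostics only; authorization decisions belong to the resource that validates the token.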

mabster commented 2 years ago

Gah and now I realise I need another permission added, so I have to wait another 24 hours before I can test with it because the token I get from Get-AzAccessToken now is still the one that I was issued at 8:42 this morning and won't expire until tomorrow. Even after Disconnect-AzAccount.

dingmeng-xue commented 2 years ago

@mabster, Disconnect-AzAccount doesn't delete the token cache. Hope your issue was resolved. Closing this issue now. Let us know if you need further help.

mabster commented 1 year ago

Reopening this to see if I can get an actual answer or resolution.

How do I clear the underlying MSAL token cache so that Get-AzAccessToken is guaranteed to get me a fresh token with the scopes I've just added to my Graph identity? Can we get a -Force parameter or something?

mabster commented 1 year ago

Oh, does leaving a comment not reopen the issue? Can we reopen it? Pretty please?

dingmeng-xue commented 1 year ago

Get-AzAccessToken employs MSAL to do AuthN and manage tokens. The token cache is obligatory. MSAL doesn't expose an API to allow the client to get a totally fresh token.