Support token cache persistence in client assertion workflow

[ahsonkhan]

Description of Ask: To have ClientAssertionCredentialOptions implement ISupportsTokenCachePersistenceOptions. As a consumer of Identity, Azure PowerShell is dependent on the Azure Identity library for .NET. Now the client assertion workflow has increasing usage, so the ask should have higher priority.

Business Impact: In the client assertion auth flow, Azure PowerShell customers acquire the access token with the federated token. The access token must be used by the subsequent Azure PowerShell cmdlets. We depend on Azure.Identity to save the tokens to the MSAL cache. As the federated token has a short lifetime, it's impossible to cache the federated token and reauthenticate every time a cmdlet is run.

.NET reference implementation - https://github.com/Azure/azure-sdk-for-net/pull/43633

Moved from https://github.com/Azure/azure-sdk-for-cpp-pr/issues/26

cc @scottaddie

[ahsonkhan]

After discussion, this feature requires support from MSAL to enable. This is because MSAL handles the following important aspects: 1) Encrypting the cache file on disk using data protection APIs (and picking a consistent location) 2) Store the cache in a file format and structure that is consistent across languages (.NET/Java/Python)

From @RickWinter:

MSAL is the correct place for persistent token cache to reside. We can implement this feature once we have that support in MSAL.

We'd want to wait and see if there's customer asks for this, in C++, to help prioritize.

Open question:

• Does MSAL handle name conflicts?

Other notes:

• This is originally an Azure Powershell ask - shipped in .NET, other languages are shipping for October - enabled via MSAL, entirely.
• Persist the cache to disk (memory is default) - advanced option in .NET is unsafe token cache persistence options (extension allows you to participate in cache hydration and refresh, via callback)
• Typical use case is to hydrate the cache, and rehydrate it without prompting the user for credentials (Powershell doesn’t want to prompt users again, if the token hasn’t expired), for command line tools that don’t have a persistent memory. For example, every time you run the az cli, it executes the exe once and it exits.
• The file format is opaque to the Identity SDK/users, and managed by MSAL - essentially a JSON map, the map key is the concatenation of the object id/tenant id/client id of the user, and the cache contains the account records, cached tokens, and refresh tokens.