Azure / azure-sdk-for-go

This repository is for active development of the Azure SDK for Go. For consumers of the SDK we recommend visiting our public developer docs at:
https://docs.microsoft.com/azure/developer/go/
MIT License

Entra access token authentication policies such as `BearerTokenAuthenticationPolicy` should respect `refresh_on` information #22837

Open christothes opened 6 months ago

christothes commented 6 months ago

Long lived credentials such as those received from managed identity authentication include additional metadata concerning when a token can/should be refreshed. Our authentication policies should take this information into account when refreshing access tokens.

This involves:

joshfree commented 6 months ago

Related

https://github.com/Azure/azure-sdk-for-java/issues/40027

https://github.com/Azure/azure-sdk-for-python/issues/35473

https://github.com/Azure/azure-sdk-for-js/issues/29576

https://github.com/Azure/azure-sdk-for-go/issues/22837

https://github.com/Azure/azure-sdk-for-cpp/issues/5598

https://github.com/Azure/azure-sdk-for-rust/issues/1657

chlowell commented 6 months ago

Blocked on https://github.com/AzureAD/microsoft-authentication-library-for-go/issues/239

chlowell commented 6 months ago

🤔 on second thought I believe the only change we need from MSAL is to expose any refresh_in value provided by the STS. Everything else should be feasible in azidentity/azcore. And I can imagine a hacky way to get refresh_in without MSAL's help.

chlowell commented 6 months ago

On third thought, this is blocked because MSAL's token cache has a hardcoded expiration time preventing us from acquiring a new token when a cached one has at least 5 minutes left to expiry.

andyzhangx commented 5 months ago

Is anyone working on this bug? That's a critical blocking bug preventing us from using track2. Recently we, the AKS team, found that after migrating to the track2 SDK, the managed identity token would expire after 24 hours, which is not easy to catch in e2e tests; we had to revert to the version using the track1 SDK. Please fix this issue ASAP, otherwise this track2 SDK is unusable for us. Thanks!

andyzhangx commented 5 months ago

Here is an example fix in a forked branch: https://github.com/hashicorp/go-azure-sdk/pull/362

chlowell commented 5 months ago

Can you please explain how the lack of this feature makes track 2 unusable? What breaks when your application gets a token valid for 24 hours? And how does track 1 help? It doesn't observe refresh_on either.

andyzhangx commented 5 months ago

> Can you please explain how the lack of this feature makes track 2 unusable? What breaks when your application gets a token valid for 24 hours?

@chlowell please refer to https://github.com/Azure/karpenter-poc/issues/554. We need to adjust the token refresh logic; compared with the track1 SDK, we hit lots of ExpiredAuthenticationToken errors on AKS using the track2 SDK. Finally we resolved this issue by reverting to the version using the track1 SDK.

chlowell commented 5 months ago

I think I'm getting the gist of this:

I feel like I'm still missing something here because the example in your linked issue seems to suggest your application can determine whether a token has expired, implying the Azure SDK could as well. But my understanding may not be important because we do intend to implement this feature and it's blocked on https://github.com/AzureAD/microsoft-authentication-library-for-go/issues/239. MSAL for Go caches tokens for azidentity and has a hardcoded, internal 5-minute refresh window.
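To make the refresh behaviour discussed in this thread concrete, here is an added illustrative example (not code from azcore, azidentity or MSAL) of a token cache that honours a `refresh_on` hint when the STS supplies one and otherwise falls back to a fixed 5-minute pre-expiry window like the one chlowell describes. The `AccessToken`, `TokenSource`, `RefreshingCache` and `fakeSTS` names are hypothetical; `fakeSTS` is a constructed stand-in for managed identity that issues 24-hour tokens with `refresh_on` at the 12-hour mark. The design point a policy author cares about is that a `refresh_on`-triggered refresh is best-effort: if the STS is unreachable, the still-valid cached token keeps being served, and an error only surfaces once the cached token has actually expired.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// AccessToken carries the metadata an STS returns alongside the token string.
// RefreshOn is the zero time when the STS gave no refresh_on / refresh_in hint.
// (Hypothetical shape for this example, not azcore's own type.)
type AccessToken struct {
	Token     string
	ExpiresOn time.Time
	RefreshOn time.Time
}

// defaultRefreshWindow is the fallback used when no refresh_on is present,
// mirroring the fixed 5-minute window discussed in the thread.
const defaultRefreshWindow = 5 * time.Minute

// needsRefresh reports whether a cached token should be proactively replaced at
// `now`: once refresh_on has passed (when the STS supplied one), or in any case
// once the token is within defaultRefreshWindow of expiry.
func needsRefresh(tok AccessToken, now time.Time) bool {
	if !tok.RefreshOn.IsZero() && !now.Before(tok.RefreshOn) {
		return true
	}
	return !now.Before(tok.ExpiresOn.Add(-defaultRefreshWindow))
}

// TokenSource fetches a fresh token from the STS (hypothetical interface).
type TokenSource interface {
	Token() (AccessToken, error)
}

// RefreshingCache holds a single token and decides when to ask the source again.
type RefreshingCache struct {
	mu     sync.Mutex
	src    TokenSource
	now    func() time.Time // injectable clock so behaviour can be simulated offline
	cached AccessToken
	have   bool
}

func NewRefreshingCache(src TokenSource, clock func() time.Time) *RefreshingCache {
	return &RefreshingCache{src: src, now: clock}
}

// Get returns a token to place in the Authorization header. A refresh prompted
// by refresh_on is best-effort: if the STS is unavailable, the still-valid
// cached token is returned, and an error surfaces only when nothing usable remains.
func (c *RefreshingCache) Get() (AccessToken, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	now := c.now()
	if c.have && !needsRefresh(c.cached, now) {
		return c.cached, nil
	}
	tok, err := c.src.Token()
	if err == nil {
		c.cached, c.have = tok, true
		return tok, nil
	}
	if c.have && now.Before(c.cached.ExpiresOn) {
		return c.cached, nil // past refresh_on but not expired: keep serving it
	}
	return AccessToken{}, fmt.Errorf("no valid access token: %w", err)
}

// fakeSTS is a constructed stand-in for managed identity: 24-hour tokens with
// refresh_on at the 12-hour mark, and a switch to simulate an outage.
type fakeSTS struct {
	clock func() time.Time
	calls int
	fail  bool
}

var errSTSDown = errors.New("sts unavailable")

func (s *fakeSTS) Token() (AccessToken, error) {
	if s.fail {
		return AccessToken{}, errSTSDown
	}
	s.calls++
	now := s.clock()
	return AccessToken{
		Token:     fmt.Sprintf("token-%d", s.calls),
		ExpiresOn: now.Add(24 * time.Hour),
		RefreshOn: now.Add(12 * time.Hour),
	}, nil
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	clock := start
	sts := &fakeSTS{clock: func() time.Time { return clock }}
	cache := NewRefreshingCache(sts, func() time.Time { return clock })
	// Hours 0 and 1 use token-1; hour 13 is past refresh_on and fetches token-2.
	for _, h := range []int{0, 1, 13} {
		clock = start.Add(time.Duration(h) * time.Hour)
		tok, err := cache.Get()
		fmt.Printf("t+%02dh token=%s err=%v stsCalls=%d\n", h, tok.Token, err, sts.calls)
	}
	// STS outage: hour 26 is past token-2's refresh_on but before its expiry (hour 37),
	// so the cached token is still served; by hour 38 it has expired and Get fails.
	sts.fail = true
	for _, h := range []int{26, 38} {
		clock = start.Add(time.Duration(h) * time.Hour)
		tok, err := cache.Get()
		fmt.Printf("t+%02dh token=%s err=%v stsCalls=%d\n", h, tok.Token, err, sts.calls)
	}
}
```

The injected clock is what makes the policy testable without waiting 24 hours, which is the kind of check that would have surfaced the expiry-after-24h behaviour reported above in a unit test rather than in e2e.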