Open christothes opened 6 months ago
🤔 On second thought, I believe the only change we need from MSAL is to expose any refresh_in value provided by the STS. Everything else should be feasible in azidentity/azcore. And I can imagine a hacky way to get refresh_in without MSAL's help.
On third thought, this is blocked because MSAL's token cache has a hardcoded expiration time preventing us from acquiring a new token when a cached one has at least 5 minutes left to expiry.
Is anyone working on this bug? That's a critical blocking bug preventing us from using track2. Recently we, the AKS team, found that after migrating to the track2 SDK, the managed identity token would expire after 24 hours, which is not easy to catch in an e2e test. We had to revert to the version using the track1 SDK. Please fix this issue ASAP; otherwise this track2 SDK is unusable for us. Thanks!
Here is an example fix in a forked branch: https://github.com/hashicorp/go-azure-sdk/pull/362
Can you please explain how the lack of this feature makes track 2 unusable? What breaks when your application gets a token valid for 24 hours? And how does track 1 help? It doesn't observe refresh_on either.
Can you please explain how the lack of this feature makes track 2 unusable? What breaks when your application gets a token valid for 24 hours?
@chlowell please refer to https://github.com/Azure/karpenter-poc/issues/554. We need to adjust the token refresh logic; compared with the track1 SDK, we hit lots of ExpiredAuthenticationToken errors on AKS using the track2 SDK. Finally we resolved this issue by reverting to the version using the track1 SDK.
I think I'm getting the gist of this:
- azidentity uses a 5-minute refresh window for tokens, i.e., it refreshes cached tokens when their expiration is less than 5 minutes in the future
- adal does this as well, so I guess it has an API for overriding this behavior?

I feel like I'm still missing something here because the example in your linked issue seems to suggest your application can determine whether a token has expired, implying the Azure SDK could as well. But my understanding may not be important because we do intend to implement this feature and it's blocked on https://github.com/AzureAD/microsoft-authentication-library-for-go/issues/239. MSAL for Go caches tokens for azidentity and has a hardcoded, internal 5-minute refresh window.
Long-lived credentials such as those received from managed identity authentication include additional metadata concerning when a token can/should be refreshed. Our authentication policies should take this information into account when refreshing access tokens.
This involves:
- Extending the AccessToken type to include this optional information
- AccessToken
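The refresh logic the thread is arguing about, as an added example that is not part of the issue, of azcore, azidentity or MSAL. It models a token with an expiry and an optional refresh hint (the refresh_in / refresh_on value the STS may return), and puts the fixed 5-minute window described above beside a policy that honours the hint. The type and function names (accessToken, shouldRefreshFixedWindow, shouldRefreshWithHint, tokenFromSTSResponse, cache) are this example's own, and the 24-hour token with a 12-hour refresh hint is constructed input, not a captured STS response.

```go
package main

import (
	"fmt"
	"time"
)

// accessToken is this example's own shape for a cached bearer token: the
// value, its expiry, and the refresh hint a long-lived managed identity token
// may carry. It is not the azcore AccessToken type.
type accessToken struct {
	Token     string
	ExpiresOn time.Time
	RefreshOn time.Time // zero when the STS sent no refresh_in
}

// refreshWindow is the fixed window the thread describes: a cached token is
// refreshed once less than this much lifetime remains.
const refreshWindow = 5 * time.Minute

// shouldRefreshFixedWindow is the behaviour attributed to the current cache:
// only the hardcoded window is consulted, so a 24-hour token is reused for
// 23h55m regardless of any refresh hint the STS attached to it.
func shouldRefreshFixedWindow(tok accessToken, now time.Time) bool {
	return now.After(tok.ExpiresOn.Add(-refreshWindow))
}

// shouldRefreshWithHint is the proposed behaviour: refresh once RefreshOn has
// passed when the STS provided one, and otherwise fall back to the fixed
// window. A token inside the fixed window is refreshed whatever the hint says.
func shouldRefreshWithHint(tok accessToken, now time.Time) bool {
	if !tok.RefreshOn.IsZero() && !now.Before(tok.RefreshOn) {
		return true
	}
	return shouldRefreshFixedWindow(tok, now)
}

// tokenFromSTSResponse builds an accessToken from the two lifetimes an STS
// reports in seconds: expires_in and the optional refresh_in. A refreshIn of
// zero or less means the STS sent no hint.
func tokenFromSTSResponse(token string, issuedAt time.Time, expiresIn, refreshIn int64) accessToken {
	tok := accessToken{Token: token, ExpiresOn: issuedAt.Add(time.Duration(expiresIn) * time.Second)}
	if refreshIn > 0 {
		tok.RefreshOn = issuedAt.Add(time.Duration(refreshIn) * time.Second)
	}
	return tok
}

// cache is a minimal token cache that calls acquire only when the chosen
// policy says a refresh is due; acquires counts round trips to the STS.
type cache struct {
	cached   *accessToken
	acquires int
}

func (c *cache) get(now time.Time, policy func(accessToken, time.Time) bool, acquire func(time.Time) accessToken) accessToken {
	if c.cached == nil || policy(*c.cached, now) {
		t := acquire(now)
		c.cached = &t
		c.acquires++
	}
	return *c.cached
}

func main() {
	// Constructed input: a 24-hour token whose STS asked for a refresh at 12h.
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	tok := tokenFromSTSResponse("constructed-token", issued, 86400, 43200)
	for _, h := range []int{1, 12, 23} {
		now := issued.Add(time.Duration(h) * time.Hour)
		fmt.Printf("t+%02dh fixed window: %-5t with hint: %t\n",
			h, shouldRefreshFixedWindow(tok, now), shouldRefreshWithHint(tok, now))
	}
}
```

With the fixed window, the hint is invisible: the cache hands out the same token until five minutes before the 24-hour expiry. With the hint honoured, the token is replaced at the 12-hour mark and the fixed window remains as a floor for tokens that carry no refresh_in, which is the fallback chlowell's second bullet implies for callers that never get the hint.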