AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

Persist token cache in encrypted format to file in linux container image #4862

Open shoaibbajwa24 opened 1 month ago

shoaibbajwa24 commented 1 month ago

We have a scenario where I have C# code which runs in a container. It uses MSAL AcquireTokenWithDeviceCode to get a user access token to pass on to a backend API. The container runs, does a task and exits. The user could run the container multiple times. The issue is that since it's in a container, the MSAL token cache is lost between different runs and it's a pain to keep asking users to log in every time. The container image exists for both Linux and Windows.

I know we can persist the cache into a file, which I have tested, but we want to keep it encrypted. From my understanding MSAL uses libsecret on Linux for encryption. The container base image we are using does not have libsecret and it's a pain to get it to work in a headless environment.

Also saw this https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3033

What is MSAL recommendation on this?
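One way to do what the post describes without libsecret is to use MSAL.NET's own cache serialization hooks (`SetBeforeAccess`/`SetAfterAccess` with `SerializeMsalV3`/`DeserializeMsalV3`) and encrypt the serialized bytes yourself before they hit disk. The example below is added here for illustration and is not code from the MSAL project or from the issue's participants. It assumes .NET 8 or later, a 32-byte key injected by the container runtime through the `TOKEN_CACHE_KEY` environment variable, a cache directory mounted into every run (`TOKEN_CACHE_DIR`, defaulting to `/cache`), and placeholder app-registration values (`<client-id>`, `<tenant-id>`, `<backend-api-app-id>`) that you replace with your own.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not MSAL's own code: persist the MSAL token cache to a file,
// encrypted with AES-256-GCM, via MSAL.NET's cache serialization hooks.
// The key is supplied out-of-band (assumption: TOKEN_CACHE_KEY, injected by the
// container runtime as a secret); it must never sit next to the cache file.
public static class EncryptedFileTokenCache
{
    private const int NonceSize = 12; // 96-bit nonce, the standard AES-GCM size
    private const int TagSize = 16;   // 128-bit authentication tag

    // Attach the hooks to an MSAL ITokenCache (e.g. app.UserTokenCache).
    public static void Attach(ITokenCache cache, string cacheFilePath, byte[] key)
    {
        cache.SetBeforeAccess(args =>
        {
            if (!File.Exists(cacheFilePath)) return;
            try
            {
                byte[] plain = Decrypt(key, File.ReadAllBytes(cacheFilePath));
                args.TokenCache.DeserializeMsalV3(plain, shouldClearExistingCache: true);
            }
            catch (CryptographicException)
            {
                // Wrong key, tampering or corruption fails the GCM tag check:
                // start with an empty cache instead of trusting unauthenticated bytes.
            }
        });

        cache.SetAfterAccess(args =>
        {
            if (!args.HasStateChanged) return; // nothing new to persist
            byte[] blob = Encrypt(key, args.TokenCache.SerializeMsalV3());
            // Write to a temp file, restrict permissions, then rename, so a crash
            // never leaves a half-written cache and the file is 0600 on Linux.
            string tmp = cacheFilePath + ".tmp";
            File.WriteAllBytes(tmp, blob);
            if (!OperatingSystem.IsWindows())
                File.SetUnixFileMode(tmp, UnixFileMode.UserRead | UnixFileMode.UserWrite);
            File.Move(tmp, cacheFilePath, overwrite: true);
        });
    }

    // Blob layout: nonce || ciphertext || tag. A fresh random nonce per write
    // is what makes reusing one long-lived key across runs safe with GCM.
    private static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[TagSize];
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(nonce, plaintext, ciphertext, tag);
        byte[] blob = new byte[NonceSize + ciphertext.Length + TagSize];
        Buffer.BlockCopy(nonce, 0, blob, 0, NonceSize);
        Buffer.BlockCopy(ciphertext, 0, blob, NonceSize, ciphertext.Length);
        Buffer.BlockCopy(tag, 0, blob, NonceSize + ciphertext.Length, TagSize);
        return blob;
    }

    private static byte[] Decrypt(byte[] key, byte[] blob)
    {
        if (blob.Length < NonceSize + TagSize)
            throw new CryptographicException("cache blob too short");
        int ctLen = blob.Length - NonceSize - TagSize;
        byte[] plaintext = new byte[ctLen];
        using var aes = new AesGcm(key, TagSize);
        aes.Decrypt(new ReadOnlySpan<byte>(blob, 0, NonceSize),
                    new ReadOnlySpan<byte>(blob, NonceSize, ctLen),
                    new ReadOnlySpan<byte>(blob, NonceSize + ctLen, TagSize),
                    plaintext);
        return plaintext;
    }
}

public static class Program
{
    public static async Task Main()
    {
        string[] scopes = { "api://<backend-api-app-id>/.default" }; // placeholder
        byte[] key = Convert.FromBase64String(
            Environment.GetEnvironmentVariable("TOKEN_CACHE_KEY")
            ?? throw new InvalidOperationException("TOKEN_CACHE_KEY not set"));
        if (key.Length != 32) throw new InvalidOperationException("key must be 32 bytes");
        string cachePath = Path.Combine(
            Environment.GetEnvironmentVariable("TOKEN_CACHE_DIR") ?? "/cache", "msal.cache.bin");

        var app = PublicClientApplicationBuilder.Create("<client-id>") // placeholder
            .WithTenantId("<tenant-id>")                               // placeholder
            .Build();
        EncryptedFileTokenCache.Attach(app.UserTokenCache, cachePath, key);

        AuthenticationResult result;
        var accounts = await app.GetAccountsAsync();
        try
        {
            // Silent first: on later runs this succeeds from the persisted cache,
            // so the user is not prompted again while the refresh token is valid.
            result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault()).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            result = await app.AcquireTokenWithDeviceCode(scopes, dc =>
            {
                Console.WriteLine(dc.Message); // shows the code and URL to the user
                return Task.CompletedTask;
            }).ExecuteAsync();
        }
        Console.WriteLine($"Token for {result.Account.Username} expires {result.ExpiresOn}");
    }
}
```

The encryption only helps if the key is genuinely separate from the cache volume: if both are readable by the same party, the file is effectively plaintext to them. An environment variable is shown here for brevity; a secret mounted as a file with restricted permissions, or a key pulled from the orchestrator's secret store, keeps it out of `docker inspect` and process listings. Also note that the first-run device-code login is what produces the initial write, so a cache that fails to decrypt is simply replaced after the next successful sign-in.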

rayluo commented 1 month ago

From my understanding MSAL uses libsecret on Linux for encryption. The container base image we are using does not have libsecret and it's a pain to get it to work in a headless environment.

What is MSAL recommendation on this?

For what it's worth, at one point we built a docker image with libsecret (among others), but we mainly use it for testing purposes.

bgavrilMS commented 1 month ago

@shoaibbajwa24 - Device Code Flow is problematic because it doesn't really go through the browser on the same machine, so we cannot enforce security requirements with it. It is slowly being deprecated.

Identity doesn't have a good answer to this scenario - auth in headless scenarios.