AzureAD / microsoft-authentication-library-for-java

Microsoft Authentication Library (MSAL) for Java http://aka.ms/aadv2
MIT License

[Feature Request] Add Opt in Probing logic to IMDS MI flow in Managed Identity Client #808

Closed g2vinay closed 5 months ago

g2vinay commented 5 months ago

MSAL client type

Managed identity

Problem Statement

Scenario 1: Expose API to enable IMDS Probe

Currently, MSAL doesn't offer opt-in support to probe the IMDS endpoint before making a request to it. An API needs to be exposed on the MI client builder: enableImdsProbe or enableImdsProbing

With this property enabled, a probe request with the below config needs to be sent out:

GET
Endpoint: http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01

Apply Connection timeout of 1000ms to this request. (Optional)

You can find implementation here for reference: https://github.com/Azure/azure-sdk-for-java/blob/74af94e2b1b325aebc85ad7b2c5cd3808373fd8f/sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java#L1185

If probing is successful then go ahead to fetch the token, else throw an exception to the caller and fail early.

The benefit is that it offers fail-fast support that helps to optimize the performance of DefaultAzureCredential in Azure Identity.

Scenario 2: Expose API: Is Managed Identity Available

Expose an API IsManagedIdentityAvailable on MI client which returns true / false.

If an env config leads to a non-IMDS managed identity source then it returns true. If the env config leads to the IMDS managed identity source, then it sends the probe request without any timeout and, if that's successful, it returns true.

Probe request details same as scenario 1.

Whichever API works best for the MSAL team can be picked here.

Proposed solution

No response

Alternatives

No response

bgavrilMS commented 5 months ago

@g2vinay - I think this should be added to all MSI implementations (all MSALs), no?

What I'm confused about is the extra public API - why does this need to be exposed? Can't we just enable it by default?

bgavrilMS commented 5 months ago

CC @gladjohn @neha-bhargava

Avery-Dunn commented 5 months ago

@g2vinay : Does either of the enableImdsProbe or enableImdsProbing wordings for the API come from a design doc or an API already in use?

And like @bgavrilMS said, this could be default behavior, so is there some scenario where a developer would want to turn off this IMDS probe? I suppose if this check happens during every token call then even a 1 second timeout could start to add up.

bgavrilMS commented 5 months ago

> @g2vinay : Does either of the enableImdsProbe or enableImdsProbing wordings for the API come from a design doc or an API already in use?
>
> And like @bgavrilMS said, this could be default behavior, so is there some scenario where a developer would want to turn off this IMDS probe? I suppose if this check happens during every token call then even a 1 second timeout could start to add up.

Hmm, I think the check should happen only once per process (i.e. static bool cache). The call to this endpoint is just to ensure that we are really on IMDS, it has no other functional value.

neha-bhargava commented 5 months ago

@g2vinay I am assuming that the probing happens only when environment variables are not found and IMDS is used as a default source. In this case we can probe and cache the result as @bgavrilMS mentioned. If the response is received once, MSAL will by default use the IMDS endpoint. If a response is not received, MSAL will throw the exception.

Do you know how often users are in a situation where IMDS is not available?
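A sketch of both scenarios from the issue body (the opt-in fail-fast probe with a 1000 ms connect timeout, and IsManagedIdentityAvailable with an untimed probe), combined with the once-per-process cache proposed in the replies above. This is an added example in Java, not MSAL's or azure-identity's code. It assumes that the environment variables IDENTITY_ENDPOINT and MSI_ENDPOINT mark a non-IMDS managed identity source, and that any HTTP status returned from the link-local address (IMDS answers this deliberately minimal, header-less request with a 4xx) counts as "IMDS reachable", while a connect failure or timeout counts as unreachable; only the probe URL and the timeout value come from the issue.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.Proxy;
import java.net.URL;
import java.util.Map;

/** Added example: opt-in IMDS probe, isManagedIdentityAvailable, and a process-wide cache. */
public final class ImdsProbeExample {

    // Probe target and connect timeout exactly as stated in the issue body.
    static final String IMDS_PROBE_URL =
            "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01";
    static final int PROBE_CONNECT_TIMEOUT_MS = 1000;

    // Assumption for this example: these variables mark a non-IMDS managed identity
    // source (an App Service / Service Fabric style local endpoint).
    static final String[] NON_IMDS_SOURCE_VARS = {"IDENTITY_ENDPOINT", "MSI_ENDPOINT"};

    enum ProbeOutcome { REACHABLE, UNREACHABLE }

    // Once-per-process cache, as proposed in the thread; null means "not probed yet".
    private static Boolean cachedReachable;

    /** Sends the minimal GET; a timeout of 0 means "wait indefinitely" (scenario 2). */
    static ProbeOutcome probeImds(int timeoutMs) {
        HttpURLConnection conn = null;
        try {
            // Link-local address: never route the probe through a configured HTTP proxy.
            conn = (HttpURLConnection) new URL(IMDS_PROBE_URL).openConnection(Proxy.NO_PROXY);
            conn.setRequestMethod("GET");
            conn.setConnectTimeout(timeoutMs);
            conn.setReadTimeout(timeoutMs);
            // Assumption: any HTTP status proves a listener on the address; only a
            // connect failure or timeout means "no IMDS here". The body is never read.
            conn.getResponseCode();
            return ProbeOutcome.REACHABLE;
        } catch (IOException e) {
            return ProbeOutcome.UNREACHABLE;
        } finally {
            if (conn != null) {
                conn.disconnect();
            }
        }
    }

    /** True when no non-IMDS source is configured, i.e. IMDS would be the default source. */
    static boolean usesImdsSource(Map<String, String> env) {
        for (String name : NON_IMDS_SOURCE_VARS) {
            String value = env.get(name);
            if (value != null && !value.isEmpty()) {
                return false;
            }
        }
        return true;
    }

    /** Probes at most once per process; later callers reuse the cached answer. */
    static synchronized ProbeOutcome cachedProbe(int timeoutMs) {
        if (cachedReachable == null) {
            // Trade-off: a transient failure is cached too, so a restart is needed to re-probe.
            cachedReachable = probeImds(timeoutMs) == ProbeOutcome.REACHABLE;
        }
        return cachedReachable ? ProbeOutcome.REACHABLE : ProbeOutcome.UNREACHABLE;
    }

    /** Scenario 1: with the opt-in enabled, fail fast instead of hanging on the token request. */
    static void failFastIfImdsUnreachable(boolean probeEnabled, Map<String, String> env) {
        if (!probeEnabled || !usesImdsSource(env)) {
            return;
        }
        if (cachedProbe(PROBE_CONNECT_TIMEOUT_MS) == ProbeOutcome.UNREACHABLE) {
            throw new IllegalStateException("IMDS did not answer within "
                    + PROBE_CONNECT_TIMEOUT_MS + " ms; managed identity unavailable");
        }
    }

    /** Scenario 2: non-IMDS source gives true; IMDS source gives the result of an untimed probe. */
    static boolean isManagedIdentityAvailable(Map<String, String> env) {
        if (!usesImdsSource(env)) {
            return true;
        }
        return cachedProbe(0) == ProbeOutcome.REACHABLE;
    }

    public static void main(String[] args) {
        Map<String, String> env = System.getenv();
        System.out.println("IMDS would be the source: " + usesImdsSource(env));
        // Outside Azure this reports UNREACHABLE after about one second instead of hanging
        // on the real token request, which is the fail-fast behaviour the issue asks for.
        System.out.println("probe with 1000 ms timeout: " + probeImds(PROBE_CONNECT_TIMEOUT_MS));
    }
}
```

Because the result is cached in a static field, the 1 second worst case raised above is paid once per process rather than on every token call; the probe only establishes that something is listening on 169.254.169.254, so nothing from the response is trusted or parsed.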

Avery-Dunn commented 5 months ago

After some discussions a different design was agreed on: https://github.com/AzureAD/microsoft-authentication-library-for-java/issues/815

Closing this issue in favor of that newer one, which has also been opened in the other MSALs.