AzureAD / microsoft-authentication-library-for-java

Microsoft Authentication Library (MSAL) for Java http://aka.ms/aadv2
MIT License

Ensure, refreshOn is computed to half the token lifetime for Managed Identity Tokens #848

Open g2vinay opened 1 month ago

g2vinay commented 1 month ago

Summary:

Implement logic to compute and return the refreshOn value as half the token lifetime for long-lived Managed Identity tokens (those with a token expiry of >2 hours). This adjustment will align with Azure Identity standards and prevent intermittent token refresh failures for our Enterprise customers, such as Cosmos.

Background:

The current implementation does not account for the unique requirements of long-lived Managed Identity tokens, which have a token expiry of more than 2 hours. As a result, our Enterprise customers have occasionally experienced intermittent token refresh failures. This proposed change aims to mitigate such issues by ensuring a more predictable and consistent token refresh process.

Details:

Compute refreshOn Value:

For Managed Identity tokens with a token expiry of more than 2 hours, calculate the refreshOn value as half the token's lifetime. For example, if a token has a 4-hour lifetime, the refreshOn value should be set to 2 hours. This approach ensures that the token is refreshed well before it expires, providing a buffer period to handle any potential refresh issues.

Consistency with Azure Identity:

This adjustment aligns our token refresh strategy with Azure Identity standards, promoting consistency across our services and improving overall reliability.

Enterprise Customer Impact:

By implementing this change, we can enhance the experience for our Enterprise customers, such as Cosmos, by reducing the likelihood of token refresh failures and ensuring seamless operations.

Implementation Plan:

Code Modification:

Identify the section of the codebase responsible for calculating the refreshOn value for Managed Identity tokens. Introduce logic to check the token expiry duration. If the duration is more than 2 hours, calculate refreshOn as half of the token lifetime. If refresh_in comes back as part of the response, honor it.

Testing:

Develop unit tests to validate the new refreshOn calculation logic. Conduct integration testing to ensure that the feature works correctly in various scenarios, including different token lifetimes and renewal intervals.

Documentation:

Update internal documentation to reflect the new logic for calculating the refreshOn value.

Conclusion:

Adjusting the refreshOn calculation for long-lived Managed Identity tokens will significantly enhance the reliability and consistency of our token refresh process. This change will align our practices with Azure Identity standards and provide a better experience for our Enterprise customers, such as Cosmos, by minimizing the risk of intermittent token refresh failures.
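The refreshOn rule described in this issue, written out as an added example. This is not MSAL Java's code and not code from the issue; it assumes the Managed Identity response is modelled as expires_in / refresh_in seconds, treats a refresh_in that does not fall strictly between 0 and expires_in as invalid and ignores it, and gives tokens with a lifetime of 2 hours or less no refreshOn at all. None of those three points is specified by the issue.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Optional;

/**
 * Added example, not MSAL Java's implementation: computes refreshOn for a
 * Managed Identity token response following the rule proposed in the issue.
 *
 * Assumptions made here that the issue does not state:
 *  - the response carries expires_in and optionally refresh_in, in seconds;
 *  - a refresh_in outside the open interval (0, expires_in) is ignored;
 *  - tokens with a lifetime of 2 hours or less get no refreshOn.
 */
public final class ManagedIdentityRefreshOn {

    /** Lifetime above which a token is treated as long-lived. */
    static final Duration LONG_LIVED_THRESHOLD = Duration.ofHours(2);

    private ManagedIdentityRefreshOn() {}

    /**
     * @param issuedAt  time the token response was received
     * @param expiresIn token lifetime in seconds (expires_in)
     * @param refreshIn refresh_in seconds from the response, or null if absent
     * @return the instant at which a proactive refresh should be attempted,
     *         or empty if the token is only refreshed once it expires
     */
    public static Optional<Instant> compute(Instant issuedAt, long expiresIn, Long refreshIn) {
        if (expiresIn <= 0) {
            throw new IllegalArgumentException("expires_in must be positive");
        }
        // 1. Honor refresh_in when the service supplied a usable value (assumed validity check).
        if (refreshIn != null && refreshIn > 0 && refreshIn < expiresIn) {
            return Optional.of(issuedAt.plusSeconds(refreshIn));
        }
        // 2. Long-lived token (> 2 hours): refresh at half the lifetime.
        Duration lifetime = Duration.ofSeconds(expiresIn);
        if (lifetime.compareTo(LONG_LIVED_THRESHOLD) > 0) {
            return Optional.of(issuedAt.plus(lifetime.dividedBy(2)));
        }
        // 3. Short-lived token: no proactive refresh (assumption, not from the issue).
        return Optional.empty();
    }

    /**
     * True when a background refresh should be attempted while the cached token is
     * still valid. A refresh that fails in this window is not an outage: the cached
     * token keeps being served until expiresOn.
     */
    public static boolean shouldRefreshProactively(Instant now, Optional<Instant> refreshOn, Instant expiresOn) {
        return refreshOn.isPresent() && !now.isBefore(refreshOn.get()) && now.isBefore(expiresOn);
    }

    public static void main(String[] args) {
        Instant issuedAt = Instant.parse("2024-06-01T10:00:00Z");
        long fourHours = Duration.ofHours(4).getSeconds();

        // 4-hour token with no refresh_in in the response: refreshOn lands at the 2-hour mark.
        Optional<Instant> refreshOn = compute(issuedAt, fourHours, null);
        System.out.println("4h token, refreshOn = " + refreshOn.orElse(null));

        // Same token but the response carried refresh_in=3600: the service value is honored.
        System.out.println("4h token with refresh_in=3600, refreshOn = "
                + compute(issuedAt, fourHours, 3600L).orElse(null));

        // 1-hour token: at or below the threshold, so no refreshOn is set.
        System.out.println("1h token, refreshOn = " + compute(issuedAt, 3600L, null));

        // Failure-mode check: a refresh attempted at refreshOn that fails leaves the
        // cached token usable for the remaining half of its lifetime.
        Instant expiresOn = issuedAt.plusSeconds(fourHours);
        Instant attempt = refreshOn.get();
        System.out.println("proactive refresh due at refreshOn? "
                + shouldRefreshProactively(attempt, refreshOn, expiresOn));
        System.out.println("cached token still valid at refreshOn? " + attempt.isBefore(expiresOn));
    }
}
```

The ordering matters for the consistency goal the issue raises: a refresh_in from the service wins over the computed half-lifetime, so a client that later gains a server-driven value does not silently change behaviour.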

bgavrilMS commented 1 month ago

Agreed, this is a consistency item with other MSALs.

rayluo commented 1 month ago

> Ensure, refreshOn is computed to half the token lifetime for Managed Identity Tokens

> Agreed, this is a consistency item with other MSALs.

FYI: MSAL Python already computed the long-lived token's refresh_in since the initial Managed Identity implementation which was shipped in MSAL Python 1.29.0, and then exposed the refresh_on in 1.30.0 shipped last month.