dotnet / SqlClient

Microsoft.Data.SqlClient provides database connectivity to SQL Server for .NET applications.
MIT License

Authentication provider for 'Active Directory Interactive' should maintain access token cache globally #989

Closed Rookian closed 3 years ago

Rookian commented 3 years ago

Is your feature request related to a problem? Please describe.

So far we have used Azure CLI and Azure.Identity to use AAD authentication when working locally. We used 'az login' and could then start and restart several of our services without logging in again and again. With this solution we have had to gain an access token for a SqlConnection manually.

With the new authentication provider 'Active Directory Interactive' we don't need to take care of access token handling anymore. Unfortunately, we now have to log in every time we start a service, so it seems that the access token is cached within the current application instance. We can't use 'Active Directory Integrated' because of MFA.

Describe the solution you'd like

It would be nice if 'Active Directory Interactive' worked like Azure CLI (az login), where we only have to log in once in a while.

e.g. when I run 2 or more applications at once, or I restart my application(s), I only want to log in once.

cheenamalhotra commented 3 years ago

Hi @Rookian

This has been considered in issue #616, where we will bring in direct support for Azure.Identity, and a new option would be provided to fetch "DefaultAzureCredential" from the client environment.

In the meantime, you can follow this approach: https://github.com/dotnet/SqlClient/pull/730#issuecomment-705307179 with the latest Microsoft.Data.SqlClient driver.

Since we're tracking this change with #616, is there anything else you'd need help with?

Basssiiie commented 2 months ago

Hello @Rookian, did this global cache fix for 'Active Directory Interactive' work for you? For me it does not seem to be cached, and I have to log in every time I start the application, like you originally described.

Currently 'Active Directory Default' is not feasible for me either, as it does not include the interactive mode enabled as the last fallback.

Thank you for your time. 🙂

David-Engel commented 2 months ago

@Basssiiie The built-in "cache" for Active Directory Interactive is only in the scope of the process. So if you restart your application, the driver's cache is gone. There is another feature request to provide an API that will allow applications to define their own cache that can persist across processes. #1895

Basssiiie commented 2 months ago

@David-Engel Thank you for your reply. Would it be possible to configure a global cache with #1895 purely through the connection string or do we need custom code in the application for that as well?

My use case is that I would like an easy-to-use connection string that uses their AD account (so we can disable SQL accounts) and that would work for all our developers, regardless of whether they use VS, VSCode, Rider or another tool. We also have a microservice project, and currently AD Interactive gets triggered for every microservice the developer starts, on every startup. 🙂

David-Engel commented 2 months ago

@Basssiiie You would need custom code. But it sounds like Active Directory Default would be the closest thing to what you are asking for. It uses Azure.Identity's DefaultAzureCredential under the covers, which traverses a chain of credentials, trying various known, cached credentials (excluding Interactive as MDS disables that to avoid UI issues in headless apps): https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet
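The "custom code" mentioned above, as an added example that is not part of this thread or of the Microsoft.Data.SqlClient project: a custom SqlAuthenticationProvider registered for "Active Directory Interactive" that delegates to Azure.Identity's InteractiveBrowserCredential with a persistent, OS-protected token cache. The in-process cache the driver keeps is lost on restart (as David-Engel says), so the refresh token is kept in the platform's credential store instead, and the signed-in account is remembered in a small record file so later processes can acquire tokens silently. The cache name, record file path, server and database names are illustrative assumptions; the whole approach is one way to do this, not a driver feature.

```csharp
// Added example (not dotnet/SqlClient code): a process-independent token cache for
// "Active Directory Interactive". Assumes the Microsoft.Data.SqlClient and
// Azure.Identity NuGet packages. Cache name, record path and server names are illustrative.
using System;
using System.IO;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;

public sealed class PersistentInteractiveAuthProvider : SqlAuthenticationProvider
{
    // Every local process that should share one sign-in uses the same cache name;
    // the record file stores which account was used (no secrets, only identifiers).
    private const string CacheName = "example-sql-dev-cache";
    private static readonly string RecordPath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.UserProfile),
        ".example-sql-dev.authrecord");

    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private InteractiveBrowserCredential _credential;

    public override bool IsSupported(SqlAuthenticationMethod authenticationMethod) =>
        authenticationMethod == SqlAuthenticationMethod.ActiveDirectoryInteractive;

    public override async Task<SqlAuthenticationToken> AcquireTokenAsync(SqlAuthenticationParameters parameters)
    {
        string scope = ScopeFor(parameters.Resource);
        InteractiveBrowserCredential credential = await GetCredentialAsync(parameters, scope).ConfigureAwait(false);

        // Served silently from the persistent cache when a refresh token is present;
        // Azure.Identity only opens the browser if silent acquisition fails.
        AccessToken token = await credential
            .GetTokenAsync(new TokenRequestContext(new[] { scope }), CancellationToken.None)
            .ConfigureAwait(false);
        return new SqlAuthenticationToken(token.Token, token.ExpiresOn);
    }

    // AAD v2 scope for the SQL resource, e.g. https://database.windows.net/.default
    private static string ScopeFor(string resource) =>
        resource.EndsWith("/.default", StringComparison.Ordinal)
            ? resource
            : resource.TrimEnd('/') + "/.default";

    private async Task<InteractiveBrowserCredential> GetCredentialAsync(SqlAuthenticationParameters parameters, string scope)
    {
        await _gate.WaitAsync().ConfigureAwait(false);
        try
        {
            if (_credential != null) return _credential;

            var options = new InteractiveBrowserCredentialOptions
            {
                // Refresh tokens go to the platform's protected store (DPAPI on Windows,
                // Keychain on macOS, libsecret on Linux) under CacheName.
                TokenCachePersistenceOptions = new TokenCachePersistenceOptions { Name = CacheName }
            };
            if (!string.IsNullOrEmpty(parameters.UserId))
                options.LoginHint = parameters.UserId;

            if (File.Exists(RecordPath))
            {
                // A previous process signed in: restore the account so GetTokenAsync can be silent.
                using (FileStream stream = File.OpenRead(RecordPath))
                    options.AuthenticationRecord = AuthenticationRecord.Deserialize(stream);
                _credential = new InteractiveBrowserCredential(options);
            }
            else
            {
                // First sign-in on this machine: prompt once, then remember the account.
                _credential = new InteractiveBrowserCredential(options);
                AuthenticationRecord record = await _credential
                    .AuthenticateAsync(new TokenRequestContext(new[] { scope }))
                    .ConfigureAwait(false);
                using (FileStream stream = File.Create(RecordPath))
                    record.Serialize(stream);
            }
            return _credential;
        }
        finally
        {
            _gate.Release();
        }
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Register once per process, before the first connection is opened.
        SqlAuthenticationProvider.SetProvider(
            SqlAuthenticationMethod.ActiveDirectoryInteractive,
            new PersistentInteractiveAuthProvider());

        const string connectionString =
            "Server=tcp:example-server.database.windows.net,1433;" +
            "Database=example-db;Authentication=Active Directory Interactive;Encrypt=True;";

        using (var connection = new SqlConnection(connectionString))
        {
            await connection.OpenAsync();
            using (var command = new SqlCommand("SELECT SUSER_SNAME();", connection))
                Console.WriteLine($"Connected as {await command.ExecuteScalarAsync()}");
        }
    }
}
```

Each microservice only has to call SetProvider at startup; the connection string stays `Authentication=Active Directory Interactive`, and the browser prompt appears once per machine rather than once per process. The cache holds the developer's refresh token, so it should stay in the OS-protected store: do not set Azure.Identity's UnsafeAllowUnencryptedStorage option on shared or headless hosts, and treat the record file as identifying (it names the account) even though it contains no secret. The zero-code alternative remains `Authentication=Active Directory Default`, which, as noted above, walks the DefaultAzureCredential chain but never falls back to an interactive prompt.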

Basssiiie commented 2 months ago

@David-Engel Yeah Azure Directory Default would work best at the moment, though it is too bad the interactive mode cannot be toggled/enabled as a fallback here if all other options fail.