I knew that the service credentials would be scoped to tenant IDs, but I did not realize that the service.Clients and UserDelegationCredentials would also be tenant-scoped. This was causing problems where the credentials of whatever tenant was first seen would be used to sign allSignGet URLs, resulting in signature mismatch errors when the blob was owned by a different tenant.
This updates the cache logic to keep track of both the service clients and the user delegation credentials by tenant ID, which should solve the problem.
I knew that the service credentials would be scoped to tenant IDs, but I did not realize that the
service.Clients andUserDelegationCredentials would also be tenant-scoped. This was causing problems where the credentials of whatever tenant was first seen would be used to sign allSignGetURLs, resulting in signature mismatch errors when the blob was owned by a different tenant.This updates the cache logic to keep track of both the service clients and the user delegation credentials by tenant ID, which should solve the problem.
This change is