Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Entra access token authentication policies such as BearerTokenAuthenticationPolicy should respect refresh_on information #22837

Open
christothes opened this issue May 3, 2024 · 9 comments
Open

Entra access token authentication policies such as BearerTokenAuthenticationPolicy should respect refresh_on information #22837

christothes opened this issue May 3, 2024 · 9 comments
Assignees
@chlowell
Labels
Azure.Core Azure.Identity Blocked Client This issue points to a problem in the data-plane of the library.
Milestone
Backlog

Comments

@christothes
Copy link
Member

Long lived credentials such as those received from managed identity authentication include additional metadata concerning when a token can/should be refreshed. Our authentication policies should take this information into account when refreshing access tokens.

This involves:

  • Modifying relevant authentication policies
  • Modifying the AccessToken type to include this optional information
  • Modifying Azure.Identity credential implementations to populate the refresh_on information in the AccessToken
@scottaddie scottaddie moved this from Untriaged to Not Started in Azure Identity SDK Improvements May 3, 2024
@scottaddie scottaddie added the Client This issue points to a problem in the data-plane of the library. label May 3, 2024
@joshfree joshfree added the blocking-release Blocks release label May 3, 2024
@joshfree joshfree added this to the 2024-06 milestone May 3, 2024
This was referenced May 3, 2024
Open
Open
@joshfree
Copy link
Member

joshfree commented May 3, 2024

Related

Azure/azure-sdk-for-java#40027

Azure/azure-sdk-for-python#35473

Azure/azure-sdk-for-js#29576

#22837

Azure/azure-sdk-for-cpp#5598

Azure/azure-sdk-for-rust#1657

This was referenced May 3, 2024
Closed
Closed
Closed
@chlowell
Copy link
Member

chlowell commented May 3, 2024

Blocked on AzureAD/microsoft-authentication-library-for-go#239

@chlowell chlowell moved this from Not Started to Blocked in Azure Identity SDK Improvements May 3, 2024
@chlowell
Copy link
Member

chlowell commented May 3, 2024
edited
Loading

🤔 on second thought I believe the only change we need from MSAL is to expose any refresh_in value provided by the STS. Everything else should be feasible in azidentity/azcore. And I can imagine a hacky way to get refresh_in without MSAL's help.

@chlowell chlowell removed the Blocked label May 3, 2024
@chlowell chlowell moved this from Blocked to Not Started in Azure Identity SDK Improvements May 3, 2024
@chlowell
Copy link
Member

chlowell commented May 8, 2024

On third thought, this is blocked because MSAL's token cache has a hardcoded expiration time preventing us from acquiring a new token when a cached one has at least 5 minutes left to expiry.

@chlowell chlowell moved this from Not Started to Blocked in Azure Identity SDK Improvements May 8, 2024
@chlowell chlowell removed the blocking-release Blocks release label May 17, 2024
@chlowell chlowell modified the milestones: 2024-06, Backlog May 17, 2024
@andyzhangx
Copy link

is anyone working on this bug? that's a critical blocking bug preventing us to use track2. Recently we AKS team found that after migrating to track2 sdk, the managed identity token would expire after 24 hours which is not easy to be caught in e2e test, we have to revert to version using sdk track1, pls fix this issue ASAP, otherwise this track2 sdk is unusable for us, thanks!

@andyzhangx
Copy link

here is an example fix in forked branch: hashicorp/go-azure-sdk#362

@chlowell
Copy link
Member

chlowell commented Jun 7, 2024
edited
Loading

Can you please explain how the lack of this feature makes track 2 unusable? What breaks when your application gets a token valid for 24 hours? And how does track 1 help? It doesn't observe refresh_on either.

@andyzhangx
Copy link

Can you please explain how the lack of this feature makes track 2 unusable? What breaks when your application gets a token valid for 24 hours?

@chlowell pls refer to https://github.com/Azure/karpenter-poc/issues/554, we need to adjust the token refresh logic, compared with track1 sdk, we hit lots of ExpiredAuthenticationToken error on AKS using track2 sdk, finally we resolved this issue by reverting to version using track1 sdk.

@chlowell
Copy link
Member

chlowell commented Jun 7, 2024

I think I'm getting the gist of this:

  • azidentity uses a 5-minute refresh window for tokens i.e., it refreshes cached tokens when their expiration is less than 5 minutes in the future
    • the track 1 auth package (adal) does this as well, so I guess it has an API for overriding this behavior?
  • clock skew in your system grows over time
  • mistaken judgments of token expiration time therefore become more likely as token lifetime grows

I feel like I'm still missing something here because the example in your linked issue seems to suggest your application can determine whether a token has expired, implying the Azure SDK could as well. But my understanding may not be important because we do intend to implement this feature and it's blocked on AzureAD/microsoft-authentication-library-for-go#239. MSAL for Go caches tokens for azidentity and has a hardcoded, internal 5-minute refresh window.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@chlowell chlowell

Labels
Azure.Core Azure.Identity Blocked Client This issue points to a problem in the data-plane of the library.
Projects
Azure Identity SDK Improvements
Status: Blocked
Milestone
Backlog
Development

No branches or pull requests
5 participants
@christothes @joshfree @andyzhangx @scottaddie @chlowell