
Entra access token authentication policies such as BearerTokenAuthenticationPolicy should respect refresh_on information #22837

Open
christothes opened this issue May 3, 2024 · 4 comments
Assignees
Labels
Azure.Core Azure.Identity Blocked Client This issue points to a problem in the data-plane of the library.
Milestone

Comments

@christothes
Member

Long lived credentials such as those received from managed identity authentication include additional metadata concerning when a token can/should be refreshed. Our authentication policies should take this information into account when refreshing access tokens.

This involves:

  • Modifying relevant authentication policies
  • Modifying the AccessToken type to include this optional information
  • Modifying Azure.Identity credential implementations to populate the refresh_on information in the AccessToken
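A sketch of the refresh decision this issue calls for, as an added example that is not azcore's or azidentity's code: AccessToken, refreshDecision, getToken and the 5-minute expiryBuffer are hypothetical names chosen here. An elapsed refresh_on triggers a best-effort refresh that falls back to the still-valid cached token if the STS is unreachable, while the expiry buffer still forces a refresh that must succeed.

```go
package main

import (
	"fmt"
	"time"
)

// AccessToken is a hypothetical token type (not azcore's) with the optional refresh_on hint; zero RefreshOn = none sent.
type AccessToken struct {
	Token     string
	ExpiresOn time.Time
	RefreshOn time.Time
}

const expiryBuffer = 5 * time.Minute // inside this window before expiry, refresh is mandatory

// refreshDecision: should the policy refresh now, and must it succeed (mandatory) or is it best-effort (refresh_on elapsed)?
func refreshDecision(tok AccessToken, now time.Time) (refresh, mandatory bool) {
	if tok.Token == "" || !now.Before(tok.ExpiresOn.Add(-expiryBuffer)) {
		return true, true
	}
	if !tok.RefreshOn.IsZero() && !now.Before(tok.RefreshOn) {
		return true, false
	}
	return false, false
}

// getToken applies the decision: a failed proactive refresh keeps serving the
// still-valid cached token; a failed mandatory refresh surfaces the error.
func getToken(cached AccessToken, now time.Time, acquire func() (AccessToken, error)) (AccessToken, error) {
	refresh, mandatory := refreshDecision(cached, now)
	if !refresh {
		return cached, nil
	}
	fresh, err := acquire()
	if err == nil {
		return fresh, nil
	}
	if mandatory {
		return AccessToken{}, err
	}
	return cached, nil
}

func main() {
	now := time.Now() // constructed scenario: refresh_on elapsed, STS unreachable, token valid for a day
	tok := AccessToken{Token: "cached", ExpiresOn: now.Add(24 * time.Hour), RefreshOn: now.Add(-time.Minute)}
	got, err := getToken(tok, now, func() (AccessToken, error) { return AccessToken{}, fmt.Errorf("STS unreachable") })
	fmt.Println(got.Token, err) // cached <nil>
}
```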
@chlowell
Contributor

chlowell commented May 3, 2024

@chlowell
Contributor

chlowell commented May 3, 2024

🤔 on second thought I believe the only change we need from MSAL is to expose any refresh_in value provided by the STS. Everything else should be feasible in azidentity/azcore. And I can imagine a hacky way to get refresh_in without MSAL's help.

@chlowell chlowell removed the Blocked label May 3, 2024
@chlowell
Contributor

chlowell commented May 8, 2024

On third thought, this is blocked because MSAL's token cache has a hardcoded expiration time preventing us from acquiring a new token when a cached one has at least 5 minutes left to expiry.

@chlowell chlowell removed the blocking-release Blocks release label May 17, 2024
@chlowell chlowell modified the milestones: 2024-06, Backlog May 17, 2024