[Question] How does token Caching work #23121

Closed
TheCreatorAMA opened this issue Jun 27, 2024 · 5 comments
Labels
Azure.Identity customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

TheCreatorAMA commented Jun 27, 2024

I have dug around and was reading on how token caching works but I am still a bit confused and figured I would ask here in case anyone else would find this useful.

I have some code similar to the below:

```go
oBOCreds, err := azidentity.NewOnBehalfOfCredentialWithSecret(tenantID, clientID, userAssertion, clientSecret, options)
if err != nil {
   return err
}

tokenOpts := policy.TokenRequestOptions{
   Scopes:   []string{"<scopes>"},
   TenantID: tenantID,
}

token, err := oBOCreds.GetToken(r.Context(), tokenOpts)
if err != nil {
   return err
}
```

This code gets called on every request, but I'm noticing that a new token is being generated each time. I'm fairly positive I'm just not understanding something, but as the user, is there something I need to do to see if the client already has a token? Or does it happen automatically when credentials are made?

timovv (Member) commented Jun 27, 2024

Hi @TheCreatorAMA, since your question is about the Go SDK I am transferring this issue to the Go repository.

chlowell (Member) commented

Thanks for opening this issue. All credentials that don't delegate to external tools cache tokens automatically, storing them in memory by default. These in-memory caches don't survive the credential instances that create them, so if your request handler calls NewOnBehalfOfCredential() for each incoming request, tokens it acquires while handling one request are unavailable while handling another. We do have a beta feature that enables caching tokens to disk, however OnBehalfOfCredential can't support that yet because its cache is uniquely unmarshallable (AzureAD/microsoft-authentication-library-for-go#455). I imagine you could cache OnBehalfOfCredential instances or token requests and responses, if that's feasible for your app, but I'm sorry to say that today we don't have a good solution in azidentity for your scenario.

TheCreatorAMA (Author) commented

That explanation helps! So if I cache the credential instances, the background in-memory caching should fetch a new token if needed, right? To make sure I'm understanding this correctly.

chlowell (Member) commented

Yes. When your app calls GetToken(), a credential with a cache searches that and requests a new token only when the cache misses.

TheCreatorAMA (Author) commented

Alright, makes sense. Thanks for the explanation!
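
One way to cache credential instances across requests, as suggested in the thread. This is an added example, not code from the thread or from azidentity. `CredCache`, `NewCredCache`, the TTL and the stand-in factory are assumptions; the factory is where a real handler would call `azidentity.NewOnBehalfOfCredentialWithSecret`.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sync"
	"time"
)

type entry[C any] struct{ cred C; expires time.Time }

// CredCache keeps one credential (C, e.g. *azidentity.OnBehalfOfCredential) per user assertion.
type CredCache[C any] struct {
	mu      sync.Mutex
	ttl     time.Duration
	newCred func(userAssertion string) (C, error)
	entries map[[32]byte]entry[C]
}

func NewCredCache[C any](ttl time.Duration, newCred func(string) (C, error)) *CredCache[C] {
	return &CredCache[C]{ttl: ttl, newCred: newCred, entries: map[[32]byte]entry[C]{}}
}

// Get keys on a hash of the whole assertion: one user's credential never serves another.
func (c *CredCache[C]) Get(userAssertion string) (C, error) {
	key := sha256.Sum256([]byte(userAssertion))
	c.mu.Lock()
	defer c.mu.Unlock()
	now := time.Now()
	for k, e := range c.entries { // evict expired credentials and the tokens they hold
		if !now.Before(e.expires) {
			delete(c.entries, k)
		}
	}
	if e, ok := c.entries[key]; ok {
		return e.cred, nil // hit: this credential's in-memory token cache is reused
	}
	cred, err := c.newCred(userAssertion) // miss: build a credential for this user
	if err == nil {
		c.entries[key] = entry[C]{cred, now.Add(c.ttl)}
	}
	return cred, err
}

func main() {
	cache := NewCredCache(10*time.Minute, func(ua string) (*string, error) { return &ua, nil })
	first, _ := cache.Get("assertion-A") // constructed sample; the factory above is a stand-in
	again, _ := cache.Get("assertion-A")
	fmt.Println("same credential reused:", first == again)
}
```
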
