From 44b808517e54268593c3bb82fa5ba0fb6cc3b81d Mon Sep 17 00:00:00 2001
From: Yeming Liu <11371776+isra-fel@users.noreply.github.com>
Date: Thu, 1 Dec 2022 14:32:41 +0800
Subject: [PATCH] disable token cache for service principal (#20336)

Co-authored-by: NanxiangLiu <33285578+Nickcandy@users.noreply.github.com>
Co-authored-by: Jin Lei <54836179+msJinLei@users.noreply.github.com>
---
 src/Accounts/Accounts/ChangeLog.md                  | 4 +---
 .../Authenticators/ServicePrincipalAuthenticator.cs | 8 +++++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/Accounts/Accounts/ChangeLog.md b/src/Accounts/Accounts/ChangeLog.md
index fff78493885e..cd31f2f24037 100644
--- a/src/Accounts/Accounts/ChangeLog.md
+++ b/src/Accounts/Accounts/ChangeLog.md
@@ -19,9 +19,7 @@
 -->
 ## Upcoming Release
-* Enabled caching tokens when logging in with a service principal or client assertion. [#20013]
-  - This could reduce extra network traffic and improve performance.
-  - It also fixed the incorrectly short lifespan of tokens.
+* Enabled caching tokens when logging in with a client assertion. This fixed the incorrectly short lifespan of tokens.
 * Upgraded target framework of Microsoft.Identity.Client to net461 [#20189]
 * Stored `ServicePrincipalSecret` and `CertificatePassword` into `AzKeyStore`.
 * Updated the reference of Azure PowerShell Common to 1.3.65-preview.
diff --git a/src/Accounts/Authenticators/ServicePrincipalAuthenticator.cs b/src/Accounts/Authenticators/ServicePrincipalAuthenticator.cs
index 19251922ba64..c50575ef1097 100644
--- a/src/Accounts/Authenticators/ServicePrincipalAuthenticator.cs
+++ b/src/Accounts/Authenticators/ServicePrincipalAuthenticator.cs
@@ -43,12 +43,14 @@ public override Task Authenticate(AuthenticationParameters paramet
             var authority = spParameters.Environment.ActiveDirectoryAuthority;
             var requestContext = new TokenRequestContext(scopes);
-            var tokenCachePersistenceOptions = spParameters.TokenCacheProvider.GetTokenCachePersistenceOptions();
+            // var tokenCachePersistenceOptions = spParameters.TokenCacheProvider.GetTokenCachePersistenceOptions();
             AzureSession.Instance.TryGetComponent(nameof(AzureCredentialFactory), out AzureCredentialFactory azureCredentialFactory);
             var options = new ClientCertificateCredentialOptions()
             {
-                TokenCachePersistenceOptions = tokenCachePersistenceOptions, // allows MSAL to cache access tokens
+                // commented due to https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3218
+                // todo: investigate splitting user token cache and app token cache
+                // TokenCachePersistenceOptions = tokenCachePersistenceOptions, // allows MSAL to cache access tokens
                 AuthorityHost = new Uri(authority),
                 SendCertificateChain = spParameters.SendCertificateChain ?? default(bool)
             };
@@ -67,7 +69,7 @@ public override Task Authenticate(AuthenticationParameters paramet
             //Service principal with secret
             var csOptions = new ClientSecretCredentialOptions()
             {
-                TokenCachePersistenceOptions = tokenCachePersistenceOptions, // allows MSAL to cache access tokens
+                // TokenCachePersistenceOptions = tokenCachePersistenceOptions, // allows MSAL to cache access tokens
                 AuthorityHost = new Uri(authority)
             };
             tokenCredential = azureCredentialFactory.CreateClientSecretCredential(tenantId, spParameters.ApplicationId, spParameters.Secret, csOptions);
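Review bot: The second hunk (the `ClientSecretCredentialOptions` initializer) comments out `TokenCachePersistenceOptions` with no explanation, while only the certificate branch in the first hunk carries the pointer to the MSAL issue, so a reader of the secret path cannot tell why persistence is off or when it may come back. The reason belongs once, next to the commented `// var tokenCachePersistenceOptions = ...` line that both branches depended on, e.g. `// Token cache persistence is intentionally disabled for service principals (certificate and secret) until the app/user cache split is resolved; see https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3218`, and the three commented-out statements should then be deleted rather than kept as dead code, since the history and that note record how to re-enable it. With no persistence options set, each `Authenticate` call presumably obtains a fresh token from the authority unless the credential caches in memory, which is worth confirming and stating in the same comment. The enclosing `Authenticate` method starts before the first hunk and continues past the second.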