Ensure refreshOn is computed as half the token lifetime for Managed Identity tokens #848
Labels:
- AzureSDK (Issues and requests affecting the Azure SDK)
- confidential-client (For issues related to confidential client apps)
- Feature Request (Request for new functionality)
Summary:
Implement logic to compute and return the refreshOn value as half the token lifetime for long-lived Managed Identity tokens (those with a token expiry of >2 hours). This adjustment will align with Azure Identity standards and prevent intermittent token refresh failures for our Enterprise customers, such as Cosmos.
Background:
The current implementation does not account for the unique requirements of long-lived Managed Identity tokens, which have a token expiry of more than 2 hours. As a result, our Enterprise customers have occasionally experienced intermittent token refresh failures. This proposed change aims to mitigate such issues by ensuring a more predictable and consistent token refresh process.
Details:
Compute refreshOn Value:
For Managed Identity tokens with a token expiry of more than 2 hours, calculate the refreshOn value as half the token's lifetime. For example, if a token has a 4-hour lifetime, the refreshOn value should be set to 2 hours.
This approach ensures that the token is refreshed well before it expires, providing a buffer period to handle any potential refresh issues.
Consistency with Azure Identity:
This adjustment aligns our token refresh strategy with Azure Identity standards, promoting consistency across our services and improving overall reliability.
Enterprise Customer Impact:
By implementing this change, we can enhance the experience for our Enterprise customers, such as Cosmos, by reducing the likelihood of token refresh failures and ensuring seamless operations.
Implementation Plan:
Code Modification:
Identify the section of the codebase responsible for calculating the refreshOn value for Managed Identity tokens.
Introduce logic to check the token expiry duration. If the duration is more than 2 hours, calculate refreshOn as half of the token lifetime.
If `refresh_in` comes back as part of the response, honor it.
Testing:
Develop unit tests to validate the new refreshOn calculation logic.
Conduct integration testing to ensure that the feature works correctly in various scenarios, including different token lifetimes and renewal intervals.
Documentation:
Update internal documentation to reflect the new logic for calculating the refreshOn value.
Conclusion:
Adjusting the refreshOn calculation for long-lived Managed Identity tokens will significantly enhance the reliability and consistency of our token refresh process. This change will align our practices with Azure Identity standards and provide a better experience for our Enterprise customers, such as Cosmos, by minimizing the risk of intermittent token refresh failures.
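The rule the issue proposes, as an added Python example that is not code from the issue author or from the library's own code base: a `refresh_in` value in the token response takes precedence; otherwise a token whose lifetime exceeds two hours gets refreshOn at half its lifetime, and a shorter-lived token gets no proactive refresh time (what the library does for those is left to its existing expiry-based logic, an assumption here). The second half shows the buffer the issue argues for: when the proactive refresh at refreshOn fails, the still-valid cached token keeps being served instead of surfacing an error. Names such as `compute_refresh_on`, `CachedToken` and `get_token`, and the simulated token responses, are hypothetical and constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Assumption taken from the issue text: a managed-identity token with more than
# two hours of lifetime counts as "long-lived" and gets refreshOn = half lifetime.
LONG_LIVED_THRESHOLD_SECONDS = 2 * 3600


@dataclass
class CachedToken:
    access_token: str
    expires_on: int            # unix seconds at which the token is no longer valid
    refresh_on: Optional[int]  # unix seconds at which to proactively refresh, or None


def compute_refresh_on(now: int, expires_in: int, refresh_in: Optional[int] = None) -> Optional[int]:
    """Return the unix time at which a cached token should be proactively refreshed.

    Precedence, following the issue's implementation plan:
      1. honor refresh_in if the token endpoint returned it;
      2. otherwise, for tokens with expires_in > 2 hours, use half the lifetime;
      3. otherwise return None (no proactive refresh time; caller keeps its
         existing expiry-based behaviour, which is outside this example).
    """
    if refresh_in is not None and refresh_in > 0:
        return now + refresh_in
    if expires_in > LONG_LIVED_THRESHOLD_SECONDS:
        return now + expires_in // 2
    return None


def cache_token_response(now: int, response: dict) -> CachedToken:
    """Build the cache entry from a (constructed) token-endpoint JSON response."""
    expires_in = int(response["expires_in"])
    refresh_in = response.get("refresh_in")
    return CachedToken(
        access_token=response["access_token"],
        expires_on=now + expires_in,
        refresh_on=compute_refresh_on(
            now, expires_in, int(refresh_in) if refresh_in is not None else None
        ),
    )


def get_token(cache: CachedToken, now: int, acquire: Callable[[], dict]) -> Tuple[CachedToken, str]:
    """Serve a token from cache, refreshing proactively at refresh_on.

    Returns the (possibly updated) cache entry and an outcome label:
      "cached"           no refresh was due, cached token served
      "refreshed"        a new token was acquired and cached
      "stale-but-valid"  proactive refresh failed, but the cached token has not
                         expired yet, so it is served (this is the buffer the
                         half-lifetime refreshOn provides)
    A failure once the token has actually expired is propagated to the caller.
    """
    if now >= cache.expires_on:
        # Hard expiry: there is nothing valid to fall back to, so let errors surface.
        return cache_token_response(now, acquire()), "refreshed"
    if cache.refresh_on is not None and now >= cache.refresh_on:
        try:
            return cache_token_response(now, acquire()), "refreshed"
        except Exception:
            # Transient failure talking to the token endpoint: keep using the
            # cached token; the next call will retry the proactive refresh.
            return cache, "stale-but-valid"
    return cache, "cached"


def simulated_endpoint_failure() -> dict:
    """Constructed stand-in for an intermittent token-endpoint failure."""
    raise RuntimeError("simulated: managed identity endpoint unavailable")


if __name__ == "__main__":
    now = 1_700_000_000
    # Constructed 4-hour token with no refresh_in: refreshOn lands at +2h.
    tok = cache_token_response(now, {"access_token": "tokA", "expires_in": 4 * 3600})
    print("refresh_on offset:", tok.refresh_on - now)            # 7200
    _, outcome = get_token(tok, now + 7200, simulated_endpoint_failure)
    print("outcome at refresh_on with failing endpoint:", outcome)  # stale-but-valid
```

Note that a token of exactly two hours is not treated as long-lived here, since the issue says "more than 2 hours"; if the intended boundary is inclusive, the comparison in `compute_refresh_on` is the one line to change.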