[FEATURE REQ] Make it so the KeyVaultCredentialPolicy makes a call to obtain an authentication challenge only in the case there is no access token in the cache or it has expired

[vcolin7]

Is your feature request related to a problem? Please describe.
When authenticating calls for KeyVault Keys, the Java KeyVaultCredentialPolicy class always makes a naive call to obtain a challenge that could be used to get an access token in case there is none in the cache or the one it has is expired.

Describe the solution you'd like
The KeyVaultCredentialPolicy only makes a call for a challenge AFTER making sure there is no token in the cache or if it has expired.

Describe alternatives you've considered
Caching the challenge like the .NET SDK does and using that instead in case there is no token or it has expired.

Information Checklist

• Description Added
• Expected solution specified

[heaths]

That's the old policy. Take a look at https://github.com/Azure/azure-sdk-for-net/blob/f4cbb5c5659b949de1d3cb9d82e02220003848d2/sdk/keyvault/Azure.Security.KeyVault.Shared/src/ChallengeBasedAuthenticationPolicy.cs. It's actually a little older as well and was refactored into Azure.Core for reuse with Attestation, so I think this older version is a bit more succinct. It still works the same, but if you look at the HEAD copy in main now it's base class lives in sdk/core/Azure.Core.

This is client-bound, so the same client will have a policy that will cache access tokens and refresh as needed. It's still thread-safe, but not shared across clients. There was discussion about doing so, though. Something to consider.

Still, since - at least for .NET - we recommend treating Key Vault clients - for the same endpoint - as singletons, it works out.