Azure Keyvault JCA gets access token remotely every time it visits key vault. #23473

Closed
michaelqi793 opened this issue Aug 11, 2021 · 3 comments · Fixed by #23847
Labels: azure-spring, bug, Client, KeyVault, Security

Comments

michaelqi793 (Contributor) commented Aug 11, 2021

Azure Key Vault JCA needs to visit Key Vault remotely. For each visit it also needs an access token, so currently it also gets the access token remotely each time. This is not what we want, because the same access token can be reused, and getting the access token remotely is time-costly.

Please see the log:
c.a.security.keyvault.jca.AuthClient : Getting access token using client ID / client secret
c.a.s.keyvault.jca.KeyVaultClient : Getting key for alias: friend
c.a.security.keyvault.jca.AuthClient : Getting access token using client ID / client secret
c.a.security.keyvault.jca.AuthClient : Getting access token using client ID / client secret
c.a.s.keyvault.jca.KeyVaultClient : Getting certificate for alias: friend
c.a.security.keyvault.jca.AuthClient : Getting access token using client ID / client secret
c.a.s.keyvault.jca.KeyVaultClient : Using Azure Key Vault: https://kv-sp.vault.azure.net/
c.a.security.keyvault.jca.AuthClient : Getting access token using client ID / client secret
c.a.s.keyvault.jca.KeyVaultClient : Getting key for alias: friend
c.a.security.keyvault.jca.AuthClient : Getting access token using client ID / client secret
c.a.security.keyvault.jca.AuthClient : Getting access token using client ID / client secret
c.a.s.keyvault.jca.KeyVaultClient : Getting certificate for alias: friend
c.a.security.keyvault.jca.AuthClient : Getting access token using client ID / client secret
o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8443 (https) with context path ''
c.a.s.b.s.w.SpringBootWebappApplication : Started SpringBootWebappApplication in 117.996 seconds (JVM running for 118.846)

Labels added Aug 11, 2021: Client, KeyVault, Security, azure-spring, bug (needs-triage added and removed the same day).
chenrujun added this to the [2021] October milestone Aug 11, 2021.
vcolin7 (Member) commented Aug 13, 2021

It is possible that when this library was written it copied what the other Key Vault SDKs do in their KeyVaultAuthenticationPolicy, which shows the same behavior as outlined in #10381 and #23556. We should only ask for a challenge when the access token is expired to avoid making unnecessary additional calls.

vcolin7 (Member) commented Aug 13, 2021

I will add #10381 to my planning for the next release cycle, in case you want to take a look at the approach taken for that.

@chenrujun chenrujun removed their assignment Aug 20, 2021
michaelqi793 (Contributor, Author) commented

Please refer to https://github.com/Azure/azure-sdk-for-java/blob/1bbf18fa0d4493dbb5fd245b3952bf8dbddbd383/sdk/keyvault/azure-security-keyvault-keys/src/main/java/com/azure/security/keyvault/keys/implementation/ScopeTokenCache.java
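The pattern the thread converges on (the issue's observation that one token is fetched per Key Vault call, vcolin7's point that a new token should only be requested once the cached one is expired, and the pointer to the Keys SDK's per-scope cache) can be shown in a few dozen lines. The following is an added example written for this page; it is not the azure-security-keyvault-jca code, nor a copy of the SDK's ScopeTokenCache. The Key Vault scope string, the two-minute refresh skew, the fake AuthClient stand-in and the access sequence are all assumptions made for the illustration, and the clock is injected so the expiry path can be exercised without waiting an hour.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;
import java.util.function.Supplier;

/** Opaque bearer token plus its absolute expiry. The token string itself must never be logged. */
final class AccessToken {
    final String token;
    final Instant expiresAt;

    AccessToken(String token, Instant expiresAt) {
        this.token = Objects.requireNonNull(token);
        this.expiresAt = Objects.requireNonNull(expiresAt);
    }

    /** True when fewer than `skew` remain: refresh early so a request already in flight does not get a 401. */
    boolean needsRefresh(Instant now, Duration skew) {
        return !now.plus(skew).isBefore(expiresAt);
    }
}

/**
 * Per-scope token cache (illustrative, not the SDK's class). Exactly one remote token
 * exchange per scope until the cached token is within `refreshSkew` of expiry.
 * Use one instance per credential identity: tokens must never be shared across identities or tenants.
 */
final class ScopeTokenCache {
    private final Function<String, AccessToken> remoteFetcher; // the client ID / client secret exchange
    private final Supplier<Instant> clock;
    private final Duration refreshSkew;
    private final Map<String, AccessToken> byScope = new ConcurrentHashMap<>();

    ScopeTokenCache(Function<String, AccessToken> remoteFetcher, Supplier<Instant> clock, Duration refreshSkew) {
        this.remoteFetcher = remoteFetcher;
        this.clock = clock;
        this.refreshSkew = refreshSkew;
    }

    String getToken(String scope) {
        // compute() is atomic per key: concurrent callers for one scope share a single exchange
        // instead of each hitting the token endpoint. If the fetcher throws, the old entry is kept.
        return byScope.compute(scope, (s, cached) -> {
            Instant now = clock.get();
            if (cached != null && !cached.needsRefresh(now, refreshSkew)) {
                return cached;
            }
            return remoteFetcher.apply(s);
        }).token;
    }
}

public class TokenCacheDemo {
    // Data-plane scope for Key Vault; fixed here only for the illustration.
    static final String KEY_VAULT_SCOPE = "https://vault.azure.net/.default";

    public static void main(String[] args) {
        Instant[] now = { Instant.parse("2021-08-11T00:00:00Z") }; // controllable clock
        AtomicInteger remoteCalls = new AtomicInteger();

        // Stand-in for AuthClient: each call corresponds to one
        // "Getting access token using client ID / client secret" line in the issue's log.
        Function<String, AccessToken> fakeAuthClient = scope -> {
            int n = remoteCalls.incrementAndGet();
            System.out.println("remote token exchange #" + n + " for scope " + scope);
            return new AccessToken("constructed-token-" + n, now[0].plus(Duration.ofHours(1)));
        };

        ScopeTokenCache cache = new ScopeTokenCache(fakeAuthClient, () -> now[0], Duration.ofMinutes(2));

        // Same access pattern as the startup log: key, key, certificate, repeated. Each needs a bearer token.
        for (String op : List.of("getKey", "getKey", "getCertificate", "getKey", "getKey", "getCertificate")) {
            cache.getToken(KEY_VAULT_SCOPE);
            System.out.println(op + " for alias 'friend' served with a cached token");
        }
        System.out.println("remote exchanges after 6 operations: " + remoteCalls.get());

        // Advance to 59 minutes: inside the 2-minute skew, so the next lookup triggers one refresh.
        now[0] = now[0].plus(Duration.ofMinutes(59));
        cache.getToken(KEY_VAULT_SCOPE);
        System.out.println("remote exchanges after approaching expiry: " + remoteCalls.get());
    }
}
```

Run with `javac TokenCacheDemo.java && java TokenCacheDemo`. Two design points matter for a security library rather than a plain performance fix: the cache key is the scope, and the instance is tied to one identity, so a token minted for one client ID can never be handed out for another; and refresh happens a little before expiry rather than on a 401, so the provider does not fail a TLS handshake or signing call midway because the token lapsed between the cache lookup and the Key Vault request.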

@github-actions github-actions bot locked and limited conversation to collaborators Apr 11, 2023