[Identity] Silently refreshing tokens for DeviceCodeCredential #11128

Closed
ms-kashyap opened this issue Apr 29, 2020 · 9 comments · Fixed by #10612

@ms-kashyap

Is your feature request related to a problem? Please describe.
Hi there, I am using the azure-identity library to authenticate a user using Device Code Login. After their access token expires after 60 minutes, I am unable to silently refresh this token.

Describe the solution you'd like
I would like to be able to silently refresh their access token once it is expired, so that they don't have to go through device code login again if they call my Python module after 60 minutes.

Describe alternatives you've considered
The Python adal library supports this, but I am unable to use it because I am using the new azure-keyvault-secrets library, which requires you to pass in a credential created by azure-identity.
Here's the API supported by the adal library

Additionally, I tried calling internal APIs within azure-identity. I understand that both these APIs are meant to be used for application-delegated authentication instead of user-delegated.
Two that I looked at:

from azure.identity import DeviceCodeCredential

class CachedDeviceCodeCredential(DeviceCodeCredential):
    def get_token(self):
        ...  # calls super().get_token() the first time around
        ...  # calls silently_refresh_token() after a token was obtained but is now expired

    def silently_refresh_token_1(self):
        ...  # hard coded params for testing
        new_token = self._get_app().acquire_token_silent(scopes, account=account)  # doesn't work after 60 min

    def silently_refresh_token_2(self):
        from azure.identity._credentials.shared_cache import SharedTokenCacheCredential
        ...  # hard coded params for testing
        cache = SharedTokenCacheCredential(username=username, tenant_id=tenant_id)
        new_token = cache.get_token()  # doesn't work

Additional context
Please let me know if you'd like for me to provide additional context.

One thing to note is that since the DeviceCodeCredential doesn't provide caching (i.e. each get_token() call starts a new flow), I created the wrapper class with an overridden get_token() that caches the token in memory and on disk.

@kaerm
Contributor

kaerm commented Apr 29, 2020

@ms-kashyap thank you for reporting this, someone from our team will take a look at this //cc: @chlowell

@chlowell
Member

#10612 adds support for this and will be part of our next preview release, coming soon. With that PR, the credential will silently refresh tokens as needed. It also adds an in-memory cache and optional disk cache on supported platforms (in this release, Windows).

@ms-kashyap
Author

Great, thank you so much!
Looking forward to it :)

@ms-kashyap
Author

Sorry, had a follow-up question.

You mentioned that the on-disk caching works on Windows only. What is the main reason this will not work on Linux, and are you planning to add support to other platforms besides Windows?

@ms-kashyap ms-kashyap reopened this Apr 29, 2020
@chlowell
Member

The main reason is we haven't had an implementation for the cache anywhere else. We do now, and will add support for persistent caching on Linux and macOS. #11134 tracks that work.

@ms-kashyap
Author

Awesome. Thank you so much for the quick responses, I appreciate it. Looking forward to the new features :) Go MS!

@chlowell
Member

chlowell commented May 4, 2020

In azure-identity 1.4.0b3, released today, DeviceCodeCredential has an in-memory cache and will silently refresh tokens as needed. Please open an issue if you encounter any problems using it.

Today's release also includes optional caching to disk on Windows when the credential is constructed with enable_persistent_cache=True. We'll add persistent caching on Linux and macOS in a future release.

@zhuanyi

zhuanyi commented Jul 7, 2022

Is there a recommended way to force refresh of the DeviceCodeCredential at this point? Understood the DeviceCodeCredential class would be refreshed silently but want to see if there is a way we could force a refresh as well.

@chlowell
Member

The credential's authenticate and get_token methods will begin interactive authentication if that's necessary to get a token, for example when the credential doesn't have a token cached. (Azure SDK clients call get_token automatically, so most applications don't need to call either method). There's no way to force the credential to acquire a new token when it has a valid one cached.

@github-actions github-actions bot locked and limited conversation to collaborators Apr 12, 2023
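
The behaviour discussed in this thread (a valid cached token is reused, an expired one is refreshed silently, and the device code prompt appears only when neither is possible), modelled with the standard library only. This is an added example, not code from azure-identity or MSAL; `FakeAuthority`, `CachingDeviceCodeModel`, `SKEW`, the scope name and the token strings are constructed assumptions.

```python
import time
SKEW = 300  # assumed value: treat tokens within 5 minutes of expiry as stale

class FakeAuthority:
    """Constructed stand-in for a token endpoint (not a real service)."""
    def __init__(self, lifetime=3600):
        self.lifetime, self.issued = lifetime, 0
        self.valid_refresh_tokens = set()
    def _issue(self, now):
        self.issued += 1
        rt = f"rt-{self.issued}"
        self.valid_refresh_tokens.add(rt)
        return {"access_token": f"at-{self.issued}", "refresh_token": rt,
                "expires_on": now + self.lifetime}
    def device_code_grant(self, now):  # stands for the user completing the prompt
        return self._issue(now)
    def refresh_grant(self, refresh_token, now):
        if refresh_token not in self.valid_refresh_tokens:
            raise PermissionError("invalid_grant")  # revoked or expired
        return self._issue(now)

class CachingDeviceCodeModel:
    def __init__(self, authority, clock=time.time):
        self.authority, self.clock = authority, clock
        self.cache, self.interactive_prompts = {}, 0
    def get_token(self, scope):
        now, rec = self.clock(), self.cache.get(scope)
        if rec and rec["expires_on"] - SKEW > now:
            return rec["access_token"]  # valid cached token: no request, no prompt
        if rec:  # expired: try to redeem the cached refresh token silently
            try:
                rec = self.authority.refresh_grant(rec["refresh_token"], now)
            except PermissionError:
                rec = None
        if rec is None:  # nothing cached, or the silent refresh was rejected
            self.interactive_prompts += 1
            rec = self.authority.device_code_grant(now)
        self.cache[scope] = rec
        return rec["access_token"]

def demo():
    t = {"now": 0}  # constructed clock so the run is deterministic
    cred = CachingDeviceCodeModel(FakeAuthority(), clock=lambda: t["now"])
    out = []
    for now, revoke in [(0, False), (1800, False), (3700, False), (7400, True)]:
        if revoke:  # simulate the authority revoking all refresh tokens
            cred.authority.valid_refresh_tokens.clear()
        t["now"] = now
        out.append(cred.get_token("vault-scope"))
    return out, cred.interactive_prompts
```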