-
Notifications
You must be signed in to change notification settings - Fork 240
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add BearerTokenCredentialPolicy
to azure_core
#1726
Add BearerTokenCredentialPolicy
to azure_core
#1726
Conversation
.NET and Python are actually doing the same thing. I was involved in the development of .NET's. It's still determining if the token needs refreshed on each request via the pipeline. It needs a trigger: there's no thread running concurrently doing this. The logic is basically: if the token for the current call is within 2 minutes of expiring or already expired, fetch a new one. The original request waits on that to complete. From what you described, sounds like Python is conceptually doing the same and I can't imagine what any language would do differently since we wouldn't want to burn a thread (green or otherwise) just to refresh tokens when they may not be needed for long after a token expires. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One major blocker to clean up, but some API changes requested as well.
sdk/core/azure_core/src/policies/storage_bearer_token_policy.rs
Outdated
Show resolved
Hide resolved
sdk/core/azure_core/src/policies/storage_bearer_token_policy.rs
Outdated
Show resolved
Hide resolved
sdk/core/azure_core/src/policies/storage_bearer_token_policy.rs
Outdated
Show resolved
Hide resolved
sdk/core/azure_core/src/policies/storage_bearer_token_policy.rs
Outdated
Show resolved
Hide resolved
…ther feedback nits
Alrighty, so at this point the code is not compiling, and here is my compiler errors:
After fighting with it for about an hour, I took a step back to think deeply about what is going wrong, and now an implementation question: Currently, the way that I am trying to make the retry mechanism work is:
But the issue I am running into is that because we are doing Curious to hear your thoughts @heaths and apologies for the wall of text, but I wanted to be as thorough as possible. Thanks! |
@vincenttran-msft are you going to be able to finish this, or would you like me to prioritize this in my queue? |
I am going to try to get the interior mutability working with Mutex by EOD, otherwise I can revert this back to non-caching and we can review + prioritize this to merge without the caching capabilities. |
@heaths Hi Heath, I have gone ahead and just reverted back to the non-caching implementation. I did notice that the other policies have been moved out to We can look to get this reviewed and merged in this state as I don't want to be blocking any other developments any longer on this item. Sorry for the delay! |
BearerTokenCredentialPolicy
to coreBearerTokenCredentialPolicy
to azure_core
Making the title more generic since this isn't just for Storage. Also, we have labels we generally like for this stuff because that triggers other events sometimes. |
When do you think you might have the caching in, or is this something you want help with? I helped a bit on https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/core/Azure.Core/src/Pipeline/BearerTokenAuthenticationPolicy.cs, which was refactored out of https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/keyvault/Azure.Security.KeyVault.Shared/src/ChallengeBasedAuthenticationPolicy.cs and we'll need to accommodate for Key Vault for Rust here as well. In fact, Key Vault will be our first service crate we end up releasing, most likely. /cc @jhendrixMSFT |
Also, yes, we can leave this in |
I think the caching is something I may need help with. I've gotten close, and I've scoured the internet for resources regarding interior mutability in a thread-safe manner (using RwLock or Mutex), but I just cannot for the life of me ever get it completely satisfying all requirements. One of the main issues with using Mutex was that we have: I know that you can then provide a hand-written implementation, but I think this is all still a little outside of my scope of knowledge. So I think the next best step would be if you could implement the caching, and I will probably learn more from seeing your implementation and understanding how it works rather than sinking any more time (which has been a great learning opportunity, but I also am working on some Python SDK commitments as well which are taking longer than expected) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good as an MVP, but we'll definitely want to cache the access token. What we did in .NET was, if the token is already expired or within 2 minutes of expiring, is fetch it again. It should be indexed based on the authority, as you can see in https://github.com/Azure/azure-sdk-for-net/blob/125bfbb68c585771c6c60f32e0542d45bfc20cfe/sdk/keyvault/Azure.Security.KeyVault.Shared/src/ChallengeBasedAuthenticationPolicy.cs#L48. This is Key Vault's modifications to our more generic https://github.com/Azure/azure-sdk-for-net/blob/125bfbb68c585771c6c60f32e0542d45bfc20cfe/sdk/core/Azure.Core/src/Pipeline/BearerTokenAuthenticationPolicy.cs.
This is the first-pass rough implementation that we were using in our playground
Fully functioning (in simple cases, does not have some intelligent caching / refreshing when the auth expires), but I do have some questions:
AccessTokenCache
which has some logic to make it able to refresh when necessaryon_request
that is called on every request before sending, and has some logic checking for a currentlyNone
token or checkingself._need_new_token
(but not 100% sure what maintains the state of_need_new_token
)_need_new_token
is a property that literally checks a similar condition as you stated (in Python's case, 300 seconds or 5 mins)So we can either iterate on this PR to try to work on the auto-caching, or we can leave it on the backlog and revisit it when necessary 😄