Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request] Expose a new string SuggestedCacheKey in TokenCacheNotificationArgs #1902

Closed
jmprieur opened this issue Jun 25, 2020 · 1 comment
Closed

[Feature Request] Expose a new string SuggestedCacheKey in TokenCacheNotificationArgs #1902

jmprieur opened this issue Jun 25, 2020 · 1 comment
Assignees
@jennyf19
Labels
Feature Request
Milestone
4.16.0

Comments

@jmprieur
Copy link
Contributor

jmprieur commented Jun 25, 2020
edited
Loading

Is your feature request related to a problem? Please describe.
Today, in confidential client applications, there needs to be one cache per user/account. And the difficulty is that the token cache custom serialization needs to decide where to serialize the cache based on some information which is not available today in the TokenCacheNotificationArgs.
This was solved in Microsoft.Identity.Web by having the application compute a cache key (then used by the customer serializers to get the blob for the account in the case of the user token cache, or for the app token cache)

Unfortunately, we just learnt from the ASP.NET core team that the way we do it, by using the HttpContext is risky because, in particular, HttpContext is not thread safe, and should be avoided.

Describe the solution you'd like
The proposal is to have MSAL.NET propose a hint for a cache key (that the token cache customer serializers would be free to use or not) based on the flow. We would add a new property to TokenCacheNotificationArgs, of type string, and named SuggestedCacheKey computed as follows:

  • when the flow is ClientCredentials, return the ClientId (or App_{ClientId}
  • when the flow is OBO, return the hash of the access token passed-in to call the OBO
  • for the other flows (including AcquireTokenSilent), use the home account ID when it's available.

Describe alternatives you've considered

Another possibility would be to add to AcquireTokensilent builders for confidential client apps the .WithTokenCacheKey method, but this is not my prefered option.

Additional context
See how things are done today in Microsoft.Identity.Web

https://github.com/AzureAD/microsoft-identity-web/blob/b9457a826dc4f6d7fbafc67d37f06b2d6cd2acd3/src/Microsoft.Identity.Web/TokenCacheProviders/MsalAbstractTokenCacheProvider.cs#L60-L75

and what issue this provokes, as described in issue AzureAD/microsoft-identity-web#235
@jmprieur jmprieur mentioned this issue Jun 25, 2020
Closed
@jennyf19 jennyf19 self-assigned this Jun 25, 2020
@jennyf19 jennyf19 mentioned this issue Jun 27, 2020
Merged
@bgavrilMS bgavrilMS added the Fixed label Jul 2, 2020
@bgavrilMS bgavrilMS added this to the 4.16.0 milestone Jul 2, 2020
@jmprieur
Copy link
Contributor Author

jmprieur commented Jul 7, 2020
edited
Loading

See Azure-Samples/ms-identity-aspnet-webapp-openidconnect#38 for how the usage of SuggestedCacheKey and HasToken simplifies the token cache serialization in confidential client applications

cc: @bgavrilMS @jennyf19 @pmaytak @henrik-me @trwalke @neha-bhargava

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jennyf19 jennyf19

Labels
Feature Request
Projects
None yet
Milestone
4.16.0
Development

No branches or pull requests
3 participants
@bgavrilMS @jmprieur @jennyf19