Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cache improvements #708

Open
wants to merge 2 commits into
base: dev
Choose a base branch
from
Open

Cache improvements #708

wants to merge 2 commits into from

Conversation

Avery-Dunn
Copy link
Collaborator

Adds an option to use a static/shared cache in ConfidentialClientApplication instead of the per-instance cache (#699), and adds a new field to AuthenticationResult to store helpful metadata about the result (#697)

/**
* List of possible reasons the tokens in an {@link IAuthenticationResult} were refreshed.
*/
public enum CacheRefreshReason {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are missing a case here when "Claims" are specified. When this happens, MSAL has to bypass the token cache and to ESTS.

But not for client capabilities. Client capabilities are internally still claims. But we should not bypass the cache.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still open comment :)

/**
* A default value, likely indicates tokens could not be retrieved
*/
UNKNOWN,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MSAL throws exception when token cannot be retried. I don't think you can get this value. Also, there is no unit test covering this path.

assertEquals(TokenSource.IDENTITY_PROVIDER, result.metadata().tokenSource());
assertEquals(CacheRefreshReason.NOT_APPLICABLE, result.metadata().cacheRefreshReason());
assertEquals(TokenSource.CACHE, acquireSilentResult.metadata().tokenSource());
assertEquals(CacheRefreshReason.NOT_APPLICABLE, acquireSilentResult.metadata().cacheRefreshReason());
Copy link
Member

@bgavrilMS bgavrilMS Sep 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add more tests. Consider adding these assertions to all integrationt tests, not just public client ones. Client_credentials is of highest priority.

In particular:

  • client_credentials + all combos of CacheRefreshReason (especially PROACTIVE_REFRESH)

  • client_credentials + claims

  • obo and auth code

Copy link
Member

@bgavrilMS bgavrilMS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Insufficient tests

//Because the confidential client flow has an internal silent call:
// -result_notStatic1 and result_notStatic2 should be the same, because they both used the non-static cache from one ConfidentialClientApplication instance
// -result_sharedCache1 and result_sharedCache2 should be the same, because they both used the static cache shared between two ConfidentialClientApplication instances
assertEquals(result_notStatic1.accessToken(), result_notStatic2.accessToken());
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since you added token source in the metadata, you can also check the token source as cache or IDP

@@ -208,6 +215,12 @@ public ConfidentialClientApplication.Builder appTokenProvider(Function<AppTokenP
throw new NullPointerException("appTokenProvider is null") ;
}

public ConfidentialClientApplication.Builder useSharedCache(boolean val) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The user experience in MSAL.net is enable this through cache options. Are we not planning to be consistent with it?

/**
* List of possible reasons the tokens in an {@link IAuthenticationResult} were refreshed.
*/
public enum CacheRefreshReason {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could not find where this value is being sent to server side telemetry. The expected format for that is Expected format: 5|api_id,cache_info,region_used,region_autodetection,region_outcome|platform_config where this values is sent as cache info. Also when you send it to server side telemetry it should be a numeric value as 0,1, etc. See https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/ac1cb0522a011e0a6e0802a2535bf03cfd8d9fab/src/client/Microsoft.Identity.Client/Cache/CacheRefreshReason.cs#L9

Copy link
Collaborator

@neha-bhargava neha-bhargava left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The token source and cache refresh reason is also sent to the server side telemetry. I did not see the code to send it to server side telemetry. See HttpTelemetryManager.cs for reference.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants