-
Notifications
You must be signed in to change notification settings - Fork 829
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Token caching for AzureCLICredential #23533
Comments
Thank you for your feedback. Tagging and routing to the team member best able to assist. |
This is by design. We want credential types invoking external tools (AzureCLICredential, AzureDeveloperCLICredential) to always authenticate the user logged in to the tool, which can change at any time. Caching tokens in the credential would enable behavior that's difficult to understand and can cause hard to debug failures. For example:
If the credential caches those tokens, then the user authenticated by the credential depends on the resource being accessed, and the application may see unexpected authorization failures or act with unexpected privileges. So,
However, Azure SDK clients do cache tokens, regardless of the credential type, so e.g. a Key Vault client doesn't call Another way to get a similar workflow with better performance is to use AzureDeveloperCLICredential instead. |
Hi @mateuszlitwin. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation. |
What type of tokens would you recommend for usage in Go-based CLIs? AzureCLICredential performance is pretty bad, it adds >0.5s latency, I was hoping with better caching it can be avoided for repeated calls. |
For a CLI authenticating users, I recommend InteractiveBrowserCredential and DeviceCodeCredential. You can enable persistent caching for these credentials so users don't have to log in every time they run your CLI. InteractiveBrowserCredential is a reasonable default but generally doesn't work in remote or headless environments such as SSH sessions because it tries to open a web browser and redirect to localhost. DeviceCodeCredential is designed for those environments. You could try to automatically fall back to device code auth when the browser approach fails, however I'd recommend adding a flag like |
Feature Request
Based on https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/TOKEN_CACHING.MD#credentials-supporting-token-caching caching is not implemented for
AzureCLICredential
. I useaz login
extensively and would like to reuse tokens when using Go cli. Currently this results in a poor performance.The text was updated successfully, but these errors were encountered: