[Bug] msal_extensions.token_cache.PersistedTokenCache is bypassed by ConfidentialClientApplication #127

Closed
jiasli opened this issue Apr 11, 2024 · 6 comments · Fixed by #128 or Azure/azure-cli#28747
Labels
bug Something isn't working P1 regression

Comments

@jiasli
Contributor

jiasli commented Apr 11, 2024

Describe the bug
AzureAD/microsoft-authentication-library-for-python#644 introduced a regression that msal_extensions.token_cache.PersistedTokenCache is bypassed by ConfidentialClientApplication.

To Reproduce

az login --service-principal --username ... --password ... --tenant ... --allow-no-subscriptions

az account get-access-token --scope https://management.azure.com//.default
...
  "expiresOn": "2024-04-11 19:25:43.000000",

az account get-access-token --scope https://management.azure.com//.default
...
  "expiresOn": "2024-04-11 19:26:03.000000",

Notice each time a new access token is retrieved, bypassing the token cache. Detailed analysis is provided at AzureAD/microsoft-authentication-library-for-python#644 (comment).

This causes a severe regression in OIDC authentication, so that no Azure CLI task can run longer than the OIDC token's 5-minute lifetime (Azure/azure-cli#28708 (comment)).

Expected behavior
Old access token from the token cache should be retrieved.

What you see instead
A new access token is retrieved.

The MSAL Python version you are using
1.28.0

Additional context
Add any other context about the problem here.
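
A regression check for the reproduction above, as an added example that is not part of the original issue or of either project's code: it compares the `expiresOn` values of two consecutive `az account get-access-token` outputs and reports whether the second call was served from the token cache. The function names, the 5-minute renewal margin, the time of the second call and the full sample JSON are assumptions constructed for illustration; only the two `expiresOn` values come from the issue.

```python
import json
from datetime import datetime, timedelta

# Format of "expiresOn" as shown in the output quoted in the issue (local time).
AZ_TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample outputs; only the expiresOn values are taken from the issue.
FIRST_OUTPUT = '{"accessToken": "<constructed-1>", "expiresOn": "2024-04-11 19:25:43.000000"}'
SECOND_OUTPUT = '{"accessToken": "<constructed-2>", "expiresOn": "2024-04-11 19:26:03.000000"}'
# Constructed: assumed local time at which the second command was run.
SECOND_CALL_TIME = datetime(2024, 4, 11, 18, 26, 3)


def parse_expires_on(az_output: str) -> datetime:
    """Extract expiresOn from the JSON printed by `az account get-access-token`."""
    return datetime.strptime(json.loads(az_output)["expiresOn"], AZ_TIME_FORMAT)


def classify_second_call(first_output: str, second_output: str,
                         second_call_time: datetime,
                         renewal_margin: timedelta = timedelta(minutes=5)) -> str:
    """Classify the second call as cache-hit, expected-renewal or cache-bypassed.

    renewal_margin is an assumed window before expiry in which fetching a
    fresh token is legitimate and must not be reported as a bypass.
    """
    first_expiry = parse_expires_on(first_output)
    second_expiry = parse_expires_on(second_output)
    if second_expiry == first_expiry:
        return "cache-hit"            # same token came back from the cache
    if second_call_time >= first_expiry - renewal_margin:
        return "expected-renewal"     # first token was expired or about to expire
    return "cache-bypassed"           # a still-valid cached token was ignored


if __name__ == "__main__":
    print(classify_second_call(FIRST_OUTPUT, SECOND_OUTPUT, SECOND_CALL_TIME))
```
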

@bgavrilMS
Member

@rayluo - it looks like Azure CLI has been getting quite a lot of attention on this issue, including ICMs and the scenario is very much used right now. Any objection to getting a release out asap?

@rayluo
Contributor

rayluo commented Apr 12, 2024

@rayluo - it looks like Azure CLI has been getting quite a lot of attention on this issue, including ICMs and the scenario is very much used right now. Any objection to getting a release out asap?

@bgavrilMS , even if we ship this immediately, there are still some logistic steps on the Azure CLI side. After a discussion with Azure CLI team, we mutually agreed on the steps and timeline, described in the mitigation comment in the ICM.

@bgavrilMS
Member

@rayluo - it looks like Azure CLI has been getting quite a lot of attention on this issue, including ICMs and the scenario is very much used right now. Any objection to getting a release out asap?

@bgavrilMS , even if we ship this immediately, there are still some logistic steps on the Azure CLI side. After a discussion with Azure CLI team, we mutually agreed on the steps and timeline, described in the mitigation comment in the ICM.

Thank you @rayluo and @jiasli

@MoazzemHossain-bot

I need help to resolve this issue.

@rayluo
Contributor

rayluo commented May 9, 2024

I need help to resolve this issue.

So, you are a msal-extensions user, @MoazzemHossain-bot?

This issue has been fixed in msal-extensions 1.2.0b1, which is available from PyPI. This is the version that unblocked Azure CLI.

Please also watch/subscribe to the current repo so that you will receive a notification when we ship a stable version 1.2.0 in the near future.

@MoazzemHossain-bot

Thanks for your favour.
