
I am working on an SDK where we send telemetry (thousands of events per minute) to an Ingestion Service owned by Microsoft. (The SDK is used by web apps hosted on Azure VMs or App Services.) The Ingestion Service currently supports authentication using Managed Identities (both system-assigned and user-assigned). My idea is to take a dependency on the Azure Identity SDK and use the existing DefaultAzureCredential or ManagedIdentityCredential implementations of 'TokenCredential' to get the tokens, as shown below, and use this defaultCredential while initializing the SDK. Once I have the SDK initialized, my idea is to get the token and attach it to the Authorization header on each request.

import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;

// Build a credential that resolves to the user-assigned managed identity with the given client id
DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder()
    .managedIdentityClientId("<MANAGED_IDENTITY_CLIENT_ID>")
    .build();

Questions:

  1. How frequently are the tokens refreshed? How can the expiry of these tokens be controlled?
  2. When the token is expired, are the managed identities smart enough to call AAD and get new tokens? Or is it the SDK's (client's) responsibility to get a new token and update the header?
kryalama
  • According to [this doc](https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet#methods), DefaultAzureCredential provides a method 'GetToken' that returns the access token; you can then read the 'ExpiresOn' property to get the expiry timestamp. You can use PowerShell to [manage the access token expiry policy](https://learn.microsoft.com/en-us/azure/active-directory/develop/configure-token-lifetimes#create-token-lifetime-policies-for-refresh-and-session-tokens). – Tiny Wang Mar 23 '21 at 02:54

1 Answer


In my opinion, the token won't be refreshed automatically. If you want to know the expiry time, you could use a tool like Fiddler to capture the request that used the token and use jwt.io to decode it; you will get a claim 'exp', which is a Unix timestamp. Convert it and you will know the expiry time.

And the expiry time is managed by the policy of your tenant; you can follow the tutorial to create a policy for your access token. And because your code just calls new DefaultAzureCredential(), any time that line executes it will generate a new instance, so you don't need to worry about the token expiring.

Tiny Wang
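The following is an added example, not code from the question or the answer above, showing in one place what both discuss: how a client SDK can obtain a token from a TokenCredential, attach it as a Bearer header, refresh it shortly before ExpiresOn/expiresAt so a request never carries an expired token, and read the 'exp' claim locally (the same value you would see by pasting the token into jwt.io). The scope string, the ingestion endpoint URL and the five-minute refresh margin are assumptions chosen for illustration; the real scope is the ingestion service's resource identifier followed by "/.default".

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredentialBuilder;

import java.net.URI;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Caches one access token per credential and replaces it shortly before expiry,
 * so each outgoing request carries a token that is still valid.
 */
public final class IngestionTokenProvider {
    // Assumed scope; the real value is the ingestion service's resource id plus "/.default".
    private static final String SCOPE = "https://<ingestion-resource>/.default";
    // Assumed margin: refresh when less than five minutes of validity remain.
    private static final Duration REFRESH_MARGIN = Duration.ofMinutes(5);

    private final TokenCredential credential;
    private AccessToken cached;

    public IngestionTokenProvider(TokenCredential credential) {
        this.credential = credential;
    }

    /** Returns a cached token, fetching a new one only when it is missing or about to expire. */
    public synchronized AccessToken current() {
        OffsetDateTime deadline = OffsetDateTime.now().plus(REFRESH_MARGIN);
        if (cached == null || cached.getExpiresAt().isBefore(deadline)) {
            // getToken returns a Mono; block() is acceptable here because this is a short,
            // infrequent call (once per token lifetime, not once per telemetry event).
            cached = credential.getToken(new TokenRequestContext().addScopes(SCOPE)).block();
        }
        return cached;
    }

    /** Attaches the current token as a Bearer credential on the outgoing request. */
    public HttpRequest.Builder authorize(HttpRequest.Builder request) {
        return request.header("Authorization", "Bearer " + current().getToken());
    }

    /**
     * Reads the 'exp' claim straight from the JWT payload (second base64url segment),
     * which is what jwt.io shows. Useful for logging how long the token is good for.
     * Returns null if the token is not a JWT or has no numeric 'exp' claim.
     */
    public static Instant expiryFromJwt(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) {
            return null;
        }
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)").matcher(payload);
        return m.find() ? Instant.ofEpochSecond(Long.parseLong(m.group(1))) : null;
    }

    public static void main(String[] args) {
        TokenCredential credential = new DefaultAzureCredentialBuilder()
            .managedIdentityClientId("<MANAGED_IDENTITY_CLIENT_ID>")
            .build();
        IngestionTokenProvider provider = new IngestionTokenProvider(credential);

        AccessToken token = provider.current();
        System.out.println("SDK reports expiresAt = " + token.getExpiresAt());
        System.out.println("JWT 'exp' claim       = " + expiryFromJwt(token.getToken()));

        // Assumed endpoint URL; every telemetry batch goes through authorize() so the header is fresh.
        HttpRequest request = provider
            .authorize(HttpRequest.newBuilder(URI.create("https://<ingestion-endpoint>/track")))
            .POST(HttpRequest.BodyPublishers.ofString("{\"events\":[]}"))
            .build();
        System.out.println("Authorization header set: " + request.headers().firstValue("Authorization").isPresent());
    }
}
```

Two design points worth noting. First, the header is built from current() on every request rather than from a token captured at SDK initialization, so a long-running process never keeps sending a token that expired hours ago; the cache keeps the cost to one credential call per token lifetime. Second, the refresh margin protects against the race where a token passes the expiry check locally but is expired by the time the ingestion service validates it. If the SDK is built on azure-core's HttpPipeline, the library's own BearerTokenAuthenticationPolicy applies the same cache-and-refresh behaviour, so this class is only needed when requests are sent outside that pipeline.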