2

I have not found any details on whether the Azure.Identity library caches tokens or not. I am wondering if it properly caches the token per scope and renews it before expiry, or if I have to write this functionality myself.

Any pointers to the proper documentation are welcome as well.

There is a SharedTokenCacheCredential in the library, but I do believe it is something else. I am asking about in-memory caching for performance reasons - to not get a new token each time.

Ilya Chernomordik

1 Answer

3

It might have caching depending on the credential that gets used. For example the environment variable credential can build e.g. a ClientSecretCredential, which uses an instance of MSAL ConfidentialClientApplication internally (see source). MSAL has an in-memory cache for tokens, so this would work fine.

The Managed Identity credential does not cache tokens in my experience, though the MI endpoint does. It is still not exactly scalable to call that HTTP endpoint every time you need a token, so when using Managed Identities, an in-memory cache is a good idea that caches tokens until 4-5 minutes before expiry (not more).

Azure SDKs themselves have a token caching feature in their HTTP pipeline so the credentials aren't technically required to do caching.

juunas
  • Can you please look at my answer? Did I provide an incorrect answer? Please let me know. Thanks. – Gaurav Mantri Apr 12 '21 at 12:37
  • Shared token cache is using files on disk that are produced by e.g. Visual Studio. It is sort of a cache? But using it still results in disk access every time. There isn't any guarantee that shared token cache is available for the user either. – juunas Apr 12 '21 at 12:48
  • So that means that if I use environment variables, I won't use this SharedTokenCache, right? I did a few calls in a row and the exact same token was returned, so there seems to be something in there, but I don't really know if it's a real token cache or something is luring me – Ilya Chernomordik Apr 12 '21 at 13:12
  • That's correct. Env vars have priority in DefaultAzureCredential. – juunas Apr 12 '21 at 13:22
  • So what about getting the same token twice, there should be some kind of caching, I am just wondering if it's exactly what I need or not – Ilya Chernomordik Apr 12 '21 at 13:42
  • 2
    Hmm.. I went looking in the [source code](https://github.com/Azure/azure-sdk-for-net/blob/b33a5e3096df23bd5a9af0210428f08ffe75a8eb/sdk/identity/Azure.Identity/src/ClientSecretCredential.cs#L18), and it seems an instance of MSAL is used internally. It by default has an in-memory cache, which would mean you get caching. My answer might be overly broad and based on my experience with using it with Managed Identities (where it absolutely does not cache in-memory). Will update the answer. – juunas Apr 13 '21 at 05:47
  • "Azure SDKs themselves have a token caching feature in their HTTP pipeline" --> any examples you can share? – Chris DaMour Aug 28 '23 at 19:24
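
The in-memory cache suggested in the answer above for Managed Identity, as an added example that is not part of the original answer or of Azure.Identity: a wrapper around any `TokenCredential` that keeps one token per scope set and refreshes it 5 minutes before expiry. The class name `CachingTokenCredential` is hypothetical, and the cache key assumes requests differ only by scope (not by tenant or claims).

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;

// Hypothetical wrapper (not part of Azure.Identity): caches tokens per scope set in memory.
public sealed class CachingTokenCredential : TokenCredential
{
    // Refresh this long before the token's stated expiry.
    private static readonly TimeSpan RefreshMargin = TimeSpan.FromMinutes(5);
    private readonly TokenCredential _inner;
    private readonly ConcurrentDictionary<string, AccessToken> _cache = new();
    private readonly SemaphoreSlim _refreshLock = new(1, 1);

    public CachingTokenCredential(TokenCredential inner) => _inner = inner;

    // One cache entry per distinct set of scopes; scope order does not matter.
    private static string KeyFor(TokenRequestContext ctx)
    {
        var scopes = (string[])ctx.Scopes.Clone();
        Array.Sort(scopes, StringComparer.Ordinal);
        return string.Join(" ", scopes);
    }

    // A cached token counts as fresh only while it is outside the refresh margin.
    private bool TryGetFresh(string key, out AccessToken token) =>
        _cache.TryGetValue(key, out token) &&
        token.ExpiresOn - RefreshMargin > DateTimeOffset.UtcNow;

    public override async ValueTask<AccessToken> GetTokenAsync(
        TokenRequestContext ctx, CancellationToken ct)
    {
        string key = KeyFor(ctx);
        if (TryGetFresh(key, out var cached)) return cached;
        // Serialize refreshes so concurrent callers do not all hit the token endpoint.
        await _refreshLock.WaitAsync(ct).ConfigureAwait(false);
        try
        {
            // Another caller may have refreshed while we waited for the lock.
            if (TryGetFresh(key, out cached)) return cached;
            var fresh = await _inner.GetTokenAsync(ctx, ct).ConfigureAwait(false);
            _cache[key] = fresh;
            return fresh;
        }
        finally { _refreshLock.Release(); }
    }

    public override AccessToken GetToken(TokenRequestContext ctx, CancellationToken ct) =>
        GetTokenAsync(ctx, ct).AsTask().GetAwaiter().GetResult();
}
```

Create one instance and share it, e.g. `new CachingTokenCredential(new ManagedIdentityCredential())`; the tokens are held only in process memory and are never written to disk or logs.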