Add back the SharedTokenCacheCredential to handle token which is cached by the InteractiveBrowserCredential #603
Conversation
| @@ -97,7 +99,18 @@ def _initialize_credentials(self): | |||
| credentials.append(VisualStudioCodeCredential(authority=self.authority, tenant_id=self.tenant_id)) | |||
| credentials.append(AzureCliCredential(tenant_id=self.tenant_id)) | |||
| credentials.append(AzurePowerShellCredential(tenant_id=self.tenant_id)) | |||
| credentials.append(InteractiveBrowserCredential(authority=self.authority, tenant_id=self.tenant_id)) | |||
| # Before trying other credential types, try to use already cached token. | |||
| credentials.append(SharedTokenCacheCredential(authority=self.authority)) | |||
There was a problem hiding this comment.
On Linux, when passing self.tenant_id to the SharedTokenCacheCredential, it fails due to a mismatch of this tenant_id with tenant_id from the cache. Still haven't figured it out why. It seems that it is able to work without it, but I am nearly sure that may cause additional problems too.
There was a problem hiding this comment.
even if the tenant_id is not passed, we automatically fetch it anyway by calling self._discover_tenant_id_()
There was a problem hiding this comment.
But that's for the constructor of the _DefaultAzureCredential, right? I meant passing the tenant_id to the SharedTokenCacheCredential itself. Is there a chance that the SharedTokenCacheCredential will pick a wrong data without specifying the tenant_id
There was a problem hiding this comment.
Also, since the InteractiveBrowserCredential already has support for caching, I'm confused why we need to add the SharedTokenCacheCredential in the list of credentials.
There was a problem hiding this comment.
Ok, I think I get it.
If we enable the caching in the InteractiveBrowserCredential it will fail even if the browser authentication would succeed but accessing the cache fails.
There was a problem hiding this comment.
Please see my latest commit.
Using our own cache will mitigate issues with tokens cached by other apps.
As Kirill mentioned, if there was a change of authority oder tenant_id, the SharedTokenCacheCredential will be skipped and the user can authenticate with the InteractiveBrowserCredential (which will store a new token for these new parameters).
The |
| # by the InteractiveBrowserCredential. | ||
| if cache_options: | ||
| credentials.append(SharedTokenCacheCredential( | ||
| authority=self.authority, |
There was a problem hiding this comment.
I think we might also need to pass tenant_id=self.tenant_id to here. It will allow the filtering part to pick-up accounts only the discovered tenant
There was a problem hiding this comment.
As I mentioned in this comment #603 (comment), on Linux I have a mismatch of a current tenant id and id from the cache, which leads to exception in the SharedTokenCacheCredential. Still trying to find the cause, still not sure if that's only on my machine or not.
|
@ArthurKamalov, @kikomiss: I'll hand this back to you now. I think the next steps would be to add test cases for the See how we instantiate the These new test cases:
|
| _LOGGER.error( | ||
| 'Using Azure.Identity Token Cache at %s. ', | ||
| cache._persistence.get_location() | ||
| ) |
There was a problem hiding this comment.
Sorry if I am missing something here, but should this be an error log level?
and what do we really guard here in that try/catch clause? cache._persistence.get_location() ?
There was a problem hiding this comment.
Good catch. I was using error log level for local testing. I updated it to info.
I guarded the cache._persistence.get_location() because:
- We are calling it just for tracing / info logging purposes
_persistenceis a private attribute that can change in the futureget_location()could raise an expected exception in a particular situation that we are not aware of- The cache implementation is different for each OS and would be hard for us to guarantee it always work
- Finally, I thought it's not worth the risk of this info logging to break our auth :-)
But feel free to modify the code as you see better.
Like we could try to get the location, but even if fails, it we could log the rest of the info ("Using Azure.Identity Token Cache.").
There was a problem hiding this comment.
I made a small improvement based on my own comment, but feel free to adjust it.
There was a problem hiding this comment.
Yeah, that makes a lot of sense now, thanks :)
| _LOGGER.info("Using Azure.Identity Token Cache.") | ||
| return cache_options | ||
| except Exception as ex: # pylint: disable=broad-except | ||
| if (isinstance(ex, ValueError) |
There was a problem hiding this comment.
@kikomiss, hopefully this can provide additional guidance for users facing issues with libsecret, but it's a best effort try, and I like your idea of having some documentation in Microsoft Learn docs.
There was a problem hiding this comment.
If we want to check if libsecret is working (instead of checking a ValueError message that can change in the future) we could call msal_extensions.trial_run() if sys.platform.startswith("linux").
There was a problem hiding this comment.
Again, I implemented my own comment :-)
The original problem: the
InteractiveBrowserCredentialrequired login by browser on each new run.Observations:
It seems that the
InteractiveBrowserCredentialis able to save its token to persistent cache storage, but it is not able to use that cache later. ( It actually has its own method _acquire_token_silent, but, as far as I can see, it does not check for token in cache, but already expects an instance of the AuthenticationRecord class, which, I assume, we have to handle and store manually)That's why I also made an assumtion that we should use
SharedTokenCacheCredentialfor that. I know that theSharedTokenCacheCredentialwas previously removed by @vxfield and there might be a valid reason for that, but I haven't found any better workaround, so I would glad to hear whether we can use it or not.