[Azure-Identity] VisualStudioCredential has "slow" subsequent GetTokenAsync calls #21958
Comments
ghost
added
needs-triage
jsquire
added
Azure.Identity
Client
ghost
removed
the
needs-triage
|
Thank you for your feedback. Tagging and routing to the team members best able to assist. |
Hi @vicinting - It's possible the delay you are seeing is from something other than token caching. In my local testing using Fiddler, I noticed that it sends some traffic related to telemetry. This credential is meant for development use, so performance is not one of its goals. |
christothes
added
the
needs-author-feedback
ghost
removed
the
needs-team-attention
|
Thank you @christothes. I'll look into monitoring the network traffic as well but just provided this as feedback in case it was an issue. The delay is not really a big issue but it could lead to misleading metrics to someone trying to work on performance. I'll just note it as a comment in our project, closing this issue for now. |
Performance should always be a goal, even at development time. I'm seeing a full second added to every dependency call, which would otherwise take single-digit milliseconds to complete. This is slowing down dev-test cycles unacceptably. It makes it impossible to determine the performance of code while in Visual Studio. This generally makes Azure.Identity an absolute no-go for our purposes. |
Could you clarify which dependency calls are adding the time? If this is related to fetching credentials from AAD, this should only occur on the first call to the service if the tokens are being cached. If you are seeing additional dependency calls, I'm curious to know what they are.
Azure.Identity does not need to use VisualStudioCredential even if the code is being tested inside Visual Studio. If your goal is performance measurement, it should be possible to eliminate this from your scenario. |
This is the specific scenario that we need to "just work", so alternatives aren't helpful. In the meantime I did more research and discovered that Azure.Identity has essentially no caching at all. Downstream consumers may opt to do caching, but this is inconsistent and unreliable. If I can make a recommendation: avoid the use of the words "you" or "your" when thinking about or communicating with the users of these SDKs. This is an enormous ecosystem of related libraries, and "I" don't get to control how they interact with each other. Even Microsoft is not in full control of this -- there are SDKs written by third parties that use Azure.Identity internally, and I may not have any choice in how those SDKs are used. The performance issues with Azure.Identity appear to be fundamental and cannot be consistently resolved by individual end-users. The only thing that can be done is for Microsoft to ensure that all scenarios are fast, and that downstream users fall into the pit of success instead of the pit of failure. Right now, there are people complaining about 429 errors in all sorts of related libraries because Microsoft hasn't done this consistently or correctly enough. They're falling in to the pit of failure, because that's the default path. |
Although the documentation indicates that caching is the callers responsibility, this is not entirely true. Some credentials do cache because of the underlying implementation provided by MSAL. We also allow for some configuration of token cache for scenarios where sharing cache across credential instances is needed. See this sample for more information.
I apologize if you have encountered any performance issues with Azure.Identity. If there is a specific scenario we can assist with, please feel free to create an issue with the details and we will do our best to assist. |
|
Thanks for the sample link, @christothes. Unfortunately it looks like you can't pass My use case is that I'm running local xunit integration tests that test code use Entity Framework to perform some operations on an Azure SQL database. The tests make about 5 database calls each on < 10 rows of data, pretty simple. However, each test takes about 20s to run inside Visual Studio. In the DbContext I'm using the token based authentication as laid out in Mikaël's blog here: https://devblogs.microsoft.com/azure-sdk/azure-identity-with-sql-graph-ef/ Note that whilst it stores the The difference in my case is I'm using When I profiled the tests I could see that most of the time was spent by the I have a few different accounts logged into Visual Studio for different tenants. I noticed that "Specifies the tenant id of the preferred authentication account, to be retrieved from the shared token cache for single sign on authentication with development tools, in the case multiple accounts are found in the shared token. However, specifying the required tenant id in this field did not alter the performance as far as I could see. I'm nervous about caching the tokens as there's no information about their expiry and caching beyond their expiry would lead to an annoying class of bugs. But is that the way to go? I appreciate any help here. |
|
Hi @Jawvig - VisualStudioCredential does not participate in the cache options since we are just calling out to visual studio's token provider ( |
Description
I'm comparing between VisualStudioCredential and InteractiveBrowserCredential token credentials for local development and from my understanding, the first get token call should be the slowest as subsequent calls should used the cached token.
Expected behavior
Subsequent GetTokenAsync calls should be faster as a cached token is used
Actual behavior
While using VisualStudioCredential, subsequent calls are equivalent/comparable to the first call, around 800ms for me. See screenshots below for comparison between both credentials mentioned above.
InteractiveBrowserCredential
VisualStudioCredential
Environment
The text was updated successfully, but these errors were encountered: