[BUG] DefaultAzureCredential takes a long time to authenticate

[avanigupta]

Library name and version

Azure.Identity 1.5.0

Describe the bug

Using DefaultAzureCredential for authentication takes a very long time in package version 1.5.0.
The following code snippet takes ~3.5 seconds to run with Azure.Identity v1.4.0, and ~12.5 seconds with Azure.Identity v1.5.0.

var cred = new DefaultAzureCredential();
var result = cred.GetTokenAsync(new TokenRequestContext(new string[] { "<ValidScope>" })).Result;

Expected behavior

DefaultAzureCredential should not take >12 seconds to load credentials.

Actual behavior

DefaultAzureCredential takes >12 seconds to load credentials.

Reproduction Steps

Create an ASP .NET Core app with Azure.Identity v1.5.0 dependency. Add the code snippet above and measure the time taken for GetTokenAsync to complete.
I had VisualStudioCredentials configured for authentication. Directly using VisualStudioCredentials for auth has no delay.

Environment

Tried running on .net3.1, .net5 and .net6 - same behavior.
Running in Visual Studio 2019.

dotnet --info:
.NET SDK (reflecting any global.json):
Version: 6.0.101
Commit: ef49f6213a

Runtime Environment:
OS Name: Windows
OS Version: 10.0.19044
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\6.0.101\

Host (useful for support):
Version: 6.0.1
Commit: 3a25a7f1cc

.NET SDKs installed:
3.0.103 [C:\Program Files\dotnet\sdk]
3.1.416 [C:\Program Files\dotnet\sdk]
5.0.210 [C:\Program Files\dotnet\sdk]
5.0.403 [C:\Program Files\dotnet\sdk]
5.0.404 [C:\Program Files\dotnet\sdk]
6.0.101 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
Microsoft.AspNetCore.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.22 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.12 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.1 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.22 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.12 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.1 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 3.1.22 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 5.0.12 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 5.0.13 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 6.0.1 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

[jsquire]

Thank you for your feedback. Tagging and routing to the team members best able to assist.

[christothes]

This sounds like a duplicate of #24767

[avanigupta]

Looks like the delay comes from ManagedIdentityCredential, as discussed in the other issue you linked. But this is still a significant delay compared to 1.4.0. Is there any plan to refactor DefaultAzureCredential to reduce the extra time taken by ManagedIdentityCredential?

[christothes]

Looks like the delay comes from ManagedIdentityCredential, as discussed in the other issue you linked. But this is still a significant delay compared to 1.4.0. Is there any plan to refactor DefaultAzureCredential to reduce the extra time taken by ManagedIdentityCredential?

Yes - we have been discussing solutions to this problem and may have a preview of the change soon. cc @schaabs

[heldersousa-planetpayment]

@christothes is there an update for this issue? Version 1.6.1 still has this problem.

[gregoryagu]

I have this same issue using Azure.Identity 1.7.0 Average time to get Token 10 seconds. This makes the site startup time painfully slow. The only workaround I know of is to get the token during app startup, otherwise, the token is getting on the first database access. Having a user wait 10 seconds to get a database response is just too much. After the token is gotten, then the speed is as expected.

[heldersousa-planetpayment]

@gregoryagu there are multiple credential providers within the DefaultAzureCredential. If you don't need to support some of those, you can disable them as a workaround. Following is an example to disable ManagedIdentityCredential. You could disable other providers if you don't need them and it should improve the first connection to the database.

var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
    ExcludeManagedIdentityCredential = true
});

[aliusman]

@gregoryagu there are multiple credential providers within the DefaultAzureCredential. If you don't need to support some of those, you can disable them as a workaround. Following is an example to disable ManagedIdentityCredential. You could disable other providers if you don't need them and it should improve the first connection to the database.

var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
    ExcludeManagedIdentityCredential = true
});

For me it brings down a standard request from >5 secs down to 4.54 secs BUT compared to SQL authentication which is <1 second, still more than 4x - Will there ever be a solution for this? or any workarounds

[heldersousa-planetpayment]

@aliusman I believe investigation/changes to fix this issue are being tracked here: #29471
In the meantime, in this comment #29471 (comment) you can see there are multiple Credentials causing the delay, with different impacts. You may have to exclude multiple IdentityCredential for now.

[aliusman]

@aliusman I believe investigation/changes to fix this issue are being tracked here: #29471 In the meantime, in this comment #29471 (comment) you can see there are multiple Credentials causing the delay, with different impacts. You may have to exclude multiple IdentityCredential for now.

That is very interesting, thanks for sharing, I will have a look

[kempcalalo]

I have exclude everything I don't need and it still takes a long time. Any alternative solution?

            var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
            {
                ExcludeAzureCliCredential = true,
                ExcludeAzurePowerShellCredential= true,
                ExcludeEnvironmentCredential= true,
                ExcludeInteractiveBrowserCredential= true,
                ExcludeSharedTokenCacheCredential= true,
                ExcludeVisualStudioCodeCredential= true,
            });

[heldersousa-planetpayment]

@kempcalalo maybe you can try to use the code in the comment #29471 (comment) to see what is taking so long in your specific case.

[kempcalalo]

@kempcalalo maybe you can try to use the code in the comment #29471 (comment) to see what is taking so long in your specific case.

Hello @heldersousa-planetpayment

See the results of the test below.

DefaultAzureCredential.GetToken                      8134,79 ms
ManagedIdentityCredential.GetToken                   6472,61 ms
VisualStudioCredential.GetToken                      1661,49 ms

This seems to be a bit slow right? And what is really needed for us is the ManagedIdentityCredential

Running this diagnostics in Visual Studio 2022 v17.4.4

[christothes]

@kempcalalo maybe you can try to use the code in the comment #29471 (comment) to see what is taking so long in your specific case.

Hello @heldersousa-planetpayment

See the results of the test below.

DefaultAzureCredential.GetToken                      8134,79 ms
ManagedIdentityCredential.GetToken                   6472,61 ms
VisualStudioCredential.GetToken                      1661,49 ms

This seems to be a bit slow right? And what is really needed for us is the ManagedIdentityCredential

Running this diagnostics in Visual Studio 2022 v17.4.4

I would recommend excluding ManagedIdentityCredential in the options. This one is usually the critical path due to how it must discover whether or not the MI endpoint is available reliably before moving on to other credential types.

var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
    ExcludeManagedIdentityCredential = true
});

[kempcalalo]

@kempcalalo maybe you can try to use the code in the comment #29471 (comment) to see what is taking so long in your specific case.

Hello @heldersousa-planetpayment
See the results of the test below.

DefaultAzureCredential.GetToken                      8134,79 ms
ManagedIdentityCredential.GetToken                   6472,61 ms
VisualStudioCredential.GetToken                      1661,49 ms

This seems to be a bit slow right? And what is really needed for us is the ManagedIdentityCredential
Running this diagnostics in Visual Studio 2022 v17.4.4

I would recommend excluding ManagedIdentityCredential in the options. This one is usually the critical path due to how it must discover whether or not the MI endpoint is available reliably before moving on to other credential types.

var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
    ExcludeManagedIdentityCredential = true
});

@christothes But if I do this, then the code will not work with MI credential? This is exactly the only credential option we are using. Our app is deployed in Azure App Services which connects to Azure SQL via MI.

Is this slow performance the same if I deploy to App Service? Right now I'm only testing on my local machine but have not tried to deploy it yet to an App Service in Azure.

[heldersousa-planetpayment]

@kempcalalo MI should not be an issue while running in App Service. I'm deploying my services in Azure Kubernetes Services (ASK), and the MI authentication is quick (much faster than local dev).
For me, the slow execution times are mostly on local development. You need different configurations to enable/disable certain credentials depending on whether you are running locally or on "prod" like environments.

[christothes]

Is this slow performance the same if I deploy to App Service? Right now I'm only testing on my local machine but have not tried to deploy it yet to an App Service in Azure.

No - this is only a problem when running outside of Azure in an environment where the MI endpoint is not available.

The reason for the delay in local testing is that the ManagedIdentityCredential must attempt to connect to the well known MI endpoint to discover if it is available. The delay is because of the network timeouts and retries that can occur during this discovery. When the endpoint is available, it should connect very quickly.

[ghost]

Hi, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!