New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Documentation] Use of ConfidentialClientApplication and TokenStore #1342
Comments
Great questions.
Creation pattern in web app sample. Testing caveat: You may think that using DI is also gonna make things more testable. Sadly, it's difficult (impossible) to mock the builder pattern, so I would actually suggest to wrap the creation and invocation in a class of your own.
The issues with the in-memory cache are:
Scale - a distributed cache scales better. A rough example of how much space is needed - around 50kb for some 3 users in an OBO like scenario.
|
Hi, Regarding availability: as you said OBO flow is silent, and getting the original token require re-login. However, is it correct to say that, from the standpoint of the Web API you will most likely never perform re-login? You usually have a SAP app in front the Web API that will perform the login and store the original token in local storage; and use OBO to call the Web API, which then will again use OBO flow to call other Web API (internal or external). So thus using an in-memory cache could be sufficient for a smaller applications. Regarding |
@techgeek03 : you are right that the Web API would not perform re-login, but it would send back to its caller (the SAP front end app in your case) information so that the user relogs-in in case the refresh token has expired, or the user needs to consent to more scopes; Regarding your comment on the fact that we'd want to get rid of |
@techgeek03 - I updated the guidance on the creation pattern above (point 1). |
@jmprieur -- I understand the abstraction hiding of IHttpContextAccessor that is being discussed here. When you're back from vacation, let's discuss. |
@MarkZuber : ready to discuss |
Hi,
is the following implementation for getting the token safe to register as a singleton in .net core?
|
@AquilaSands - yes, for Client Credentials flow a singleton should work fine. You are requesting tokens for an application, not for a user. There will only be 1 access token in the in-memory cache (for the app), irrespective of how many users and sessions there are Note that you're not providing a token cache implementation, which means that MSAL will cache tokens in memory (in this case the one access token). When you restart the app / service, MSAL will have to contact AAD for a new access token, so there will be a small delay. But in any case, MSAL will have to go to AAD every ~1h or so to fetch a new AT as they expire in 1h. So the perf profile of your service varies a bit (~1s) when MSAL cannot serve ATs from its cache. Let me know if this is a concern and I can suggest solutions. |
@bgavrilMS excellent, thanks for the quick reply. I think the perf will be fine if it does turn out to be an issue I can always add something to warm up the token cache and refresh the value periodically and/or stick it in Redis. |
Hi! I found this issue while searching and see it's open since 2019. Should it be finished or closed? |
Hi yes, it is finished. https://github.com/AzureAD/microsoft-identity-web has GA-ed and it offers all the best practices for this scenario. |
Documentation Related To Component:
ConfidentialClientApplication and TokenStore
Please check those that apply
Description Of The Issue
I have a question regarding the use of the
ConfidentialClientApplication
and token caching that is not very clear in the documentation.In my application, I'm using the on behalf of flow to call downstream API from my ASP.NET Core Web API and I would like to leverage token caching for users.
ConfidentialClientApplication
be instantiated. WhenConfidentialClientApplication
is registered as a singleton in the DI service provider the default token store can be used as expected and subsequent calls from the same user will result in only one call to Azure AD (when using theAcquireTokenSilent
on theConfidentialClientApplication
). However registering it as a scoped service the cache is only available per request. My question is: Is it safe to registerConfidentialClientApplication
as singleton? Can you please update and elaborate on this in the https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Client-Applications with this information?Microsoft.Identity.Client.Extensions.Web
as NuGet package (https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet), the code base has examples on how to implement token store per user, but the implementation is not following some of the best practices from the ASP.Net Core team (the code base leaks lot of framework dependencies like theIHttpContextAccessor
,HttpContext
and forces use ofISession
). There is a lot of repeating code when using the MSAL library and it is good that such library be created, but it does not look that is production ready.Looking forward on your feedback! Thank you! :)
The text was updated successfully, but these errors were encountered: