Skip to content

Cache federated identity MSAL clients#458

Merged
heyitsaamir merged 1 commit into
mainfrom
cache-fic-msal-client
Jun 10, 2026
Merged

Cache federated identity MSAL clients#458
heyitsaamir merged 1 commit into
mainfrom
cache-fic-msal-client

Conversation

@heyitsaamir

@heyitsaamir heyitsaamir commented Jun 10, 2026

Copy link
Copy Markdown
Collaborator

Cache MSAL clients for federated identity token flow.

Why:
Recreating the MSAL confidential client every token request means we miss MSAL's internal token cache. Reusing the client lets it do its job and avoids extra token exchanges.

Interesting bits:
FIC now passes MSAL a lazy client assertion callback, so the managed identity exchange token is only fetched when MSAL actually needs to hit the wire. Also updated the local MSAL stub because 1.34 supports callables even though our stub only allowed strings.

Reviewer tips:
Start in packages/apps/src/microsoft_teams/apps/token_manager.py. The important bit is the new FIC client cache and callback assertion.

Testing:

  • uv run pytest packages/apps/tests/test_token_manager.py
  • uv run pyright packages/apps/src/microsoft_teams/apps/token_manager.py
  • Manual VM test of the FIC token flow

Copilot AI review requested due to automatic review settings June 10, 2026 05:39

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Caches MSAL ConfidentialClientApplication instances for the Federated Identity Credentials (FIC) token flow so MSAL’s internal token cache can be reused across token requests, and updates typing/test coverage to reflect the new lazy client_assertion behavior.

Changes:

  • Added a per-tenant cache for MSAL clients used by the FIC flow and refactored FIC token acquisition to reuse cached clients.
  • Switched FIC to pass MSAL a lazy client_assertion callable that synchronously acquires the managed identity exchange token only when MSAL needs it.
  • Updated local MSAL type stubs and tests to support/validate callable client_assertion values.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
packages/apps/src/microsoft_teams/apps/token_manager.py Introduces a federated-identity MSAL client cache and lazy client_assertion callback wiring for FIC token acquisition.
packages/apps/tests/test_token_manager.py Updates FIC tests to validate callable client_assertion behavior and adds coverage for the new federated client cache.
stubs/msal/__init__.pyi Expands client_credential typing to allow callables (e.g., lazy client_assertion) in dict-based credentials.

@heyitsaamir heyitsaamir merged commit e0f78c9 into main Jun 10, 2026
9 checks passed
@heyitsaamir heyitsaamir deleted the cache-fic-msal-client branch June 10, 2026 19:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants