Is your feature request related to a problem? Please describe.
Access Tokens are persisted by the AppAuthResultCache until near expiry.
The access tokens can contain information on the active directory group membership of the user/service principal.
If access to a resource is granted to a security group, and the user/SP is added to this group after a token has been cached for them, there is no way to refresh the access token until it nears expiry.
This is specifically a problem when e.g. doing an ARM based deployment using the following steps:
If, between steps 1 and 2, the app service attempts to access the resource, a token is cached which doesn't contain the group membership added in step 2. You are then stuck either waiting hours for the token to expire or restarting the app service to clear the in-memory cache.
Describe the solution you'd like
An available method on AzureServiceTokenProvider to clear the Token Cache.
Describe alternatives you've considered
Restarting the app service is an option, but it could be quite disruptive to users if endpoints are already being hit, and it shouldn't be required to achieve this.
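Added example, not part of this issue or of the AppAuthentication library: a claims check a caller could run against its own cached token to decide whether to evict it before natural expiry, for the failure mode described above (a token issued before the group was granted). The token, group ids and audience are constructed, and the token is unsigned, so this inspects claims only and does not validate the token.

```python
import base64
import json
import time

# Constructed sample payload of an access token cached *before* the caller was
# added to the group that grants access. All ids are invented; no signature.
SAMPLE_PAYLOAD = {
    "aud": "https://example-resource.invalid",  # constructed audience
    "exp": 1_700_000_000,                        # fixed expiry for reproducibility
    "oid": "00000000-0000-0000-0000-000000000001",
    "groups": ["11111111-1111-1111-1111-111111111111"],  # membership at issue time
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build 'header.payload.' with an empty signature (constructed test data)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def decode_claims(token: str) -> dict:
    """Decode the JWT payload without verification; only for inspecting our own cached token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_is_stale(token: str, required_group: str, now=None, skew_seconds=300) -> bool:
    """True if the cached token should be discarded and re-acquired.

    Stale when it is within `skew_seconds` of expiry, when it carries no
    'groups' claim (membership cannot be confirmed from the token), or when the
    group the resource now requires is absent, i.e. the token predates the grant.
    """
    claims = decode_claims(token)
    now = time.time() if now is None else now
    if claims.get("exp", 0) - now < skew_seconds:
        return True
    groups = claims.get("groups")
    if groups is None:
        return True
    return required_group not in groups
```

A caller that finds `token_is_stale(...)` true would drop the cached entry and request a fresh token instead of waiting for expiry.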
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @rthorn17
A dirty hack for now:
using System;
using System.Reflection;
using Microsoft.Azure.Services.AppAuthentication;

// Reflects into the library's internal, non-public cache type; this depends on
// private names and can break on any library update.
try
{
    var type = typeof(AzureServiceTokenProvider).Assembly
        .GetType("Microsoft.Azure.Services.AppAuthentication.AppAuthResultCache");
    var method = type?.GetMethod("Clear", BindingFlags.NonPublic | BindingFlags.Static);
    method?.Invoke(null, new object[] { });
}
catch (Exception ex)
{
    // Silently swallowing would hide a failed clear; log it so the stale-token case is visible.
    Console.Error.WriteLine($"Failed to clear AppAuthResultCache: {ex}");
}