Skip to content

AzureCliCredential: add support for expires_on field.#5180

Merged
antkmsft merged 13 commits intoAzure:mainfrom
antkmsft:azcli-expireson-unixtime
Dec 15, 2023
Merged

AzureCliCredential: add support for expires_on field.#5180
antkmsft merged 13 commits intoAzure:mainfrom
antkmsft:azcli-expireson-unixtime

Conversation

@antkmsft
Copy link
Member

@antkmsft antkmsft commented Nov 23, 2023
edited
Loading

Closes #5116.

It works the following way - if expires_on (the new one) property is present, it gets parsed before ExpiresOn (the old one) property.

This PR is not a replacement for #5179, which mitigates the issue if the user has older version of Azure CLI installed. We can't expect users to always have the latest installed. The one without time zone info has been there first, for many years, and only now they are adding the expires_on property.

#5179 is good enough, but not ideal - once a year, one day in fall, when it is close to moving from DST, the token will be off for one hour, and then everything should work, but an extra token request will be sent when the auth policy will supply a token which was obtained when the DST was on, but the service will reject it, and then the policy will tell the credential to get a new token, and everything will work once again.
And one day in spring, when the clock moves to DST, the tokens obtained will have 1 hour shorter expiration than what they actually are, and some extra requests to refresh tokens will be made.

--
UWP CI is currently blocked until microsoft/vcpkg#35279 is fixed / microsoft/vcpkg#35116 is merged (#5181 would unblock)

@antkmsft antkmsft mentioned this pull request Nov 23, 2023
Merged
@antkmsft antkmsft marked this pull request as ready for review November 23, 2023 17:44
@antkmsft antkmsft self-assigned this Nov 27, 2023
@ahsonkhan
Copy link
Contributor

ahsonkhan commented Nov 28, 2023

Let's wait on this until we have a conclusion on Az Cli version support.

ahsonkhan
ahsonkhan reviewed Nov 29, 2023
View reviewed changes
@antkmsft
Copy link
Member Author

antkmsft commented Nov 29, 2023

Let's wait on this until we have a conclusion on Az Cli version support.

Sure.
When will we know?
BTW, if the decision is to require the newer azure CLI version, I would want to talk to them, because there is no reason to drop the support entirely - we perfectly can parse timestamps in the old format - especially with #5179 we could do that, and it would be excessive in getting tokens twice a year in the locales that move to DST and back.

ahsonkhan
ahsonkhan reviewed Nov 29, 2023
View reviewed changes
@ahsonkhan
Copy link
Contributor

ahsonkhan commented Nov 30, 2023
edited
Loading

When will we know?
BTW, if the decision is to require the newer azure CLI version, I would want to talk to them, because there is no reason to drop the support entirely - we perfectly can parse timestamps in the old format - especially with #5179 we could do that, and it would be excessive in getting tokens twice a year in the locales that move to DST and back.

I discussed this today and shared the conclusion on the issue:
#5116 (comment)

The other languages don't have the DST concern, let's discuss that separately. It does seem like that's an OK trade-off given where C++ language support is, and given AzureCliCredential is a dev time credential anyway.

@antkmsft antkmsft requested a review from ahsonkhan November 30, 2023 20:52
ahsonkhan
ahsonkhan reviewed Dec 14, 2023
View reviewed changes
ahsonkhan
ahsonkhan reviewed Dec 14, 2023
View reviewed changes
ahsonkhan
ahsonkhan approved these changes Dec 14, 2023
View reviewed changes
Copy link
Contributor

@ahsonkhan ahsonkhan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Otherwise, LGTM.

@antkmsft antkmsft enabled auto-merge (squash) December 15, 2023 00:28
@antkmsft antkmsft merged commit eba15a9 into Azure:main Dec 15, 2023
@antkmsft antkmsft deleted the azcli-expireson-unixtime branch December 15, 2023 01:13
This was referenced Jan 8, 2024
Closed
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@schaabs schaabs Awaiting requested review from schaabs

@RickWinter RickWinter Awaiting requested review from RickWinter RickWinter is a code owner

@vhvb1989 vhvb1989 Awaiting requested review from vhvb1989

@gearama gearama Awaiting requested review from gearama

@LarryOsterman LarryOsterman Awaiting requested review from LarryOsterman LarryOsterman is a code owner

@christothes christothes Awaiting requested review from christothes christothes is a code owner automatically assigned from Azure/azure-sdk-write-identity

@pvaneck pvaneck Awaiting requested review from pvaneck pvaneck is a code owner automatically assigned from Azure/azure-sdk-write-identity

@billwert billwert Awaiting requested review from billwert billwert is a code owner automatically assigned from Azure/azure-sdk-write-identity

@chlowell chlowell Awaiting requested review from chlowell chlowell is a code owner automatically assigned from Azure/azure-sdk-write-identity

@mpodwysocki mpodwysocki Awaiting requested review from mpodwysocki mpodwysocki is a code owner automatically assigned from Azure/azure-sdk-write-identity

1 more reviewer

@ahsonkhan ahsonkhan ahsonkhan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@antkmsft antkmsft

Labels

Azure.Identity

Projects

Azure Identity SDK Improvements
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Identity] Evaluate expires_on field in AzureCliCredential

2 participants

@antkmsft @ahsonkhan