Support credential instance reuse in WithAzureCredential DI path #56245

Merged
m-nash merged 3 commits into main from credential-reuse-56231
Feb 13, 2026

@m-nash commented Feb 13, 2026

Fixes #56231

What

When multiple Azure clients are registered via DI with identical credential configuration, they now share the same `ConfigurableCredential` instance. This enables MSAL token cache reuse across clients, improving resilience per Azure Identity best practices.

How

  • Added `ConfigurableCredentialCache` (internal) that caches `ConfigurableCredential` instances keyed by a SHA256 hash of the credential config section's flattened key-value pairs
  • Updated `WithAzureCredential(IClientBuilder)` to use the cache via a `ConditionalWeakTable<IServiceCollection, ConfigurableCredentialCache>` scoped per host builder
  • Cache keys are content-based: two different config section paths with identical values produce the same key and share the credential
  • Separate host builders get separate caches (no cross-host leakage)
  • SHA256 hashing avoids leaking secrets in cache keys
  • `#if NETSTANDARD2_0` conditional for optimal hashing APIs on modern TFs

Scope

Only the `WithAzureCredential(IClientBuilder)` overload (DI path) is changed. The direct `ClientSettings` overload is unchanged.

Tests

  • 10 unit tests for cache key generation (arrays, nested values, ordering, empty sections)
  • 16 integration tests exercising the full DI pipeline (same/different config, keyed/non-keyed clients, mixed registration, separate hosts, array configs)
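
A sketch of the content-based key derivation described under "How", added here as an example and not taken from the PR or the Azure SDK. `CredentialKeyDemo`, `ComputeKey`, the length-prefixed encoding, the key-case normalization and the sample key names are all assumptions made for illustration.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for illustration; not the SDK's ConfigurableCredentialCache.
static class CredentialKeyDemo
{
    // Input: the credential section flattened to section-relative key/value pairs.
    public static string ComputeKey(IEnumerable<KeyValuePair<string, string?>> flattened)
    {
        using var buffer = new MemoryStream();
        var pairs = flattened
            .Where(p => p.Value is not null)
            // Configuration keys are case-insensitive, so normalize before sorting.
            .Select(p => (Key: p.Key.ToUpperInvariant(), Value: p.Value!))
            // Ordinal sort: enumeration order must not change the key.
            .OrderBy(p => p.Key, StringComparer.Ordinal);
        foreach (var (key, value) in pairs)
        {
            WriteField(buffer, key);
            WriteField(buffer, value);
        }
        using var sha = SHA256.Create();
        // Only the digest becomes the cache key (Convert.ToHexString needs .NET 5+).
        return Convert.ToHexString(sha.ComputeHash(buffer.ToArray()));
    }

    // Length-prefix every field so ("ab","c") and ("a","bc") cannot collide.
    private static void WriteField(Stream s, string text)
    {
        byte[] bytes = Encoding.UTF8.GetBytes(text);
        s.Write(BitConverter.GetBytes(bytes.Length), 0, sizeof(int));
        s.Write(bytes, 0, bytes.Length);
    }

    public static void Main()
    {
        // Constructed sample values; key names are illustrative, not the SDK's schema.
        var a = new Dictionary<string, string?> {
            ["TenantId"] = "tenant-a", ["ClientId"] = "app-1", ["Scopes:0"] = "s0" };
        var b = new Dictionary<string, string?> {
            ["scopes:0"] = "s0", ["clientid"] = "app-1", ["tenantid"] = "tenant-a" };
        var c = new Dictionary<string, string?>(a) { ["TenantId"] = "tenant-b" };
        Console.WriteLine(ComputeKey(a) == ComputeKey(b)); // same content, reordered
        Console.WriteLine(ComputeKey(a) == ComputeKey(c)); // tenant differs
    }
}
```

Because the key depends only on relative keys and values, two sections at different configuration paths map to one cache entry, while any differing value, including a tenant or client identifier, yields a separate credential.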

Copilot AI left a comment

Pull request overview

This PR implements credential instance reuse for Azure SDK clients registered via dependency injection with identical credential configurations. By enabling MSAL token cache sharing across clients, it improves application resilience and follows Azure Identity best practices.

Changes:

  • Introduced ConfigurableCredentialCache to cache ConfigurableCredential instances using SHA256-hashed, content-based keys
  • Modified WithAzureCredential(IClientBuilder) to leverage per-host caching via ConditionalWeakTable
  • Added comprehensive test coverage (26 tests) validating cache behavior across various scenarios

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| `sdk/identity/Azure.Identity/src/ConfigurableCredentialCache.cs` | New internal cache class with SHA256-based key generation from configuration sections |
| `sdk/identity/Azure.Identity/src/ConfigurationExtensions.cs` | Added ConditionalWeakTable-based cache lookup in WithAzureCredential DI overload |
| `sdk/identity/Azure.Identity/tests/ConfigurableCredentials/ConfigurableCredentialCacheTests.cs` | Unit tests for cache key generation logic (10 tests) |
| `sdk/identity/Azure.Identity/tests/ConfigurableCredentials/WithAzureCredentialTests.cs` | Integration tests for full DI pipeline credential reuse (16 tests) |
| `sdk/identity/Azure.Identity/tests/Azure.Identity.Tests.csproj` | Added Microsoft.Extensions.Hosting package reference for tests |

@github-project-automation bot moved this from Untriaged to In Progress in Azure Identity SDK Improvements Feb 13, 2026
@m-nash enabled auto-merge (squash) February 13, 2026 20:33
@m-nash merged commit 714fd53 into main Feb 13, 2026
22 checks passed
@m-nash deleted the credential-reuse-56231 branch February 13, 2026 20:41
@github-project-automation bot moved this from In Progress to Done in Azure Identity SDK Improvements Feb 13, 2026
Successfully merging this pull request may close these issues.

Support credential instance reuse in client configuration