Add CacheCustomProviders property to CryptoProviderFactory #3489
Merged
When enabled, SignatureProvider instances returned by ICryptoProvider.Create() are routed through the library's existing CryptoProviderCache. This avoids repeated provider creation and key materialisation on every signature validation when using a custom crypto provider. The property defaults to false to preserve existing behaviour. When true, the cache is checked after Create() returns (using the provider's actual type as the cache key), and the provider is added to the cache if not already present. On subsequent calls, the cached provider is returned directly. Also copies the new property in the CryptoProviderFactory copy constructor. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Could we add some tests? And also some tests for the race conditions?
MZOLN
reviewed
May 15, 2026
…m-providers # Conflicts: # src/Microsoft.IdentityModel.Tokens/PublicAPI/net10.0/PublicAPI.Unshipped.txt # src/Microsoft.IdentityModel.Tokens/PublicAPI/net462/PublicAPI.Unshipped.txt # src/Microsoft.IdentityModel.Tokens/PublicAPI/net472/PublicAPI.Unshipped.txt # src/Microsoft.IdentityModel.Tokens/PublicAPI/net6.0/PublicAPI.Unshipped.txt # src/Microsoft.IdentityModel.Tokens/PublicAPI/net8.0/PublicAPI.Unshipped.txt # src/Microsoft.IdentityModel.Tokens/PublicAPI/net9.0/PublicAPI.Unshipped.txt # src/Microsoft.IdentityModel.Tokens/PublicAPI/netstandard2.0/PublicAPI.Unshipped.txt
Merge origin/dev8x into cache-custom-providers branch. Resolve PublicAPI conflicts by keeping both sides and deduplicating. Add InternalAPI entries for new dev8x telemetry symbols.
Add three tests for CacheCustomProviders:
- WhenEnabled: verifies cached provider is reused (currently failing due to EventBasedLRUCache async TryAdd timing)
- WhenDisabled: verifies Create called each time
- WhenCacheSignatureProvidersDisabled: verifies master switch overrides
Restructure caching to check cache before Create using a remembered provider type from previous calls, avoiding wasteful creation on cache hits.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The EventBasedLRUCache processes TryAdd asynchronously. The test now retries TryGetSignatureProvider with a polling pattern to account for the async event queue. Still investigating why the cache lookup never finds the provider even after waiting. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ForVerifying The SymmetricSignatureProvider(key, algorithm) constructor defaults to willCreateSignatures=true, which adds the provider to the signing cache. But CreateForVerifying looks in the verifying cache. Passing false aligns the provider with the verifying cache. Also removed debug assertions (no longer needed) and the async sleep workaround. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Verifies that 20 concurrent threads calling CreateForVerifying all receive the same cached SignatureProvider instance, and that Create is not called after the cache is warm. Uses a Barrier to synchronize thread start for maximum contention. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
westin-m
approved these changes
May 19, 2026
MZOLN
approved these changes
May 29, 2026
Contributor
@copilot resolve the merge conflicts in this pull request
pmaytak
reviewed
May 29, 2026
Contributor
Resolved the merge conflicts and merged latest
pmaytak
reviewed
May 29, 2026
cpp11nullptr
approved these changes
May 29, 2026
pmaytak
reviewed
May 29, 2026
pmaytak
reviewed
May 29, 2026
pmaytak
reviewed
May 29, 2026
pmaytak
approved these changes
Jun 1, 2026
cpp11nullptr
approved these changes
Jun 1, 2026
This was referenced Jun 2, 2026
Bump Microsoft.IdentityModel.JsonWebTokens from 8.18.0 to 8.19.0
Azure-Samples/azure-finops-agent#39
Open
Summary
Adds an opt-in property to enable caching of `SignatureProvider` instances returned by `ICryptoProvider.Create()`. Currently, providers created by a `CustomCryptoProvider` bypass the `CryptoProviderCache` entirely, meaning a new provider is created on every signature validation. This can be expensive when provider construction involves key materialisation or native resource allocation.

New API
When set to `true` (and `CacheSignatureProviders` is also `true`), the `SignatureProvider` returned by `ICryptoProvider.Create()` is routed through the existing `CryptoProviderCache`. Subsequent calls with the same key and algorithm return the cached provider, avoiding repeated construction.

Behaviour
- Default (`false`): No change from current behaviour. Custom providers are created and released on every call.
- `true`: After `Create()` returns a `SignatureProvider`, the cache is checked for an existing equivalent (handling concurrent creation races). If not cached, the provider is added via `TryAdd`. On cache hit, the cached provider is returned and the duplicate is released.

The cache key is `{KeyType}-{InternalId}-{Algorithm}-{ProviderType}`, consistent with built-in providers.

Race condition handling
When two threads concurrently create providers for the same key/algorithm:
- `Create()` and get new provider instances
- `TryAdd` to cache
- `TryGetSignatureProvider`, increments its ref count, releases the duplicate (`Release()` + `ICryptoProvider.Release()`), and returns the cached one

Copy constructor
The property is copied in `CryptoProviderFactory(CryptoProviderFactory other)` to ensure it propagates correctly when the factory is cloned.

No breaking changes
Existing behaviour is unchanged when `CacheCustomProviders` is `false` (the default). The `CustomCryptoProvider` early-return path in `CreateSignatureProvider` only reaches the cache logic when the new property is explicitly enabled.
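
An added example, not code from the pull request or the library: a small console program that exercises the opt-in described above with a hypothetical `CountingCryptoProvider`, warming the cache once and then requesting the provider from 20 threads at the same time. It assumes the factory passes the key and the `willCreateSignatures` flag to `Create()` through `args`, and it uses a constructed all-zero key.

```csharp
using System;
using System.Linq;
using System.Threading;
using Microsoft.IdentityModel.Tokens;

const string alg = SecurityAlgorithms.HmacSha256;
var key = new SymmetricSecurityKey(new byte[32]); // constructed all-zero sample key
var custom = new CountingCryptoProvider();
var factory = new CryptoProviderFactory
{
    CustomCryptoProvider = custom,
    CacheSignatureProviders = true, // master switch
    CacheCustomProviders = true,    // opt-in property added by this PR
};
var warm = factory.CreateForVerifying(key, alg); // first call populates the cache
var results = new SignatureProvider[20];
using var barrier = new Barrier(results.Length);
var threads = Enumerable.Range(0, results.Length).Select(i => new Thread(() =>
{
    barrier.SignalAndWait(); // release all threads together for contention
    results[i] = factory.CreateForVerifying(key, alg);
})).ToList();
threads.ForEach(t => t.Start());
threads.ForEach(t => t.Join());
Console.WriteLine($"Create() calls: {custom.CreateCalls}");
Console.WriteLine($"Distinct instances: {results.Append(warm).Distinct().Count()}");

// Hypothetical custom provider that counts how often Create() runs.
sealed class CountingCryptoProvider : ICryptoProvider
{
    public int CreateCalls;

    public bool IsSupportedAlgorithm(string algorithm, params object[] args) =>
        algorithm == SecurityAlgorithms.HmacSha256;

    public object Create(string algorithm, params object[] args)
    {
        Interlocked.Increment(ref CreateCalls);
        // Assumption: the factory passes the key and the willCreateSignatures flag in args.
        var key = args.OfType<SecurityKey>().First();
        bool willCreateSignatures = args.OfType<bool>().FirstOrDefault();
        // Forward the flag; the two-argument constructor defaults to true, which
        // targets the signing cache while CreateForVerifying reads the verifying cache.
        return new SymmetricSignatureProvider(key, algorithm, willCreateSignatures);
    }

    // No-op: this sample holds no native resources, and a cached instance may still be in use.
    public void Release(object cryptoInstance) { }
}
```

The tests described in the commit messages expect all 20 threads to receive the same cached instance, with no further `Create()` calls once the cache is warm.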