Skip to content

Fix proactive token refresh bypassing cancellation, leading to unbounded semaphore wait #6054

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bgavrilMS merged 1 commit into from
Jun 10, 2026
Merged

Fix proactive token refresh bypassing cancellation, leading to unbounded semaphore wait #6054

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 5 additions & 2 deletions src/client/Microsoft.Identity.Client/Internal/Requests/ClientCredentialRequest.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,11 +96,14 @@ protected override async Task<AuthenticationResult> ExecuteAsync(CancellationTok

SilentRequestHelper.ProcessFetchInBackground(
cachedAccessTokenItem,
() =>
async () =>
{
// Use a linked token source, in case the original cancellation token source is disposed before this background task completes.
// IMPORTANT: The lambda must be async and await the inner call. Without async/await, `using var` disposes the linked CTS
// before the async operation completes, breaking cancellation propagation and causing unbounded SemaphoreSlim convoy.
// See https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/6053
using var tokenSource = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
return GetAccessTokenAsync(tokenSource.Token, logger);
return await GetAccessTokenAsync(tokenSource.Token, logger).ConfigureAwait(false);
}, logger, ServiceBundle, AuthenticationRequestParameters.RequestContext.ApiEvent,
AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkApiId,
AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkVersion);
Expand Down
7 changes: 5 additions & 2 deletions src/client/Microsoft.Identity.Client/Internal/Requests/ManagedIdentityAuthRequest.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,11 +123,14 @@ protected override async Task<AuthenticationResult> ExecuteAsync(CancellationTok

SilentRequestHelper.ProcessFetchInBackground(
cachedAccessTokenItem,
() =>
async () =>
{
// Use a linked token source, in case the original cancellation token source is disposed before this background task completes.
// IMPORTANT: The lambda must be async and await the inner call. Without async/await, `using var` disposes the linked CTS
// before the async operation completes, breaking cancellation propagation and causing unbounded SemaphoreSlim convoy.
// See https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/6053
using var tokenSource = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
return GetAccessTokenAsync(tokenSource.Token, logger);
return await GetAccessTokenAsync(tokenSource.Token, logger).ConfigureAwait(false);
}, logger, ServiceBundle, AuthenticationRequestParameters.RequestContext.ApiEvent,
AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkApiId,
AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkVersion);
Expand Down
7 changes: 5 additions & 2 deletions src/client/Microsoft.Identity.Client/Internal/Requests/OnBehalfOfRequest.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -155,11 +155,14 @@ protected override async Task<AuthenticationResult> ExecuteAsync(CancellationTok

SilentRequestHelper.ProcessFetchInBackground(
cachedAccessToken,
() =>
async () =>
{
// Use a linked token source, in case the original cancellation token source is disposed before this background task completes.
// IMPORTANT: The lambda must be async and await the inner call. Without async/await, `using var` disposes the linked CTS
// before the async operation completes, breaking cancellation propagation and causing unbounded SemaphoreSlim convoy.
// See https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/6053
using var tokenSource = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
return RefreshRtOrFetchNewAccessTokenAsync(tokenSource.Token);
return await RefreshRtOrFetchNewAccessTokenAsync(tokenSource.Token).ConfigureAwait(false);
}, logger, ServiceBundle, AuthenticationRequestParameters.RequestContext.ApiEvent,
AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkApiId,
AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkVersion);
Expand Down
7 changes: 5 additions & 2 deletions src/client/Microsoft.Identity.Client/Internal/Requests/Silent/CacheSilentStrategy.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,11 +106,14 @@ public async Task<AuthenticationResult> ExecuteAsync(CancellationToken cancellat

SilentRequestHelper.ProcessFetchInBackground(
cachedAccessTokenItem,
() =>
async () =>
{
// Use a linked token source, in case the original cancellation token source is disposed before this background task completes.
// IMPORTANT: The lambda must be async and await the inner call. Without async/await, `using var` disposes the linked CTS
// before the async operation completes, breaking cancellation propagation and causing unbounded SemaphoreSlim convoy.
// See https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/6053
using var tokenSource = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
return RefreshRtOrFailAsync(tokenSource.Token);
return await RefreshRtOrFailAsync(tokenSource.Token).ConfigureAwait(false);
}, logger, ServiceBundle, AuthenticationRequestParameters.RequestContext.ApiEvent,
Comment thread
jayesh-a-shah marked this conversation as resolved.
AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkApiId,
AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkVersion);
Expand Down
Loading