
[QUERY] Can I use Azure.Identity with WindowsAzure.Storage?

Open martinknafvework opened this issue 2 years ago • 2 comments

Library name and version

Azure Identity 1.8.0

Query/Question

I wonder if it's reliable to use an access token retrieved by Azure.Identity with the old Azure Storage client (CloudStorageAccount found in package WindowsAzure.Storage).

In the migration guidance for App Authentication -> Azure Identity, it says:

If you have an existing application that uses AppAuthentication and want to use Azure.Identity, the preferred path is to update your application to use the new Azure client SDKs that support accepting TokenCredentials.

We have a huge application and upgrading Azure Identity and Azure Storage client SDK at the same time would be too big a risk, so I'm looking for alternative migration paths where it can be done more incrementally. I have written a small test application which retrieves an authentication token using Azure Identity, and it seems to work fine to pass it to the WindowsAzure.Storage client.

I create an access token using Azure.Identity like this:

static async Task<AccessToken> GetAccessToken()
{
   var resourceId = "https://storage.azure.com/";

   // Request access token via interactive browser
   var browserCredential = new InteractiveBrowserCredential();
   var accessToken = await browserCredential.GetTokenAsync(
      new TokenRequestContext(scopes: new string[] { resourceId + "/.default" }) { }
   );

   return accessToken;
}

... and then I pass it into the Azure Storage client, roughly like this:

 var accessToken = await GetAccessToken();
 var tokenCredential = new TokenCredential(accessToken.Token, RenewToken, null, (accessToken.ExpiresOn - DateTimeOffset.UtcNow).Add(-TimeSpan.FromMinutes(5)));

 var storageCredentials = new StorageCredentials(tokenCredential);
 var account = new CloudStorageAccount(storageCredentials, "<my-storage-account>", "core.windows.net", true);

It looks like it's working fine. The token is retrieved, I can access storage resources and the token is renewed properly before expiration. I have run tests both using InteractiveBrowserCredential and ClientCertificateCredential and both seem to be working fine.

So what I am wondering is if there's something risky/bad with this approach?

One specific concern I have is whether the TokenCredential class in WindowsAzure.Storage is thread safe - can it be passed into multiple instances of StorageCredentials on different threads, or would I need to request a new authentication token every time I create a new CloudStorageAccount (something which would be very very slow)? Looking at https://github.com/Azure/azure-storage-net/blob/v9.3/Lib/Common/Auth/TokenCredential.cs, it looks like I could create a single TokenCredential at startup and then re-use it in multiple `StorageCredentials` passed to `CloudStorageAccount`s, but it does not appear to be documented as thread safe. (I can't imagine that the design was that each thread needs to perform authentication against Azure AD on its own.)

Environment

.NET Framework 4.8

martinknafvework, Dec 30 '22 13:12
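The one-time setup and the `RenewToken` callback that the post above refers to but does not show, as an added example (not the poster's code and not code from either SDK). The class name `LegacyStorageAuth`, the 30-second floor and the scope string are assumptions; sharing one instance follows what the poster observed, since the legacy `TokenCredential` is not documented as thread safe.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Auth;
// Both SDKs define a type named TokenCredential, so alias each one explicitly.
using AadCredential = Azure.Core.TokenCredential;
using StorageTokenCredential = Microsoft.WindowsAzure.Storage.Auth.TokenCredential;

static class LegacyStorageAuth // hypothetical helper, not part of either SDK
{
    static readonly string[] Scopes = { "https://storage.azure.com/.default" };
    static readonly TimeSpan Margin = TimeSpan.FromMinutes(5);    // same margin as in the post
    static readonly TimeSpan MinDelay = TimeSpan.FromSeconds(30); // assumed floor

    // A token that is already inside the margin would give a zero or negative
    // interval; clamp it so the renewal schedule always gets a positive delay.
    static TimeSpan RenewIn(AccessToken token)
    {
        var delay = token.ExpiresOn - DateTimeOffset.UtcNow - Margin;
        return delay > MinDelay ? delay : MinDelay;
    }

    // Matches the legacy RenewTokenFuncAsync delegate. 'state' carries the
    // Azure.Identity credential, so the callback needs no static mutable state.
    static async Task<NewTokenAndFrequency> RenewToken(object state, CancellationToken ct)
    {
        var token = await ((AadCredential)state)
            .GetTokenAsync(new TokenRequestContext(Scopes), ct).ConfigureAwait(false);
        return new NewTokenAndFrequency(token.Token, RenewIn(token));
    }

    // Call once at startup. The legacy type is IDisposable: dispose it at shutdown.
    public static async Task<StorageTokenCredential> CreateAsync(AadCredential credential)
    {
        var first = await credential
            .GetTokenAsync(new TokenRequestContext(Scopes), CancellationToken.None)
            .ConfigureAwait(false);
        return new StorageTokenCredential(first.Token, RenewToken, credential, RenewIn(first));
    }

    // Each account wraps the same shared credential in its own StorageCredentials.
    public static CloudStorageAccount Account(StorageTokenCredential shared, string accountName) =>
        new CloudStorageAccount(new StorageCredentials(shared), accountName, "core.windows.net", true);
}
```

Any Azure.Identity credential can be passed to `CreateAsync`, including the `InteractiveBrowserCredential` and `ClientCertificateCredential` the post mentions.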

//cc: @schaabs

jsquire, Dec 30 '22 17:12

Thank you for your feedback. Tagging and routing to the team member best able to assist. Please expect delayed responses due to the US holidays.

jsquire, Dec 30 '22 17:12

Hi @nitramavfank - The code you are referring to is deprecated so I'm afraid I can't say for sure whether you'll have any threading issues. The newer Azure.Storage.* and Azure.Identity SDKs which are currently supported and built out of this repo are thread safe.

christothes, Feb 03 '23 17:02

Hi @nitramavfank. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text “/unresolve” to remove the “issue-addressed” label and continue the conversation.

ghost, Feb 03 '23 17:02

Hi @nitramavfank, since you haven’t asked that we “/unresolve” the issue, we’ll close this out. If you believe further discussion is needed, please add a comment “/unresolve” to reopen the issue.

ghost, Feb 10 '23 22:02