azure-workload-identity

Workload identity golang api support force refresh token

Open Calotte opened this issue 9 months ago • 2 comments

Is your feature request related to a problem? Please describe.
We want to use workload identity to access Azure Managed Redis. As we know, the token has an expiry time of 24h. To avoid the Redis client losing permission when the token expires, we set up an auto-refresh routine which refreshes the token 5 min before the expiry time; however, when we call the GetToken function, the token we get is still the expiring one. Related code is:

import (
	"context"
	"fmt"
	"log"
	"time"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
)

// acquireToken builds the workload identity credential, requests a token for scope,
// and returns the token plus the time at which the refresh routine should renew it.
func acquireToken(clientID, scope string) (string, time.Time, error) {
	cred, err := azidentity.NewWorkloadIdentityCredential(&azidentity.WorkloadIdentityCredentialOptions{
		ClientID: clientID,
	})
	if err != nil {
		return "", time.Time{}, fmt.Errorf("failed to create workload identity credential: %w", err)
	}
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()
	token, err := cred.GetToken(ctx, policy.TokenRequestOptions{
		Scopes: []string{scope},
	})
	if err != nil {
		log.Printf("failed to get token, error: %v", err)
		return "", time.Time{}, err
	}
	// Schedule the refresh 5 minutes before the token expires.
	expiry := token.ExpiresOn.Add(-5 * time.Minute)
	return token.Token, expiry, nil
}


For the auto-refresh routine, we call the following to get a token and re-authenticate the Redis client:

	// Refresh routine: request a token again and re-authenticate the Redis client with it.
	token, err := cred.GetToken(ctx, policy.TokenRequestOptions{
		Scopes: []string{scope},
	})

Describe the solution you'd like
It seems that before expiring, the token returned is still the old one, which would expire in 5 mins; it may be a local cache. Could GetToken allow passing an option that forces acquiring a new token?

Describe alternatives you've considered

Additional context

Calotte · Mar 28 '25 06:03

@chlowell is the owner of the azidentity Go SDK.

@Calotte please open an issue here for SDK-related questions.

aramase · Mar 31 '25 16:03

Could GetToken allow passing an option that forces acquiring a new token?

The Azure SDK won't add an option like this because it couldn't work consistently. It would often have no effect because Azure SDK credentials are usually surrounded by external caches they don't control.

Currently the Azure SDK refreshes a token when it has less than 5 minutes of validity left; however, it will soon observe the refresh_in time, if any, specified by the authority. That might address your need, if AKS workload identity specifies this value (I don't know whether it does).

chlowell · Mar 31 '25 21:03
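A refresh routine that fits the behaviour chlowell describes, as an added example that is not code from this issue, the project, or the Azure SDK: it schedules the next GetToken call from the authority's refresh_in time when one is known (otherwise 5 minutes before expiry) and, because a cache in front of the credential may still hand back the old token, accepts a result only when its ExpiresOn is later than the token being replaced. The tokenSource type and the fake token values are constructed stand-ins for azcore.TokenCredential and a real authority response.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// tokenSource stands in for azcore.TokenCredential.GetToken (hypothetical, SDK-free type).
type tokenSource func(ctx context.Context) (token string, expiresOn time.Time, err error)

// refreshAt returns when to call GetToken next: refresh_in if known and before expiry, else lead before expiry.
func refreshAt(expiresOn, refreshOn time.Time, lead time.Duration) time.Time {
	if !refreshOn.IsZero() && refreshOn.Before(expiresOn) {
		return refreshOn
	}
	return expiresOn.Add(-lead)
}

// acquireFresh calls src until it returns a token expiring after minExpiry; a credential behind an
// external cache may return the old token while it has more than the cache's threshold of validity left.
func acquireFresh(ctx context.Context, src tokenSource, minExpiry time.Time, attempts int, backoff time.Duration) (string, time.Time, error) {
	for i := 0; i < attempts; i++ {
		tok, exp, err := src(ctx)
		if err != nil {
			return "", time.Time{}, err
		}
		if exp.After(minExpiry) {
			return tok, exp, nil
		}
		time.Sleep(backoff) // still the expiring token: wait and ask again
	}
	return "", time.Time{}, errors.New("credential kept returning the expiring token")
}

func main() {
	now := time.Now()
	calls := 0
	// Constructed fake: the cached token expires in 4 minutes, the one after it in 24h.
	src := func(context.Context) (string, time.Time, error) {
		calls++
		if calls < 3 {
			return "old-token", now.Add(4 * time.Minute), nil
		}
		return "new-token", now.Add(24 * time.Hour), nil
	}
	tok, exp, err := acquireFresh(context.Background(), src, now.Add(5*time.Minute), 5, time.Millisecond)
	fmt.Println(tok, exp.Sub(now).Round(time.Minute), err, "next refresh at", refreshAt(exp, time.Time{}, 5*time.Minute))
}
```

In a real client, src wraps cred.GetToken and minExpiry is the ExpiresOn of the token currently in use.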

Per my reading of the SDK code, I believe this should work as desired. If it does not, then that would be an issue to open against the SDK repo.

enj · Aug 19 '25 20:08