PowerPlatform-DataverseServiceClient icon indicating copy to clipboard operation
PowerPlatform-DataverseServiceClient copied to clipboard

Published 20 hours ago verified publisher icon microsoft

Do not refresh the access token in the CurrentAccessToken property

Open 0xced opened this issue 3 years ago • 3 comments

The property is documented to "return the current access token" but actually refreshes the token if it's expired, with sync over async code, which is bad.

This commit simply returns the current access token if it's available.

0xced avatar Mar 16 '22 19:03 0xced

@0xced Its necessary to refresh this token on request when expired.

The underlying refresh mechanism is fully Async as driven by MSAL, which we cannot alter, nor would we want to alter given the way in which MSAL deals with this. The External Authentication pattern is also setup as Async to support the downstream

That said, we would be willing to explore a sync return where the token management is onboard and the token is not expired and only rolling to the Async mechanism when a refresh is needed. The downside of that is that our client then has to make the decision as to whether a token is expired, which is what its doing right now. This has been called out by our internal security team as a problem based on updated token security protocols and we are discussing removing that feature in the client. This is a Pref vs Security conversation right now.

Are you seeing an issue currently that is driving this?
CurrentAccessToken is used only during clone today. Or are you trying to directly access it?

MattB-msft avatar Mar 16 '22 23:03 MattB-msft

Its necessary to refresh this token on request when expired.

Refreshing is necessary when performing HTTP requests that must include a valid bearer token, but when accessing a property I'm expecting that zero network calls are made under the hood. A GetAccessTokenAsync(CancellationToken cancellationToken) would be more appropriate.

Are you seeing an issue currently that is driving this? CurrentAccessToken is used only during clone today. Or are you trying to directly access it?

I'm accessing it for debugging purpose only but to reiterate, sync over async code is bad and should be avoided.

Also, all the ServiceClient constructors are performing plenty of network requests and this is bad design in my opinion. But I should probably open another issue to discuss the constructors specifically.

0xced avatar Mar 18 '22 22:03 0xced

Happy to chat through it, I would suggest doing it on the discussion board.

As we said in the release notes are are introducing a new, more di/delayed invocation friendly, constructor that will eventually subsume the existing constructors. This will allow for the deferred execution of the client setup leg.

MattB-msft avatar Mar 19 '22 17:03 MattB-msft

Actually I think we could have both:

  • public string CurrentAccessToken { get; }
  • public Task RefreshAccessTokenAsync(CancellationToken cancellationToken);

Did you get a chance to discuss the matter?

0xced avatar Oct 13 '22 20:10 0xced

We accepted a variation of this change as we dropped .net core 3.1 support.. this has been updated into 1.1.9's release

MattB-msft avatar Jun 09 '23 00:06 MattB-msft

Could you please elaborate a little bit on exactly what is this variation?

0xced avatar Jul 06 '23 08:07 0xced