-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ClientCredentials: Fixed bug where user-supplied cache is loaded into memory only after network request #6218
Conversation
…ing into the cache
Codecov ReportAttention: Patch coverage is
Additional details and impacted files
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added context for CacheManager
class in comments, please keep that in mind for future changes.
@Robbie-Microsoft @bgavrilMS @sameerag this issue pertains to other flows as well (especially public client auth code flow in relation to msal-node-extensions). It was being tracked here: #5502 For CCA, there's a non-trivial cost to hydrating the in memory cache with the persistent cache i.e. if the persistence layer is hosted on cloud or similar, each check will involve a network call (couple 100ms worst case -consider latency differences between a redis cache vs a sql db). It might be fine for client credentials but it could be a bottleneck for a resource server using OBO. Essentially the question is how often the in-memo cache should be hydrated before a token request, given that the in-memo cache is the single source of truth for msal. "Always" is probably the best wrt cache coherence in a horizontal scaling scenario, but worth discussing what other options might be viable for devs optimizing for perf. My 2 cents: perhaps it makes sense to have a cache policy configuration parameter for the cache field in msal-node configuration, with options like "check in-memo cache first, then persistence if needed", "check persistence first, then in-memo cache" and etc.. |
I would expect it to be something like - always check in-memory cache first, if not empty, return data, but if it's empty, check persistence cache. The issue now is if new CCA is created per request, the in-memory cache will always be empty (unless that workaround is used and getAccounts is called first), |
@pmaytak agreed, that would be the general approach (for PCA and CCA), but as you said, CCA will typically be a fresh instance and so, empty in-memory cache.. |
While working on the PR Extend proactive token refresh to client_credentials, I discovered a bug while manually testing the fix.
A user-supplied cache (provided as
cache: { cachePlugin }
in the configuration) is not loaded into memory until after a network request, inside of handleServerTokenResponse, inside of the ResponseHandler.We want to load the user-defined cache (if applicable) into memory BEFORE checking the in-memory-cache for existing tokens.
Without this fix, when a token is acquired in the client_credentials flow,
fromCache
will always be set to false, and a request will be sent over the network for a token.Question to others and follow-up: Does this bug exist in other flows?
Edit: looks like this PR will solve the problem described in msal-node's performance doc here. Looking at the code at the bottom of that page, the line directly above the acquireToken call:
await cca.getTokenCache().getAllAccounts(); // required for cache read