Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Creating two instances of DefaultAzureCredential causes requests using the credential to never complete #43796

Closed
amerjusupovic opened this issue Apr 30, 2024 · 3 comments · Fixed by #43825
Closed

[BUG] Creating two instances of DefaultAzureCredential causes requests using the credential to never complete #43796

amerjusupovic opened this issue Apr 30, 2024 · 3 comments · Fixed by #43825
Assignees
@christothes
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team

Comments

@amerjusupovic
Copy link
Member

amerjusupovic commented Apr 30, 2024
edited
Loading

Library name and version

Azure.Identity 1.11.0

Describe the bug

Calls to clients that accept TokenCredential as authentication will hang indefinitely, like SecretClient.GetSecretAsync. This only happens when creating multiple instances of DefaultAzureCredential the exact same way, using the same constructor and same parameters but passing each one to separate clients that accept TokenCredential.

Expected behavior

Using multiple identical instances of DefaultAzureCredential will work the same with any client that accepts a TokenCredential parameter for authentication regardless of call order/where the credentials are created.

Actual behavior

Creating multiple identical instances of DefaultAzureCredential and passing them to multiple clients that accept TokenCredential for authentication will result in only the first client being able to resolve requests successfully.

Reproduction Steps

            var cred1 = new DefaultAzureCredential();

            var client1 = new SecretClient(new Uri("https://vaultname.vault.azure.net/"), cred1);
            KeyVaultSecret secret = await client1.GetSecretAsync("message").ConfigureAwait(false);
 
            var cred2 = new DefaultAzureCredential();

            var client2 = new SecretClient(new Uri("https://vaultname.vault.azure.net/"), cred2);
            secret = await client2.GetSecretAsync("message").ConfigureAwait(false);

The last line never completes. However, by changing either one of the credentials to pass in new DefaultAzureCredentialOptions(), the last line will now resolve successfully.

            var cred1 = new DefaultAzureCredential();

            var client1 = new SecretClient(new Uri("https://vaultname.vault.azure.net/"), cred1);
            KeyVaultSecret secret = await client1.GetSecretAsync("message").ConfigureAwait(false);
 
            var cred2 = new DefaultAzureCredential(new DefaultAzureCredentialOptions());

            var client2 = new SecretClient(new Uri("https://vaultname.vault.azure.net/"), cred2);
            secret = await client2.GetSecretAsync("message").ConfigureAwait(false);

This also happens even if different clients are used, like if the first client that's passed a TokenCredential is ConfigurationClient and the second is SecretClient.

Environment

.NET SDK:
Version: 8.0.204
Commit: c338c7548c
Workload version: 8.0.200-manifests.7d36c14f

Runtime Environment:
OS Name: Windows
OS Version: 10.0.22621
OS Platform: Windows
RID: win-x64
Base Path: C:\Program Files\dotnet\sdk\8.0.204\
@github-actions github-actions bot added Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Apr 30, 2024
@github-actions GitHub Actions
Copy link

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@amerjusupovic amerjusupovic mentioned this issue Apr 30, 2024
Closed
@amerjusupovic amerjusupovic changed the title [BUG] Creating two instances of DefaultAzureCredential causes SecretClient.GetSecretAsync() to never complete [BUG] Creating two instances of DefaultAzureCredential causes requests using the credential to never complete Apr 30, 2024
@christothes
Copy link
Member

Hi @amerjusupovic
The second call does return, however it is spending longer attempting to retry the attempts to detect whether the IMDS managed identity endpoint is available. This behavior is a regression from a recent change we made to improve the retry delays of the first attempt to select the credential from the DefaultAzureCredential chain.

We will publish a fix soon. However, even after this is fixed it is a best practice to use a singleton credential instance if there are no differences between how they are configured.

@amerjusupovic
Copy link
Member Author

Thanks for the explanation! I had only tested it with a timeout of 100 seconds so I suppose it would've just taken longer. We'll make sure to recommend using a single credential instance for the app config provider.

@christothes christothes mentioned this issue May 2, 2024
Merged
@github-project-automation github-project-automation bot moved this from Untriaged to Done in Azure Identity SDK Improvements May 3, 2024
@yaroslavlsd yaroslavlsd mentioned this issue Jul 29, 2024
Closed
@github-actions github-actions bot locked and limited conversation to collaborators Aug 1, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@christothes christothes

Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team
Projects
Azure Identity SDK Improvements
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

DAC remains in probe request mode until first response christothes/azure-sdk-for-net
2 participants
@christothes @amerjusupovic