[BUG] ManagedIdentity.GetTokenAsync method does not handle cancellationtoken #47156

Closed
jonnybee opened this issue Nov 14, 2024 · 3 comments · Fixed by #47171
jonnybee commented Nov 14, 2024

Library name and version

Azure.Identity v1.13.x

Describe the bug

Since the v1.13.0 release, the GetTokenAsync method on ManagedIdentity does not respect/handle cancellationToken and will only time out after 100 seconds.

This worked just fine in older versions (up to v1.12.1).

Expected behavior

The GetTokenAsync method should return a TaskCanceledException after the cancellationToken has requested cancellation as it did in v1.12.1 and older.

Actual behavior

When running with v1.13.x this will run for 100 seconds and return this message:

ManagedIdentityCredential authentication failed: Retry failed after 5 tries. Retry settings can be adjusted in ClientOptions.Retry or by configuring a custom retry policy in ClientOptions.RetryPolicy.
(A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (169.254.169.254:80))
(A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (169.254.169.254:80))
(A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (169.254.169.254:80))
(A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (169.254.169.254:80)) (The operation was canceled.)
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot

MsalServiceException
Retry failed after 5 tries. Retry settings can be adjusted in ClientOptions.Retry or by configuring a custom retry policy in ClientOptions.RetryPolicy...

Reproduction Steps

```csharp
using System;
using System.Threading;
using Azure.Core;
using Azure.Identity;

var credential = new ManagedIdentityCredential();
var scopes = "api://52940e13-4781-4ef7-a380-01494c61b4b7";

var tokenRequestContext = new TokenRequestContext(scopes.Split(new []{','}, StringSplitOptions.RemoveEmptyEntries));

// so we will drop this down to 5 seconds
var myCts = new CancellationTokenSource();
myCts.CancelAfter(5000);  // 5000ms = 5s
// On v1.13.x this call does not observe myCts.Token and fails only after 100 seconds
var token = await credential.GetTokenAsync(tokenRequestContext, myCts.Token);
```

Environment

.NET SDK:
Version: 9.0.100
Commit: 59db016f11
Workload version: 9.0.100-manifests.c6f19616
MSBuild version: 17.12.7+5b8665660

Runtime Environment:
OS Name: Windows
OS Version: 10.0.22631
OS Platform: Windows
RID: win-x64
Base Path: C:\Program Files\dotnet\sdk\9.0.100\


@christothes
Member

Hi @jonnybee -
Thank you for reporting this issue. This does appear to be a bug related to a new code path where the cancellation token is not properly propagated. Until we have a fix published, you should be able to work around this by providing a custom instance of the RetryPolicy to the credential options.

example:

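```csharp
using System;
using Azure.Core;           // DelayStrategy
using Azure.Core.Pipeline;  // RetryPolicy
using Azure.Identity;

// Zero retries, so the credential gives up after the first failed attempt
var options = new TokenCredentialOptions()
{
    RetryPolicy = new RetryPolicy(0, DelayStrategy.CreateFixedDelayStrategy(TimeSpan.FromSeconds(5)))
};
var credential = new ManagedIdentityCredential(options: options);
```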

Just out of curiosity, can you describe the scenario where you want a shorter cancellation for ManagedIdentityCredential?

The default behavior you are seeing now is meant to be as resilient as possible for production scenarios. Typically, if the intention is to use a managed identity you do not want to "fail fast".

However, DefaultAzureCredential was designed to work in a "fail fast" manner in development environments where you don't want to wait for resilient retries for managed identity. It fails after only 1 second by default and attempts no retries. More information can be found here.

@jonnybee
Author

Hi @christothes

The code is from internal custom ASP.NET Core middleware used for access control for APIs running in either OnPrem or Azure.

When running in Azure the middleware will use Managed Identity for authorization of the call to access control API, whereas the first call from services running OnPrem may (misconfigured) also try to get token from ManagedIdentity before short-circuiting to use an API key on calls to access control API.

So it is more of a safeguard for misconfiguration that we use a timeout of 5 seconds for APIs running OnPrem. However, after upgrading to Azure Identity v1.13.1 we experienced a 100 second timeout on the first call to try and get a token in some services when running OnPrem.
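
A caller-side deadline for the scenario discussed in this thread, as an added example that is not code from the issue, its participants or Azure.Identity: the caller stops waiting after a fixed time whether or not the credential observes the cancellation token. The names `BoundedTokenAcquisition` and `TryGetTokenAsync` are hypothetical, and `Task.WaitAsync` assumes .NET 6 or later.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Hypothetical helper, not part of Azure.Identity. Assumes .NET 6+ (Task.WaitAsync).
public static class BoundedTokenAcquisition
{
    // Returns the token, or null when no managed identity answers within `deadline`.
    public static async Task<AccessToken?> TryGetTokenAsync(
        TokenCredential credential,
        TokenRequestContext context,
        TimeSpan deadline,
        CancellationToken callerToken = default)
    {
        var cts = CancellationTokenSource.CreateLinkedTokenSource(callerToken);
        cts.CancelAfter(deadline);

        // Still pass the token: library versions that honor it stop their retries early.
        Task<AccessToken> pending = credential.GetTokenAsync(context, cts.Token).AsTask();

        // Runs whenever the call finally ends, even after we stopped waiting:
        // marks a late fault as observed and releases the token source.
        _ = pending.ContinueWith(t => { _ = t.Exception; cts.Dispose(); }, TaskScheduler.Default);

        try
        {
            // Stops *waiting* at the deadline even if the call never observes the token.
            return await pending.WaitAsync(deadline, callerToken);
        }
        catch (TimeoutException)
        {
            return null; // the abandoned call ends on its own in the background
        }
        catch (OperationCanceledException) when (!callerToken.IsCancellationRequested)
        {
            return null; // our deadline fired and the library honored it
        }
        catch (CredentialUnavailableException)
        {
            return null; // no managed identity endpoint in this environment
        }
        // Other AuthenticationFailedException cases propagate, so a broken
        // identity in Azure is not silently replaced by a fallback credential.
    }
}
```

A `null` result is the signal to take the fallback path; a cancellation requested by the caller itself still surfaces as `OperationCanceledException`.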
