disable token cache for service principal (#20336)

isra-fel · Nickcandy · msJinLei · web-flow · commit 44b808517e54 · 2022-12-01T14:32:41.000+08:00
Co-authored-by: NanxiangLiu &lt;33285578+Nickcandy@users.noreply.github.com&gt;
Co-authored-by: Jin Lei &lt;54836179+msJinLei@users.noreply.github.com&gt;
diff --git a/src/Accounts/Accounts/ChangeLog.md b/src/Accounts/Accounts/ChangeLog.md
@@ -19,9 +19,7 @@
 -->
 
 ## Upcoming Release
-* Enabled caching tokens when logging in with a service principal or client assertion. [#20013]
-    - This could reduce extra network traffic and improve performance.
-    - It also fixed the incorrectly short lifespan of tokens.
+* Enabled caching tokens when logging in with a client assertion. This fixed the incorrectly short lifespan of tokens.
 * Upgraded target framework of Microsoft.Identity.Client to net461 [#20189]
 * Stored `ServicePrincipalSecret` and `CertificatePassword` into `AzKeyStore`.
 * Updated the reference of Azure PowerShell Common to 1.3.65-preview.
diff --git a/src/Accounts/Authenticators/ServicePrincipalAuthenticator.cs b/src/Accounts/Authenticators/ServicePrincipalAuthenticator.cs
@@ -43,12 +43,14 @@ public override Task<IAccessToken> Authenticate(AuthenticationParameters paramet
             var authority = spParameters.Environment.ActiveDirectoryAuthority;
 
             var requestContext = new TokenRequestContext(scopes);
-            var tokenCachePersistenceOptions = spParameters.TokenCacheProvider.GetTokenCachePersistenceOptions();
+            // var tokenCachePersistenceOptions = spParameters.TokenCacheProvider.GetTokenCachePersistenceOptions();
             AzureSession.Instance.TryGetComponent(nameof(AzureCredentialFactory), out AzureCredentialFactory azureCredentialFactory);
 
             var options = new ClientCertificateCredentialOptions()
             {
-                TokenCachePersistenceOptions = tokenCachePersistenceOptions, // allows MSAL to cache access tokens
+                // commented due to https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3218
+                // todo: investigate splitting user token cache and app token cache
+                // TokenCachePersistenceOptions = tokenCachePersistenceOptions, // allows MSAL to cache access tokens
                 AuthorityHost = new Uri(authority),
                 SendCertificateChain = spParameters.SendCertificateChain ?? default(bool)
             };
@@ -67,7 +69,7 @@ public override Task<IAccessToken> Authenticate(AuthenticationParameters paramet
                 //Service principal with secret
                 var csOptions = new ClientSecretCredentialOptions()
                 {
-                    TokenCachePersistenceOptions = tokenCachePersistenceOptions, // allows MSAL to cache access tokens
+                    // TokenCachePersistenceOptions = tokenCachePersistenceOptions, // allows MSAL to cache access tokens
                     AuthorityHost = new Uri(authority)
                 };
                 tokenCredential = azureCredentialFactory.CreateClientSecretCredential(tenantId, spParameters.ApplicationId, spParameters.Secret, csOptions);
