Cache tokens for service principal (#20193)

Author: isra-fel

src/Accounts/Accounts/ChangeLog.md

@@ -19,6 +19,7 @@
 -->
 
 ## Upcoming Release
+* Enabled caching tokens when logging in with a service principal. This could reduce network traffic and improve performance.
 
 ## Version 2.10.3
 * Updated `Get-AzSubscription` to retrieve subscription by Id rather than listed all the subscriptions from server if subscription Id is provided. [#19115]

src/Accounts/Authentication.Test/AuthenticatorsTest/ServicePrincipalAuthenticatorTests.cs

@@ -71,7 +71,7 @@ public async Task ServicePrincipalSecretAuthenticationTest()
             //Setup
             var mockAzureCredentialFactory = new Mock<AzureCredentialFactory>();
             mockAzureCredentialFactory.Setup(f => f.CreateClientSecretCredential(
-                 It.IsAny<string>(), It.IsAny<string>(), It.IsAny<SecureString>(), It.IsAny<ClientCertificateCredentialOptions>())).Returns(() => new TokenCredentialMock());
+                 It.IsAny<string>(), It.IsAny<string>(), It.IsAny<SecureString>(), It.IsAny<ClientSecretCredentialOptions>())).Returns(() => new TokenCredentialMock());
 
             AzureSession.Instance.RegisterComponent(nameof(AzureCredentialFactory), () => mockAzureCredentialFactory.Object, true);
             InMemoryTokenCacheProvider cacheProvider = new InMemoryTokenCacheProvider();
@@ -101,7 +101,7 @@ public async Task ServicePrincipalSecretAuthenticationTest()
             var token = await authenticator.Authenticate(parameter);
 
             //Verify
-            mockAzureCredentialFactory.Verify(f => f.CreateClientSecretCredential(TestTenantId, accountId, securePassword, It.IsAny<ClientCertificateCredentialOptions>()), Times.Once());
+            mockAzureCredentialFactory.Verify(f => f.CreateClientSecretCredential(TestTenantId, accountId, securePassword, It.IsAny<ClientSecretCredentialOptions>()), Times.Once());
             Assert.Equal(fakeToken, token.AccessToken);
             Assert.Equal(TestTenantId, token.TenantId);
         }

src/Accounts/Authenticators/Factories/AzureCredentialFactory.cs

@@ -27,7 +27,7 @@ public virtual TokenCredential CreateManagedIdentityCredential(string clientId)
             return new ManagedIdentityCredential(clientId);
         }
 
-        public virtual TokenCredential CreateClientSecretCredential(string tenantId, string clientId, SecureString secret, ClientCertificateCredentialOptions options)
+        public virtual TokenCredential CreateClientSecretCredential(string tenantId, string clientId, SecureString secret, ClientSecretCredentialOptions options)
         {
             return new ClientSecretCredential(tenantId, clientId, secret.ConvertToString(), options);
         }

src/Accounts/Authenticators/ServicePrincipalAuthenticator.cs

@@ -30,7 +30,7 @@ public class ServicePrincipalAuthenticator : DelegatingAuthenticator
     {
         private const string AuthenticationFailedMessage = "No certificate thumbprint or secret provided for the given service principal '{0}'.";
 
-        //MSAL doesn't cache Service Principal into msal.cache
+        // MSAL doesn't cache the secret of Service Principal, but it caches access tokens
         public override Task<IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
         {
             var spParameters = parameters as ServicePrincipalParameters;
@@ -43,10 +43,12 @@ public override Task<IAccessToken> Authenticate(AuthenticationParameters paramet
             var authority = spParameters.Environment.ActiveDirectoryAuthority;
 
             var requestContext = new TokenRequestContext(scopes);
+            var tokenCachePersistenceOptions = spParameters.TokenCacheProvider.GetTokenCachePersistenceOptions();
             AzureSession.Instance.TryGetComponent(nameof(AzureCredentialFactory), out AzureCredentialFactory azureCredentialFactory);
 
             var options = new ClientCertificateCredentialOptions()
             {
+                TokenCachePersistenceOptions = tokenCachePersistenceOptions, // allows MSAL to cache access tokens
                 AuthorityHost = new Uri(authority),
                 SendCertificateChain = spParameters.SendCertificateChain ?? default(bool)
             };
@@ -63,10 +65,15 @@ public override Task<IAccessToken> Authenticate(AuthenticationParameters paramet
             else if (spParameters.Secret != null)
             {
                 //Service principal with secret
-                tokenCredential = azureCredentialFactory.CreateClientSecretCredential(tenantId, spParameters.ApplicationId, spParameters.Secret, options);
-                parametersLog = $"- ApplicationId:'{spParameters.ApplicationId}', TenantId:'{tenantId}', Scopes:'{string.Join(",", scopes)}', AuthorityHost:'{options.AuthorityHost}'";
+                var csOptions = new ClientSecretCredentialOptions()
+                {
+                    TokenCachePersistenceOptions = tokenCachePersistenceOptions, // allows MSAL to cache access tokens
+                    AuthorityHost = new Uri(authority)
+                };
+                tokenCredential = azureCredentialFactory.CreateClientSecretCredential(tenantId, spParameters.ApplicationId, spParameters.Secret, csOptions);
+                parametersLog = $"- ApplicationId:'{spParameters.ApplicationId}', TenantId:'{tenantId}', Scopes:'{string.Join(",", scopes)}', AuthorityHost:'{csOptions.AuthorityHost}'";
             }
-            else if(!string.IsNullOrEmpty(spParameters.CertificatePath))
+            else if (!string.IsNullOrEmpty(spParameters.CertificatePath))
             {
                 if (spParameters.CertificateSecret != null)
                 {
@@ -86,6 +93,7 @@ public override Task<IAccessToken> Authenticate(AuthenticationParameters paramet
             {
                 throw new MsalException(MsalError.AuthenticationFailed, string.Format(AuthenticationFailedMessage, clientId));
             }
+
             return MsalAccessToken.GetAccessTokenAsync(
                 nameof(ServicePrincipalAuthenticator),
                 parametersLog,