-
Notifications
You must be signed in to change notification settings - Fork 252
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AzureCliCredential
parses an incorrect token expiry time in multi-threaded Unix applications
#1371
Comments
@cataggar, with the recent changes made to chrono, we might want to revisit our migration from Ref: https://github.com/chronotope/chrono/releases/tag/v0.4.30 |
I think it is best that the Azure CLI pass the unix timestamp along. |
My PR to pass the unix timestamp was replaced with Azure/azure-cli#27476 |
As indicated in Azure#1371, there are numerous issues with handling the az-cli's output of an access token's expiration date when it comes to time zones. An update to the Azure CLI is in progress that will add a _new_ field that will handle the conversion, currently tracked as Azure/azure-cli#27476. We should make use of this new feature once it's available, but we should also keep this functionality as a fallback for supporting older Azure CLIs.
As indicated in #1371, there are numerous issues with handling the az-cli's output of an access token's expiration date when it comes to time zones. An update to the Azure CLI is in progress that will add a _new_ field that will handle the conversion, currently tracked as Azure/azure-cli#27476. We should make use of this new feature once it's available, but we should also keep this functionality as a fallback for supporting older Azure CLIs.
This has been mitigated in 0.16.2, released earlier today. In the future, we should make use of the az-cli feature that was linked earlier if the functionality is available. For existing az-cli instances, we use |
Description
To get an access token,
AzureCliCredential
shells out toaz account get-access-token
and parses up theexpiresOn
string as a datetime value. Sinceaz
formats the datetime without a timezone offset, it assumes the offset withdate::assume_local()
.azure-sdk-for-rust/sdk/identity/src/token_credentials/azure_cli_credentials.rs
Lines 19 to 26 in f978185
date::assume_local()
delegates totime
's functionUtcOffset::current_local_offset()
.azure-sdk-for-rust/sdk/core/src/date/mod.rs
Lines 116 to 119 in f978185
For most Unix systems,
UtcOffset::current_local_offset()
will returnOk(offset)
for single-threaded applications, andErr(IndeterminateOffset)
for multi-threaded applications, as defined by this function.In my case, I am running my application on Ubuntu (WSL), and my application is multi-threaded. So this offset is always indeterminate.
(Aside: There's a whole conversation about thread-safety of accessing local time zone data, which is the reason why this behavior exists. If certain things change in the Rust ecosystem, then this problem may just resolve itself as simply as installing a new release of
time
.)Because the offset is indeterminate,
date::assume_local()
will default the expiry time to being in the UTC time zone, when it should be in my local (PDT) time zone. This is obviously incorrect behavior, because the expiry time is now hours off from the actual time it should represent.This can manifest as bugs further down the line, e.g. in
AutoRefreshingTokenCredential
where recently cached tokens are refreshed constantly because they are viewed as expired. Each token refresh adds consistent overhead to SDK calls. In particular, this led my calls through SDK clients to take approximately ~1.3s each rather than an expected ~90ms each when the token was only refreshed as needed.Workarounds/Solutions
set_soundness()
function provided bytime
. This requires some understanding of the thread-safety of your application and probably isn't worth the effort to do correctly.az account get-access-token
: Use epochexpiresOn
/expires_on
azure-cli#19700). If implemented, theAzureCliCredential
would just have to deserialize the epoch timestamp, circumventing the need to determine the system's local offset. However, I haven't seen much activity on this issue, so I'm not sure what the timelines are there.set_soundness()
in the SDK itself, but this is probably unsafe. Again, not recommended.Relevant Issues/PRs
az account get-access-token
: Use epochexpiresOn
/expires_on
azure-cli#19700az account get-access-token
: ShowexpiresOn
for managed identity azure-cli#20219localtime_r
may be unsound time-rs/time#293The text was updated successfully, but these errors were encountered: