Java SDK - Azure Identity - should I handle DefaultAzureCredential's accessToken expiry?

Kristóf Nalesnyik 101 Reputation points
2021-10-07T09:54:44.377+00:00

Hi,

I would like to know whether I should handle DefaultAzureCredential's accessToken expiry or is it handled by the SDK?
I use DefaultAzureCredential, as it works locally and also on cloud when ManagedIdentity is needed for authenticating to KeyVault.

I intend to deploy a function app to Azure Cloud, where I have the following static constructor of my class containing the functions:
    static {
        final DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();

        CertificateClient certificateClient = new CertificateClientBuilder()
                .vaultUrl(KEY_VAULT_URI)
                .credential(credential)
                .buildClient();

        SecretClient secretClient = new SecretClientBuilder()
                .vaultUrl(KEY_VAULT_URI)
                .credential(credential)
                .buildClient();

        service = new Service(certificateClient, secretClient);
    }

I would like to create the service only once with certificateClient and secretClient.
Then if accessToken expires, get new accessToken.
Question: Does the Azure Java SDK handle accessToken & refreshToken expiry, or is it my task to handle expiry?

Azure Identity dependency: version 1.3.6


1 answer

  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2021-10-07T18:16:10.45+00:00

    Hi @ KristfNalesnyik-1870

    TokenCredential is the interface for all the credential classes that provide the token.

    If you are using the GetToken() or GetTokenAsync() method directly to get an access token, then token caching and token refreshing are not supported by DefaultAzureCredential. This needs to be handled by the caller in this case.

    Reference - https://learn.microsoft.com/en-us/java/api/com.azure.core.credential.tokencredential?view=azure-java-stable

    However, you can use BearerTokenAuthenticationPolicy to cache TokenCredential using an HttpPipeline policy.
    Or you can use the MSAL library in place of Azure Identity, which can get an access token using managed identity and manage caching and refresh token.
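
For the case the answer describes, where the caller invokes getToken() directly and has to deal with expiry itself, the following is an added example, not code from the thread or from the Azure SDK. The class name CachingTokenCredential, the five-minute refresh margin and the stand-in credential in main() are assumptions made for illustration; it needs azure-core (and its Reactor dependency) on the classpath.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import reactor.core.publisher.Mono;

import java.time.Duration;
import java.time.OffsetDateTime;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

/** Hypothetical wrapper: caches tokens from direct getToken() calls and renews them before expiry. */
public final class CachingTokenCredential implements TokenCredential {
    private static final Duration REFRESH_MARGIN = Duration.ofMinutes(5); // assumed margin

    private final TokenCredential inner;
    private final Map<String, AccessToken> cache = new ConcurrentHashMap<>();

    public CachingTokenCredential(TokenCredential inner) {
        this.inner = inner;
    }

    @Override
    public Mono<AccessToken> getToken(TokenRequestContext request) {
        String key = String.join(" ", request.getScopes()); // one cache entry per scope set
        AccessToken cached = cache.get(key);
        if (cached != null && OffsetDateTime.now().plus(REFRESH_MARGIN).isBefore(cached.getExpiresAt())) {
            return Mono.just(cached); // still valid beyond the margin: no call to the identity endpoint
        }
        // Missing or close to expiry: ask the wrapped credential and remember the result.
        return inner.getToken(request).doOnNext(token -> cache.put(key, token));
    }

    public static void main(String[] args) {
        AtomicInteger calls = new AtomicInteger();
        // Constructed stand-in for DefaultAzureCredential: first token is nearly expired, later ones last an hour.
        TokenCredential fake = req -> Mono.just(new AccessToken(
                "constructed-token-" + calls.incrementAndGet(),
                OffsetDateTime.now().plusMinutes(calls.get() == 1 ? 2 : 60)));
        TokenCredential credential = new CachingTokenCredential(fake);
        TokenRequestContext ctx = new TokenRequestContext().addScopes("https://vault.azure.net/.default");

        credential.getToken(ctx).block(); // call 1: cache empty, token fetched (expires inside the margin)
        credential.getToken(ctx).block(); // call 2: cached token too close to expiry, fetched again
        credential.getToken(ctx).block(); // call 3: served from the cache
        System.out.println("inner credential calls: " + calls.get());
    }
}
```

Concurrent callers may each trigger a refresh for the same scope; that costs an extra request but never hands out an expired token. The token string itself is never logged.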

