Document caching strategy for Managed Identity v2 #5526
Conversation
Added detailed caching strategy and resilience plan for Managed Identity v2, including problem identification, proposed solutions, call sequence, cache renewal matrix, invalidation rules, and security considerations.
docs/msi_v2/caching_strategy.md
Outdated
| --- | ||
|
|
||
| ## Solution (What’s Changing) | ||
| 1. **Probe once** (link-local) to detect **MSI v2** → cache result **in-proc**. |
There was a problem hiding this comment.
just the local endpoint
docs/msi_v2/caching_strategy.md
Outdated
|
|
||
| ## Solution (What’s Changing) | ||
| 1. **Probe once** (link-local) to detect **MSI v2** → cache result **in-proc**. | ||
| 2. Treat the **binding certificate** (from IMDS `/issuecredential`) as the **primary anchor** (~7-day validity); use it to get ATs. |
There was a problem hiding this comment.
What does it mean "treat as primary anchor". Pls use more precise wording.
docs/msi_v2/caching_strategy.md
Outdated
|
|
||
| ## Solution (What’s Changing) | ||
| 1. **Probe once** (link-local) to detect **MSI v2** → cache result **in-proc**. | ||
| 2. Treat the **binding certificate** (from IMDS `/issuecredential`) as the **primary anchor** (~7-day validity); use it to get ATs. |
There was a problem hiding this comment.
We should not hardcode any expirations. We rely on services returning expirations.
docs/msi_v2/caching_strategy.md
Outdated
| ## Solution (What’s Changing) | ||
| 1. **Probe once** (link-local) to detect **MSI v2** → cache result **in-proc**. | ||
| 2. Treat the **binding certificate** (from IMDS `/issuecredential`) as the **primary anchor** (~7-day validity); use it to get ATs. | ||
| 3. **Proactive renewal at half-life (+ small jitter)** to rotate well before expiry. |
There was a problem hiding this comment.
Pls be precise. Specify:
- jitter (e.g. 5 min)
- if renewal should happen on front-end or back-end thread. I think front-end.
There was a problem hiding this comment.
How is jitter calculated? Is it randomized per host/process or globally coordinated? Could jitter introduce any unintended renewal delays?
docs/msi_v2/caching_strategy.md
Outdated
| 1. **Probe once** (link-local) to detect **MSI v2** → cache result **in-proc**. | ||
| 2. Treat the **binding certificate** (from IMDS `/issuecredential`) as the **primary anchor** (~7-day validity); use it to get ATs. | ||
| 3. **Proactive renewal at half-life (+ small jitter)** to rotate well before expiry. | ||
| 4. **Single-writer coordination** so only one process issues/renews; others reuse the same cert. |
There was a problem hiding this comment.
If you want cross-process coordination, please specify the IPC that is going to be used. This needs to exist on Windows and Linux and it needs to be available in sanctioned libraries across all supported MSAL languages.
There was a problem hiding this comment.
How is the ‘single-writer’ selected? Is this a file lock, named mutex, or other mechanism? What happens if the single-writer crashes mid-renewal?
There was a problem hiding this comment.
Yes, this is cross‑process (shared file + shared cert store),
docs/msi_v2/caching_strategy.md
Outdated
| 2. Treat the **binding certificate** (from IMDS `/issuecredential`) as the **primary anchor** (~7-day validity); use it to get ATs. | ||
| 3. **Proactive renewal at half-life (+ small jitter)** to rotate well before expiry. | ||
| 4. **Single-writer coordination** so only one process issues/renews; others reuse the same cert. | ||
| 5. **MAA token** is used **only** for issuance/renewal; short-lived cache to prevent attestations calls. |
There was a problem hiding this comment.
Not enough precision. What does it mean "short-lived" cache?
There was a problem hiding this comment.
What’s the cache invalidation logic if a policy or key rotation occurs on the MAA side? Is there a way to force re-attestation?
There was a problem hiding this comment.
Not enough precision. What does it mean "short-lived" cache?
Added details to it
What’s the cache invalidation logic if a policy or key rotation occurs on the MAA side? Is there a way to force re-attestation?
MSAL creates the key, and sends to MAA for attestation.
docs/msi_v2/caching_strategy.md
Outdated
| ``` | ||
| Call 0 (local): Probe IMDS v2 → cache MSI source (V2/V1) | ||
| 1 (local): Create KeyGuard key (per reboot) | ||
| 2 (external): Get MAA token // only for (re)issuing cert |
There was a problem hiding this comment.
what is local and what is external ?
There was a problem hiding this comment.
local is IMDS endpoints (link-local) or local to the machine. external is ESTS/MAA, in this case.
docs/msi_v2/caching_strategy.md
Outdated
| | Item | Scope | Where | TTL | Notes | | ||
| |---|---|---|---|---| | ||
| | **MSI v2 probe result** | Per process | In-proc static | Process lifetime | NO changes needed here | | ||
| | **MAA token** | Per **keyHandle** | small file cache | ≤ JWT `exp` (~8h) | Only for cert issuance; evict on reboot/policy change/attest fail; refresh half-life + jitter | |
There was a problem hiding this comment.
How are you going to deal with atomicity, multiple file writers, and a process that gets killed in the middle of a write?
There was a problem hiding this comment.
Updated the MAA token row
Robbie-Microsoft
left a comment
Robbie-Microsoft
left a comment
There was a problem hiding this comment.
- For each cache and renewal step, document what happens if the cache is missing, invalid, or corrupted.
- Outline (even briefly) the implementation details of the single-writer system.
docs/msi_v2/caching_strategy.md
Outdated
| # Managed Identity v2 (Attested TB) — Resilience & Caching Plan | ||
|
|
||
| ## TL;DR | ||
| We reduce cold-start latency and dependency risk for MSI v2 by caching safe, long-lived artifacts, coordinating renewal across processes, and keeping the hot path in memory. **MAA is used only to (re)issue the binding certificate**; bound AT acquisition relies on that cert. Result: fewer failures, less churn, smoother CX. |
There was a problem hiding this comment.
What’s the fallback if the binding cert is lost or corrupted? Is there any emergency recovery path?
docs/msi_v2/caching_strategy.md
Outdated
| ## Solution (What’s Changing) | ||
| 1. **Probe once** (link-local) to detect **MSI v2** → cache result **in-proc**. | ||
| 2. Treat the **binding certificate** (from IMDS `/issuecredential`) as the **primary anchor** (~7-day validity); use it to get ATs. | ||
| 3. **Proactive renewal at half-life (+ small jitter)** to rotate well before expiry. |
There was a problem hiding this comment.
How is jitter calculated? Is it randomized per host/process or globally coordinated? Could jitter introduce any unintended renewal delays?
docs/msi_v2/caching_strategy.md
Outdated
| 1. **Probe once** (link-local) to detect **MSI v2** → cache result **in-proc**. | ||
| 2. Treat the **binding certificate** (from IMDS `/issuecredential`) as the **primary anchor** (~7-day validity); use it to get ATs. | ||
| 3. **Proactive renewal at half-life (+ small jitter)** to rotate well before expiry. | ||
| 4. **Single-writer coordination** so only one process issues/renews; others reuse the same cert. |
There was a problem hiding this comment.
How is the ‘single-writer’ selected? Is this a file lock, named mutex, or other mechanism? What happens if the single-writer crashes mid-renewal?
docs/msi_v2/caching_strategy.md
Outdated
| 2. Treat the **binding certificate** (from IMDS `/issuecredential`) as the **primary anchor** (~7-day validity); use it to get ATs. | ||
| 3. **Proactive renewal at half-life (+ small jitter)** to rotate well before expiry. | ||
| 4. **Single-writer coordination** so only one process issues/renews; others reuse the same cert. | ||
| 5. **MAA token** is used **only** for issuance/renewal; short-lived cache to prevent attestations calls. |
There was a problem hiding this comment.
What’s the cache invalidation logic if a policy or key rotation occurs on the MAA side? Is there a way to force re-attestation?
docs/msi_v2/caching_strategy.md
Outdated
| ``` | ||
| Call 0 (local): Probe IMDS v2 → cache MSI source (V2/V1) | ||
| 1 (local): Create KeyGuard key (per reboot) | ||
| 2 (external): Get MAA token // only for (re)issuing cert |
There was a problem hiding this comment.
Are there retries or backoff strategies if the MAA call fails? Is exponential backoff used or is it a fixed retry policy?
There was a problem hiding this comment.
updated details please check
docs/msi_v2/caching_strategy.md
Outdated
| | Item | Scope | Where | TTL | Notes | | ||
| |---|---|---|---|---| | ||
| | **MSI v2 probe result** | Per process | In-proc static | Process lifetime | NO changes needed here | | ||
| | **MAA token** | Per **keyHandle** | small file cache | ≤ JWT `exp` (~8h) | Only for cert issuance; evict on reboot/policy change/attest fail; refresh half-life + jitter | |
There was a problem hiding this comment.
How are policy changes detected? Is it polled, pushed, or inferred from failures?
There was a problem hiding this comment.
We don’t poll.
We don’t get a push.
We infer from failures: when MAA/IMDS/eSTS return specific attestation/policy/key errors, we treat that as “policy changed, invalidate cache and re‑attest”.
docs/msi_v2/caching_strategy.md
Outdated
| |---|---|---|---|---| | ||
| | **MSI v2 probe result** | Per process | In-proc static | Process lifetime | NO changes needed here | | ||
| | **MAA token** | Per **keyHandle** | small file cache | ≤ JWT `exp` (~8h) | Only for cert issuance; evict on reboot/policy change/attest fail; refresh half-life + jitter | | ||
| | **Binding cert + `/issuecredential` metadata** | Per **Managed Identity per user context** | Persisted (Win: `CurrentUser\My`; Linux: protected file/PEM) | ~7 days | Renew at **half-life + jitter**; Serialize issuance | |
There was a problem hiding this comment.
What protects against file corruption or unauthorized access on Linux? Is there a fallback if the file is deleted outside of MSAL?
There was a problem hiding this comment.
There’s no MAA on Linux, so the only persisted artifact there is the binding cert + metadata.
There was a problem hiding this comment.
if that file is deleted or corrupted outside MSAL, the next read fails validation and we just treat it as a cache miss
docs/msi_v2/caching_strategy.md
Outdated
| | **MSI v2 probe result** | Per process | In-proc static | Process lifetime | NO changes needed here | | ||
| | **MAA token** | Per **keyHandle** | small file cache | ≤ JWT `exp` (~8h) | Only for cert issuance; evict on reboot/policy change/attest fail; refresh half-life + jitter | | ||
| | **Binding cert + `/issuecredential` metadata** | Per **Managed Identity per user context** | Persisted (Win: `CurrentUser\My`; Linux: protected file/PEM) | ~7 days | Renew at **half-life + jitter**; Serialize issuance | | ||
| | **Access tokens (`bearer` or `mtls_pop`)** | Per audience | In memory | Service-configured | Reacquire after reboot (new key) | |
There was a problem hiding this comment.
Are there scenarios where token invalidation lags behind key rotation? How does the system ensure that stale tokens aren’t accidentally reused?
There was a problem hiding this comment.
not sure, I understand this. When do we rotate keys?
docs/msi_v2/caching_strategy.md
Outdated
| ## Invalidation Rules | ||
| - **Reboot** → Use **persisted binding cert** to fetch new ATs; re-attest on first demand on service failure. | ||
| - **Cert expiry** → re-issue. | ||
| - **MAA token expired** → re-attest and re-issue. |
There was a problem hiding this comment.
Are there built-in safeguards to prevent a thundering herd if all processes notice expiry at the same time?
docs/msi_v2/caching_strategy.md
Outdated
|
|
||
| ## Why This Improves CX | ||
| - **MAA is out of the hot path**—steady-state calls rely on a **multi-day binding cert**. | ||
| - Different identities on the same VM, uses **cached MAA token** |
There was a problem hiding this comment.
Is the cache not keyed per identity?
Updated the caching strategy for MSI v2 to enhance resilience and reduce cold-start latency. Key changes include improved certificate renewal processes and better caching mechanisms.
Added detailed caching strategy and resilience plan for Managed Identity v2, including problem identification, proposed solutions, call sequence, cache renewal matrix, invalidation rules, and security considerations.