InteractiveBrowserCredential() never caches; each run forces user to interact with browser

[rfernand2]

azure-identity==1.2.0
azure-keyvault==4.0.0

• Windows 10:
• Python 3.6.10:

Describe the bug
I am integrating the use of "InteractiveBrowserCredential()" into a command line app that needs to read some secrets from keyvault on every run. Each time the app is run, focus is shifted to the browser and user is forced to interact to select a login identity.

I expected that the user would only have to deal with this authentication UI occassionally (once a week?), but it happens every single run. How can I tell the authentication code to cache the credentials? Even better, how can I share the cached credentials of the Azure Portal website or the Azure CLI?

Thanks...

[chlowell]

InteractiveBrowserCredential caches in memory only. Making it more persistent is a high priority for me. I'll use this issue to track progress on that.

Integrating Azure CLI authentication into azure-identity is another high priority (tracked by #8566). I hope to have something ready for you to try soon, if only as a preview.

The identity signed in to the Azure Portal is available to InteractiveBrowserCredential provided both use the same browser. I think sharing the Portal's authentication more directly is infeasible: the necessary data is stored in a location dependent on OS, browser, and user; its format probably varies by browser; and it's likely encrypted.

[rfernand2]

OK, its good to know help is on the way. Thanks for being so responsive to these issues! Looking forward to trying out your progress...

[rfernand2]

@chlowell, is there a quick-fix I can add to my code to cache the credentials while I am waiting for the official fix from you? Thanks...

[chlowell]

I'm afraid there isn't a quick fix. We don't have a cache ready to bolt on, and InteractiveBrowserCredential doesn't expose its caching behavior for modification anyway.

[superhrusha]

@chlowell , I attempted to do it myself with keyring. Did not succeed (as the mentioned issue shows). Are you planning to do the same thing that is done in azure CLI (az login)

[rfernand2]

I just added a placeholder for my project (XT), while awaiting the official solution from your team. My project now runs a background process to hold the cached info I get upon the first authentication.

How does the azure CLI does their creds caching?

[chlowell]

In azure-identity 1.4.0b3, released today, InteractiveBrowserCredential has a new API enabling applications to persist authentication information across executions:

from azure.identity import InteractiveBrowserCredential

# this keyword argument enables caching to disk,
# currently only on Windows (Linux and macOS support coming soon)
credential = InteractiveBrowserCredential(enable_persistent_cache=True)

# call 'authenticate' to open a browser for the user to sign in...
record = credential.authenticate()

# ...or let a service client authenticate as needed, and retrieve the record later
record = credential.authentication_record

# the returned record contains no secrets, and serializes to JSON
record_json = record.serialize()
with open(RECORD_PATH, 'w') as f:
    f.write(record_json)

In a subsequent execution you can initialize the credential with the deserialized record, enabling it to use information cached previously:

from azure.identity import AuthenticationRecord, InteractiveBrowserCredential

with open(RECORD_PATH, 'r') as f:
    record_json = f.read()

deserialized_record = AuthenticationRecord.deserialize(record_json)
credential = InteractiveBrowserCredential(
    authentication_record=deserialized_record,
    enable_persistent_cache=True
)

Please open an issue if you encounter any problems using the new API. We'll add persistent caching on Linux and macOS in a future release (that work is tracked by #11134).