[Identity] Remove proactive refresh in for Managed Identity (Azure#25535)

KarishmaGhiya · web-flow · commit 338496a24638 · 2023-04-13T16:51:17.000-07:00
diff --git a/sdk/identity/identity/CHANGELOG.md b/sdk/identity/identity/CHANGELOG.md
@@ -4,7 +4,6 @@
 
 ### Features Added
 
-- Enabled proactive token refresh for Managed Identity.
 - Added configurable process timeout for dev-time credentials - `AzureCLI Credential`, `AzurePowershell Credential` and `AzureDeveloperCLI Credential`.
 
 ### Breaking Changes
diff --git a/sdk/identity/identity/src/client/identityClient.ts b/sdk/identity/identity/src/client/identityClient.ts
@@ -21,7 +21,6 @@ import { TokenCredentialOptions } from "../tokenCredentialOptions";
 import {
   TokenResponseParsedBody,
   parseExpirationTimestamp,
-  parseRefreshTimestamp,
 } from "../credentials/managedIdentityCredential/utils";
 
 const noCorrelationId = "noCorrelationId";
@@ -35,11 +34,6 @@ export interface TokenResponse {
    * The AccessToken to be returned from getToken.
    */
   accessToken: AccessToken;
-  /**
-   * The time in which the access token should be refreshed,
-   * specified in milliseconds, UNIX epoch time
-   */
-  refreshesIn?: number;
   /**
    * The refresh token if the 'offline_access' scope was used.
    */
@@ -124,7 +118,6 @@ export class IdentityClient extends ServiceClient implements INetworkModule {
           token: parsedBody.access_token,
           expiresOnTimestamp: parseExpirationTimestamp(parsedBody),
         },
-        refreshesIn: parseRefreshTimestamp(parsedBody),
         refreshToken: parsedBody.refresh_token,
       };
 
diff --git a/sdk/identity/identity/src/credentials/managedIdentityCredential/appServiceMsi2017.ts b/sdk/identity/identity/src/credentials/managedIdentityCredential/appServiceMsi2017.ts
@@ -98,9 +98,6 @@ export const appServiceMsi2017: MSI = {
       allowInsecureConnection: true,
     });
     const tokenResponse = await identityClient.sendTokenRequest(request);
-    return (
-      (tokenResponse && { ...tokenResponse.accessToken, refreshesOn: tokenResponse.refreshesIn }) ||
-      null
-    );
+    return (tokenResponse && tokenResponse.accessToken) || null;
   },
 };
diff --git a/sdk/identity/identity/src/credentials/managedIdentityCredential/appServiceMsi2019.ts b/sdk/identity/identity/src/credentials/managedIdentityCredential/appServiceMsi2019.ts
@@ -96,9 +96,6 @@ export const appServiceMsi2019: MSI = {
       allowInsecureConnection: true,
     });
     const tokenResponse = await identityClient.sendTokenRequest(request);
-    return (
-      (tokenResponse && { ...tokenResponse.accessToken, refreshesOn: tokenResponse.refreshesIn }) ||
-      null
-    );
+    return (tokenResponse && tokenResponse.accessToken) || null;
   },
 };
diff --git a/sdk/identity/identity/src/credentials/managedIdentityCredential/arcMsi.ts b/sdk/identity/identity/src/credentials/managedIdentityCredential/arcMsi.ts
@@ -164,9 +164,6 @@ export const arcMsi: MSI = {
       allowInsecureConnection: true,
     });
     const tokenResponse = await identityClient.sendTokenRequest(request);
-    return (
-      (tokenResponse && { ...tokenResponse.accessToken, refreshesOn: tokenResponse.refreshesIn }) ||
-      null
-    );
+    return (tokenResponse && tokenResponse.accessToken) || null;
   },
 };
diff --git a/sdk/identity/identity/src/credentials/managedIdentityCredential/cloudShellMsi.ts b/sdk/identity/identity/src/credentials/managedIdentityCredential/cloudShellMsi.ts
@@ -103,9 +103,6 @@ export const cloudShellMsi: MSI = {
       allowInsecureConnection: true,
     });
     const tokenResponse = await identityClient.sendTokenRequest(request);
-    return (
-      (tokenResponse && { ...tokenResponse.accessToken, refreshesOn: tokenResponse.refreshesIn }) ||
-      null
-    );
+    return (tokenResponse && tokenResponse.accessToken) || null;
   },
 };
diff --git a/sdk/identity/identity/src/credentials/managedIdentityCredential/fabricMsi.ts b/sdk/identity/identity/src/credentials/managedIdentityCredential/fabricMsi.ts
@@ -129,9 +129,6 @@ export const fabricMsi: MSI = {
     });
 
     const tokenResponse = await identityClient.sendTokenRequest(request);
-    return (
-      (tokenResponse && { ...tokenResponse.accessToken, refreshesOn: tokenResponse.refreshesIn }) ||
-      null
-    );
+    return (tokenResponse && tokenResponse.accessToken) || null;
   },
 };
diff --git a/sdk/identity/identity/src/credentials/managedIdentityCredential/imdsMsi.ts b/sdk/identity/identity/src/credentials/managedIdentityCredential/imdsMsi.ts
@@ -175,13 +175,7 @@ export const imdsMsi: MSI = {
         });
         const tokenResponse = await identityClient.sendTokenRequest(request);
 
-        return (
-          (tokenResponse && {
-            ...tokenResponse.accessToken,
-            refreshesOn: tokenResponse.refreshesIn,
-          }) ||
-          null
-        );
+        return (tokenResponse && tokenResponse.accessToken) || null;
       } catch (error: any) {
         if (error.statusCode === 404) {
           await delay(nextDelayInMs);
diff --git a/sdk/identity/identity/src/credentials/managedIdentityCredential/index.ts b/sdk/identity/identity/src/credentials/managedIdentityCredential/index.ts
@@ -264,13 +264,9 @@ export class ManagedIdentityCredential implements TokenCredential {
                   const expiresInSeconds = resultToken?.expiresOnTimestamp
                     ? Math.floor((resultToken.expiresOnTimestamp - Date.now()) / 1000)
                     : 0;
-                  const refreshInSeconds = resultToken?.refreshesOn
-                    ? Math.floor((resultToken.refreshesOn - Date.now()) / 1000)
-                    : 0;
                   return {
                     accessToken: resultToken?.token,
                     expiresInSeconds,
-                    refreshInSeconds,
                   };
                 } else {
                   logger.info(
@@ -279,7 +275,6 @@ export class ManagedIdentityCredential implements TokenCredential {
                   return {
                     accessToken: "no_access_token_returned",
                     expiresInSeconds: 0,
-                    refreshInSeconds: 0,
                   };
                 }
               }
diff --git a/sdk/identity/identity/src/credentials/managedIdentityCredential/models.ts b/sdk/identity/identity/src/credentials/managedIdentityCredential/models.ts
@@ -19,13 +19,7 @@ export interface MSIConfiguration {
  * Represents an access token for {@link ManagedIdentity} for internal usage,
  * with an expiration time and the time in which token should refresh.
  */
-export declare interface MSIToken extends AccessToken {
-  /**
-   * The time in which token should refresh,
-   * specified in milliseconds, UNIX epoch time.
-   */
-  refreshesOn?: number;
-}
+export declare interface MSIToken extends AccessToken {}
 
 /**
  * @internal
diff --git a/sdk/identity/identity/src/credentials/managedIdentityCredential/utils.ts b/sdk/identity/identity/src/credentials/managedIdentityCredential/utils.ts
@@ -73,21 +73,3 @@ export function parseExpirationTimestamp(body: TokenResponseParsedBody): number
     `Failed to parse token expiration from body. expires_in="${body.expires_in}", expires_on="${body.expires_on}"`
   );
 }
-
-/**
- * Given a token response, return the timestamp for refreshing token as the number of milliseconds from the Unix epoch.
- * @param body - A parsed response body from the authentication endpoint.
- */
-export function parseRefreshTimestamp(body: TokenResponseParsedBody): number {
-  if (typeof body.refresh_in === "number") {
-    return Date.now() + body.refresh_in * 1000;
-  } else {
-    const durationInMilliseconds = parseExpirationTimestamp(body) - Date.now();
-    const durationInHours = Math.floor(durationInMilliseconds / 1000 / 60 / 60);
-    if (durationInHours >= 2) {
-      return Date.now() + durationInMilliseconds / 2;
-    } else {
-      return Date.now() + durationInMilliseconds;
-    }
-  }
-}
diff --git a/sdk/identity/identity/test/internal/node/utils.spec.ts b/sdk/identity/identity/test/internal/node/utils.spec.ts
@@ -2,7 +2,6 @@
 // Licensed under the MIT license.
 
 import { assert } from "chai";
-import { parseRefreshTimestamp } from "../../../src/credentials/managedIdentityCredential/utils";
 import { processMultiTenantRequest } from "../../../src/util/tenantIdUtils";
 
 describe("Identity utilities (Node.js only)", function () {
@@ -18,63 +17,4 @@ describe("Identity utilities (Node.js only)", function () {
       assert.equal(resultingTenant, originalTenant);
     });
   });
-
-  describe("returns correctly parsed refresh timestamp", function () {
-    it("when expires_on is currentTimePlusThreeHours", () => {
-      const currentTimePlusThreeHours = (Date.now() + 10800000) / 1000;
-      const refreshTimestamp = parseRefreshTimestamp({
-        access_token: "token",
-        expires_on: currentTimePlusThreeHours,
-        expires_in: 0,
-      });
-      const refreshTime = Math.floor((refreshTimestamp - Date.now()) / 1000);
-      assert.closeTo(refreshTime, 5400, 10, "The refresh timestamp should be ");
-    });
-    it("when expires_on is currentTimePlusOneHour", () => {
-      const currentTimePlusOneHour = (Date.now() + 3600000) / 1000;
-      const refreshTimestamp = parseRefreshTimestamp({
-        access_token: "token",
-        expires_on: currentTimePlusOneHour,
-        expires_in: 0,
-      });
-      const refreshTime = Math.floor((refreshTimestamp - Date.now()) / 1000);
-      assert.closeTo(refreshTime, 3600, 10);
-    });
-    it("when expires_in is currentTimePlusThreeHours", () => {
-      const threeHoursInSeconds = 10800;
-      const refreshTimestamp = parseRefreshTimestamp({
-        access_token: "token",
-        expires_in: threeHoursInSeconds,
-      });
-      const refreshTime = Math.floor((refreshTimestamp - Date.now()) / 1000);
-      assert.closeTo(refreshTime, 5400, 10);
-    });
-    it("when expires_in is currentTimePlusOneHour", () => {
-      const oneHourInSeconds = 3600;
-      const refreshTimestamp = parseRefreshTimestamp({
-        access_token: "token",
-        expires_in: oneHourInSeconds,
-      });
-      const refreshTime = Math.floor((refreshTimestamp - Date.now()) / 1000);
-      assert.closeTo(refreshTime, 3600, 10);
-    });
-    it("when refresh_in is specified", () => {
-      const refreshTimestamp = parseRefreshTimestamp({
-        access_token: "token",
-        refresh_in: 3200,
-        expires_in: 0,
-      });
-      const refreshTime = Math.floor((refreshTimestamp - Date.now()) / 1000);
-      assert.closeTo(refreshTime, 3200, 10);
-    });
-    it("when refresh_in is 0", () => {
-      const refreshTimestamp = parseRefreshTimestamp({
-        access_token: "token",
-        refresh_in: 0,
-        expires_in: 0,
-      });
-      const refreshTime = Math.floor((refreshTimestamp - Date.now()) / 1000);
-      assert.closeTo(refreshTime, 0, 10);
-    });
-  });
 });
