az account get-access-token: Use epoch expiresOn/expires_on #19700
Description
Context
Currently, the expiresOn property in the output of az account get-access-token is a string representing the local time:
{
"accessToken": "eyJ0eXAiOiJ...",
"expiresOn": "2021-09-27 16:16:30.921462", <<<
"subscription": "0b1f6471-1bf0-4dda-aec3-cb9272f09590",
"tenant": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
"tokenType": "Bearer"
}
This inherits from the ADAL behavior: https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/35f9e003bed47936a1df3c6eb696691dc1fa91c3/adal/oauth2_client.py#L187
This causes various time computation problems and difficulties, especially for daylight saving time, such as
- Correct expires_on values of tokens from AzureCliCredential azure-sdk-for-python#14331
- PEP 495 -- Local Time Disambiguation: https://www.python.org/dev/peps/pep-0495/
Other tools or services are already using an integer to represent the epoch time:
- Azure Python SDK uses integer
expires_on: https://github.com/Azure/azure-sdk-for-python/blob/844e16db0abc553ab1adf104128cbf0e223af189/sdk/core/azure-core/azure/core/credentials.py#L14 - MSAL internally uses integer
expires_on: https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/db6f001060e0adcc1edccac1a86ec05bd59f15f0/msal/token_cache.py#L176 - Managed identity's result uses integer
expires_on:
This approach is universal and eliminates all necessary complexity.
Proposal
There are possible approaches:
- Make a BREAKING CHANGE to convert the
expiresOnin the output ofaz account get-access-tokento an integer representing the epoch time. This can be done during MSAL migration: ADAL to MSAL migration #18944 - Introduce another property
expires_on. This will not be a BREAKING CHANGE, but introduces naming inconsistency as other properties uses camelCase, butexpires_onis snake_case. - Introduce another properties like
expiresOnEpoch, but naming like this is non-conventional.