
Token cache persistence with CAE disabled #42898


Description

@danijel3
  • Package Name: azure-identity
  • Package Version: 1.24.0
  • Operating System: Linux
  • Python Version: 3.13.7

Describe the bug

Using token cache persistence causes problems on Linux with CAE disabled.

To Reproduce

from pathlib import Path

from azure.identity import (
    AuthenticationRecord,
    DeviceCodeCredential,
    TokenCachePersistenceOptions,
)
from msgraph import GraphServiceClient

# azure_settings: the reporter's own dict holding "clientId", "tenantId"
# and "graphScope" (not shown in the report)

# Persist the token cache on disk under the name "MyApp"
token_cache_options = TokenCachePersistenceOptions(name="MyApp")

if Path("cred.json").exists():
    # Second run: reuse the saved authentication record and rely on the
    # on-disk cache (silent authentication, no user interaction allowed)
    with open("cred.json", "r") as f:
        deserialized_record = AuthenticationRecord.deserialize(f.read())

    device_credential = DeviceCodeCredential(
        client_id=azure_settings["clientId"],
        tenant_id=azure_settings["tenantId"],
        authentication_record=deserialized_record,
        cache_persistence_options=token_cache_options,
        disable_automatic_authentication=True,
    )
else:
    # First run: authenticate interactively via device code and save the
    # resulting record so later runs can authenticate silently
    device_credential = DeviceCodeCredential(
        client_id=azure_settings["clientId"],
        tenant_id=azure_settings["tenantId"],
        cache_persistence_options=token_cache_options,
        disable_automatic_authentication=True,
    )

    record = device_credential.authenticate(scopes=azure_settings["graphScope"])

    with open("cred.json", "w") as f:
        f.write(record.serialize())

app_client = GraphServiceClient(
    credentials=device_credential, scopes=azure_settings["graphScope"]
)

# do something with app_client, e.g. `app_client.me.get()`

The code above will fail on the second run (on silent authentication) because the getToken method won't be able to find the token cache on disk. This is because, by default, the enable_cae attribute is set to False and this causes the first run (interactive authentication) to create a cache file on disk called ~/.IdentityService/<NAME>.nocae, whereas the second (i.e. silent) run will have CAE set by default to True (due to a bug described below), which will cause the system to think there is no cache present and fail.

This can be resolved by setting the enable_cae attribute to True in the authenticate method, thus creating a file called ~/.IdentityService/<NAME>.cae, which makes everything work okay:

record = device_credential.authenticate(scopes=azure_settings["graphScope"], enable_cae=True)

The main issue is that currently it is impossible to create a persistent cache without CAE in this scenario. This is because the AzureIdentityAuthenticationProvider class has enable_cae set to True by default (even though everywhere else it's set to False) and there is no facility to change this default setting when initializing the GraphServiceClient.

Suggested resolutions

  1. add information in documentation and tutorials about how CAE affects the persistent token cache on Linux
  2. add a facility to change the CAE flag in GraphServiceClient (e.g. add an enable_cae attribute to the class's initialization routine)
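The following is an added example, not code from the reporter or from the azure-identity or msgraph projects. It models the cache-file naming the report describes (`<NAME>.nocae` when CAE is off, `<NAME>.cae` when it is on, under `~/.IdentityService`) and gives a pre-flight check that tells you, before a silent run, whether the cache file the consumer will look for exists or whether only the opposite-CAE variant is present. The directory and suffix convention are taken from the issue text, not verified against the library source; the scratch-directory scenario is constructed.

```python
"""Added example: diagnose a CAE-flag mismatch between the interactive
and the silent run of a persisted azure-identity token cache.

Assumption (from the issue text): on Linux the persisted cache lives in
~/.IdentityService and is named <NAME>.cae or <NAME>.nocae depending on
enable_cae. This is a model of that behaviour, not the library's code.
"""
import tempfile
from pathlib import Path
from typing import Optional

IDENTITY_DIR = Path.home() / ".IdentityService"  # per the issue report


def cache_file(name: str, enable_cae: bool, base_dir: Path = IDENTITY_DIR) -> Path:
    """Cache file path for this cache name / CAE combination."""
    suffix = ".cae" if enable_cae else ".nocae"
    return base_dir / f"{name}{suffix}"


def diagnose_cache(name: str, consumer_enable_cae: bool, base_dir: Path = IDENTITY_DIR) -> str:
    """Return 'ok', 'cae-mismatch' or 'missing' for a pending silent run.

    'cae-mismatch' means a cache exists only for the opposite CAE setting:
    the interactive run and the silent consumer disagreed on enable_cae,
    which is exactly the failure mode in the report.
    """
    wanted = cache_file(name, consumer_enable_cae, base_dir)
    other = cache_file(name, not consumer_enable_cae, base_dir)
    if wanted.exists():
        return "ok"
    if other.exists():
        return "cae-mismatch"
    return "missing"


def demo(base_dir: Optional[Path] = None) -> dict:
    """Replay the report's scenario in a scratch directory (constructed)."""
    tmp = base_dir or Path(tempfile.mkdtemp())
    tmp.mkdir(parents=True, exist_ok=True)
    # Interactive run with authenticate()'s default enable_cae=False -> MyApp.nocae
    cache_file("MyApp", False, tmp).touch()
    # Silent run through GraphServiceClient, whose provider defaults to enable_cae=True
    broken = diagnose_cache("MyApp", True, tmp)
    # Reporter's workaround: authenticate(..., enable_cae=True) -> MyApp.cae
    cache_file("MyApp", True, tmp).touch()
    fixed = diagnose_cache("MyApp", True, tmp)
    return {"after_default_authenticate": broken, "after_enable_cae_authenticate": fixed}
```

Run `diagnose_cache("MyApp", True)` on the real `~/.IdentityService` before the silent path to catch the mismatch with a clear message instead of a failed token acquisition.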

Metadata

Labels

  • Azure.Identity
  • Client: This issue points to a problem in the data-plane of the library.
  • customer-reported: Issues that are reported by GitHub users external to the Azure organization.
  • needs-team-attention: Workflow: This issue needs attention from Azure service team or SDK team
  • question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
