Refreshing MSAL access tokens using Token Cache

We’ve been busy building many data integrations over the years, specifically with Azure Functions, which provide automatic scaling and cost optimization for serverless workloads. Some data integrations we’ve built involve authenticating to Web APIs for Dynamics 365 (Dataverse), Business Central and SharePoint Online. When building applications or data integrations that authenticate to other applications, the challenge is to implement efficient methods that re-use connections and automatically refresh expiring security tokens, so as to avoid port exhaustion errors. To optimize our authentication methods, we instantiate our connections once and use the MSAL, which maintains a Token Cache.

What is the MSAL?

The MSAL, or Microsoft Authentication Library, is a Python library that allows developers to get security tokens from the Microsoft identity platform. This allows developers to authenticate users or Azure app registrations and access secured Web APIs. These Web APIs include:

  • Microsoft Graph, which can be used to read and write to SharePoint
  • Other Microsoft APIs, such as for Dynamics 365 (Dataverse) and Business Central
  • Third-party Web APIs
  • Your own Web API

What is a Token Cache?

The MSAL uses a cache to store tokens based on specific parameters. When needed, MSAL retrieves the token from the cache. To acquire an MSAL access token, you can use the AcquireTokenSilent (for user-based authentication) or AcquireTokenForClient (for app-only authentication) method. Each is designed to check the cache in browser storage to see if a non-expired access token exists and, if so, return it. We typically use the AcquireTokenForClient method. Depending on your application, there are a few Token Cache methods that a developer can configure to retrieve and refresh the token. The default token lifetime is 60 minutes (1 hour), with a minimum of 5 minutes and a maximum of 1,440 minutes (24 hours).

MSAL vs OAuth libraries

The MSAL provides benefits over OAuth libraries because it can maintain the token cache and will automatically refresh the token(s) once they expire. Additionally, it allows developers to specify who can sign in to their application, such as:

  • Your organization or several organizations
  • Work, school or personal Microsoft accounts
  • Social identities with Azure B2C (Gmail, Facebook, etc.)
  • Users in sovereign and national clouds

Using MSAL when re-using HttpClient instances

The MSAL Token Cache method can and should be used in conjunction with your method to re-use HttpClient instances. HttpClient instances are intended to be reused throughout the lifetime of an application. Instantiating an HttpClient class for every request can exhaust the number of sockets available under heavy loads. Reusing HttpClient instances can help avoid port exhaustion problems if the request rate is high.
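The following is an added example, not code from the original post or from MSAL itself: a simplified Python model of an app-only client with an in-memory token cache, showing how many token requests reach the identity platform when one client is shared versus created per invocation. `StubTokenEndpoint`, `CachingClient`, `simulate`, the 5-minute `REFRESH_MARGIN_S` and the tenant and client id values are all constructed for illustration.

```python
import time

DEFAULT_LIFETIME_S = 60 * 60   # default access-token lifetime stated above (60 minutes)
REFRESH_MARGIN_S = 5 * 60      # assumed safety margin for this model, not an MSAL setting


class StubTokenEndpoint:
    """Constructed stand-in for the identity platform; counts token requests."""
    def __init__(self):
        self.requests = 0

    def issue(self, tenant, client_id, scopes, now):
        self.requests += 1
        return {"access_token": f"stub-{self.requests}", "expires_on": now + DEFAULT_LIFETIME_S}


class CachingClient:
    """Simplified model of an app-only client holding an in-memory token cache."""
    def __init__(self, endpoint, tenant, client_id, clock=time.time):
        self.endpoint, self.tenant, self.client_id, self.clock = endpoint, tenant, client_id, clock
        self._cache = {}

    def acquire_token_for_client(self, scopes):
        now = self.clock()
        # Keyed by request parameters: a token for one resource is never returned for another.
        key = (self.tenant, self.client_id, frozenset(scopes))
        entry = self._cache.get(key)
        if entry and entry["expires_on"] - now > REFRESH_MARGIN_S:
            return dict(entry, token_source="cache")
        entry = self.endpoint.issue(self.tenant, self.client_id, scopes, now)
        self._cache[key] = entry
        return dict(entry, token_source="identity_provider")


def simulate(invocations, reuse_client, step_s=60):
    """Run `invocations` handler calls `step_s` seconds apart; return token requests made."""
    endpoint, now = StubTokenEndpoint(), [0.0]
    def make():
        return CachingClient(endpoint, "contoso-tenant", "app-id", clock=lambda: now[0])
    shared = make()
    for _ in range(invocations):
        client = shared if reuse_client else make()   # a per-call client starts with an empty cache
        client.acquire_token_for_client(["https://graph.microsoft.com/.default"])
        now[0] += step_s
    return endpoint.requests


if __name__ == "__main__":
    print("shared:", simulate(120, True), "per call:", simulate(120, False))
```

Over two simulated hours of one call per minute, the shared client requests a token only when the cached one is close to expiry, while the per-call client requests one on every invocation.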


We love to implement Microsoft Dynamics 365 and Power Platform solutions here at Beringer. We’ve been working with Microsoft Dynamics since its inception, and we’re always finding innovative ways to implement the latest tools and help automate business processes.

Beringer Technology Group, a leading Microsoft Gold Certified Partner specializing in Microsoft Dynamics 365 and CRM for Distribution, also provides expert Managed IT Services, Backup and Disaster Recovery, Cloud Based Computing, Email Security Implementation and Training, Unified Communication Solutions, and Cybersecurity Risk Assessment.