README and BREAKING_CHANGES log changes (#43191)

Azure · Apr 4, 2024 · de0b06c · de0b06c
1 parent f39c028
commit de0b06c
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 7 deletions.
diff --git a/sdk/identity/Azure.Identity/BREAKING_CHANGES.md b/sdk/identity/Azure.Identity/BREAKING_CHANGES.md
@@ -1,5 +1,16 @@
 # Breaking Changes
 
+## 1.11.0
+
+### Behavioral change to `DefaultAzureCredential` in IMDS managed identity scenarios
+
+As of `Azure.Identity` 1.11.0, the `DefaultAzureCredential` makes a couple minor behavioral changes to request timeout and retry behavior in environments where IMDS managed identity is used. The changes are as follows:
+- The first request made to IMDS managed identity will be made with a 1-second timeout, as it did previously, but without the "Metadata" header to expedite validating whether the endpoint is available. This is guaranteed to fail with a 400 error.
+    - If the request times out, indicating that the IMDS endpoint isn't available, no retries will be made. This is a change from the previous behavior, where the request was retried up to 3 times, with exponential backoff.
+    - If the request returns a 400 error, indicating that the IMDS endpoint is available, the request will be retried up to 4 times, with exponential backoff, to allow for transient failures.
+
+If more retries are needed for IMDS managed identity scenarios, a custom `RetryPolicy` can be specified in the `DefaultAzureCredentialOptions`. More information on how to customize the retry policy can be found [here](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/core/Azure.Core/samples/Configuration.md#setting-a-custom-retry-policy).
+
 ## 1.7.0
 
 ### Behavioral change to credential types supporting multi-tenant authentication
@@ -41,4 +52,4 @@ var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
 });
 ```
 
-More information on this change and the consideration behind it can be found [here](https://github.com/Azure/azure-sdk/issues/1970).
+More information on this change and the consideration behind it can be found [here](https://github.com/Azure/azure-sdk/issues/1970).
diff --git a/sdk/identity/Azure.Identity/CHANGELOG.md b/sdk/identity/Azure.Identity/CHANGELOG.md
@@ -5,8 +5,8 @@
 ### Bugs Fixed
 - `AzurePowerShellCredential` now handles the case where it falls back to legacy PowerShell without relying on the error message string.
 
-### Other Changes
-- `DefaultAzureCredential` now sends a probe request with no retries for IMDS managed identity environments to avoid excessive retry delays when the IMDS endpoint is not available. This should improve credential chain resolution for local development scenarios.
+### Breaking Changes
+- `DefaultAzureCredential` now sends a probe request with no retries for IMDS managed identity environments to avoid excessive retry delays when the IMDS endpoint is not available. This should improve credential chain resolution for local development scenarios. See [BREAKING_CHANGES.md](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/BREAKING_CHANGES.md#1110).
 
 ## 1.11.0-beta.1 (2024-02-06)
 

diff --git a/sdk/identity/Azure.Identity/tests/ImdsManagedIdentitySourceTests.cs b/sdk/identity/Azure.Identity/tests/ImdsManagedIdentitySourceTests.cs
@@ -5,11 +5,10 @@
 using System.Collections.Generic;
 using System.IO;
 using System.Text;
-using System.Threading;
 using System.Threading.Tasks;
 using Azure.Core;
+using Azure.Core.Pipeline;
 using Azure.Core.TestFramework;
-using Azure.Identity.Tests.Mock;
 using NUnit.Framework;
 
 namespace Azure.Identity.Tests
@@ -63,14 +62,48 @@ public async Task DefaultAzureCredentialProbeUses1secTimeoutWithNoRetries()
             CollectionAssert.AreEqual(expectedTimeouts, networkTimeouts);
         }
 
+        [Test]
+        public void DefaultAzureCredentialRetryBehaviorIsOverriddenWithOptions()
+        {
+            int callCount = 0;
+            List<TimeSpan?> networkTimeouts = new();
+
+            var mockTransport = MockTransport.FromMessageCallback(msg =>
+            {
+                callCount++;
+                networkTimeouts.Add(msg.NetworkTimeout);
+                return callCount > 1 ?
+                 CreateMockResponse(500, "Error").WithHeader("Content-Type", "application/json") :
+                 CreateMockResponse(400, "Error").WithHeader("Content-Type", "application/json");
+            });
+            var credOptions = new DefaultAzureCredentialOptions
+            {
+                ExcludeAzureCliCredential = true,
+                ExcludeAzureDeveloperCliCredential = true,
+                ExcludeAzurePowerShellCredential = true,
+                ExcludeEnvironmentCredential = true,
+                ExcludeSharedTokenCacheCredential = true,
+                ExcludeVisualStudioCodeCredential = true,
+                ExcludeVisualStudioCredential = true,
+                ExcludeWorkloadIdentityCredential = true,
+                Transport = mockTransport,
+                RetryPolicy = new RetryPolicy(7, DelayStrategy.CreateFixedDelayStrategy(TimeSpan.Zero))
+            };
+
+            var cred = new DefaultAzureCredential(credOptions);
+
+            Assert.ThrowsAsync<AuthenticationFailedException>(async () => await cred.GetTokenAsync(new(new[] { "test" })));
+
+            var expectedTimeouts = new TimeSpan?[] { TimeSpan.FromSeconds(1), null, null, null, null, null, null, null, null };
+            CollectionAssert.AreEqual(expectedTimeouts, networkTimeouts);
+        }
+
         [Test]
         public void ManagedIdentityCredentialUsesDefaultTimeoutAndRetries()
         {
             int callCount = 0;
             List<TimeSpan?> networkTimeouts = new();
 
-            // the mock transport succeeds on the 2nd request to avoid long exponential back-offs,
-            // but is sufficient to validate the initial timeout and retry behavior
             var mockTransport = MockTransport.FromMessageCallback(msg =>
             {
                 callCount++;