
[Feature Request] Thread-safe token caching with auto-renewal for confidential clients #587

@mynameispathak

Description


Is your feature request related to a problem? Please describe.
The MSAL Go library for confidential client applications lacks sophisticated token caching mechanisms. Currently, every call to AcquireTokenByCredential() hits the network even when we have a valid cached token, leading to:

  • Performance overhead - Unnecessary network requests for tokens that are still valid
  • Race conditions - Concurrent token requests can cause multiple simultaneous calls to the identity provider
  • Manual token management - Applications must manually check token expiry and handle renewal
  • Missing enterprise features - While other MSAL libraries have basic caching, none provide the advanced auto-renewal capabilities needed for production systems

This is particularly problematic in high-traffic microservices where token acquisition becomes a bottleneck, and in long-running services where automatic token renewal would significantly improve reliability.

Describe the solution you'd like
I'd like to see an enhanced confidential client with thread-safe token caching and automatic renewal capabilities:

```go
// New enhanced client with built-in caching
client, err := confidential.NewEnhancedClient(authority, clientID, cred)

// Automatic caching and renewal (returns cached token if valid)
result, err := client.AcquireTokenByCredentialWithCaching(ctx, scopes)

// Force refresh when needed (reassigns the variables declared above)
result, err = client.ForceRefreshToken(ctx, scopes)

// Cache management and monitoring
client.ClearTokenCache()
stats := client.GetCacheStats()
```

Key features:

  • Thread-safe caching using sync.RWMutex for concurrent access
  • Automatic token renewal with configurable buffer time (default: 2 minutes before expiry)
  • Token reuse - Return cached tokens when still valid
  • Force refresh capability - Explicit control over token refresh
  • Cache statistics - Monitoring and debugging capabilities
  • Backward compatibility - New EnhancedClient type alongside existing Client

Describe alternatives you've considered

  1. Manual implementation - I've created a custom msal-extensions-go library with these features, but this fragments the ecosystem and requires maintaining separate code

  2. Using existing cache accessor - The current WithCache() option only handles persistence, not intelligent token reuse or auto-renewal

  3. Wrapping the existing client - I could wrap confidential.Client with my own caching layer, but this adds complexity and doesn't integrate with the library's internal token management

  4. Using external token management libraries - Third-party solutions exist, but they don't integrate seamlessly with MSAL's authentication flows and token formats

  5. Accepting the current limitations - Simply living with the performance overhead, but this becomes problematic at scale

The best solution is to integrate this functionality directly into the official library, providing capabilities that would be valuable across all MSAL libraries.

Additional context
This feature request addresses a gap that exists across MSAL libraries - while they have basic caching, none provide the sophisticated auto-renewal capabilities needed for production enterprise applications.

Related existing issues:

I'm willing to contribute the implementation code and comprehensive tests if this feature is accepted. The implementation would follow the existing library patterns and maintain backward compatibility.
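The following is an added, self-contained sketch of the caching layer the request describes; it is not code from the issue author or from the MSAL Go library. It models the proposed behaviour (sync.RWMutex-guarded cache, a configurable renewal buffer before expiry, force refresh, clear, and hit/miss/refresh statistics) and adds a single-flight refresh so that concurrent callers on a cold or expiring cache trigger exactly one call to the identity provider, which is the race condition named above. The provider call is injected as a function and the clock is injectable so the example runs offline; the Token type and the AcquireFunc signature are assumptions standing in for the library's AuthResult and AcquireTokenByCredential.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// Token is a minimal stand-in for the library's AuthResult (assumption made for
// this example; only the fields the cache needs are modelled).
type Token struct {
	AccessToken string
	ExpiresOn   time.Time
}

// AcquireFunc is the slow path that goes to the identity provider. It is
// injected so the example runs offline; with MSAL it would wrap
// client.AcquireTokenByCredential(ctx, scopes).
type AcquireFunc func(ctx context.Context) (Token, error)

// TokenCache hands out a cached token while it is valid and renews it once the
// token is within `buffer` of expiring. Only one goroutine performs a refresh at
// a time; the others wait and reuse its result instead of hitting the provider.
type TokenCache struct {
	mu                      sync.RWMutex // guards tok
	tok                     *Token
	refreshMu               sync.Mutex // serialises refreshes (single-flight)
	acquire                 AcquireFunc
	buffer                  time.Duration
	now                     func() time.Time // injectable clock so expiry can be simulated
	hits, misses, refreshes atomic.Int64
}

func NewTokenCache(acquire AcquireFunc, buffer time.Duration) *TokenCache {
	return &TokenCache{acquire: acquire, buffer: buffer, now: time.Now}
}

// fresh reports whether tok remains valid for at least the renewal buffer.
func (c *TokenCache) fresh(tok *Token) bool {
	return tok != nil && c.now().Add(c.buffer).Before(tok.ExpiresOn)
}

func (c *TokenCache) cached() *Token {
	c.mu.RLock()
	defer c.mu.RUnlock()
	return c.tok
}

// Get returns the cached token if it is still valid, otherwise renews it.
func (c *TokenCache) Get(ctx context.Context) (Token, error) {
	if tok := c.cached(); c.fresh(tok) {
		c.hits.Add(1)
		return *tok, nil
	}
	c.misses.Add(1)
	return c.refresh(ctx, false)
}

// ForceRefresh bypasses the validity check, e.g. after a resource rejects the token.
func (c *TokenCache) ForceRefresh(ctx context.Context) (Token, error) {
	return c.refresh(ctx, true)
}

func (c *TokenCache) refresh(ctx context.Context, force bool) (Token, error) {
	c.refreshMu.Lock()
	defer c.refreshMu.Unlock()
	// Re-check: another goroutine may have renewed the token while we waited.
	if tok := c.cached(); !force && c.fresh(tok) {
		return *tok, nil
	}
	tok, err := c.acquire(ctx)
	if err != nil {
		return Token{}, err // the previous token stays cached; the caller decides what to do
	}
	if tok.AccessToken == "" || !tok.ExpiresOn.After(c.now()) {
		return Token{}, errors.New("provider returned an empty or already expired token")
	}
	c.mu.Lock()
	c.tok = &tok
	c.mu.Unlock()
	c.refreshes.Add(1)
	return tok, nil
}

// Clear drops the cached token; the next Get goes to the provider.
func (c *TokenCache) Clear() { c.mu.Lock(); c.tok = nil; c.mu.Unlock() }

// Stats returns hit/miss/refresh counters for monitoring.
func (c *TokenCache) Stats() (hits, misses, refreshes int64) {
	return c.hits.Load(), c.misses.Load(), c.refreshes.Load()
}

// simulateLifecycle drives the cache with a fake clock and a counting provider:
// t+0 is a cold miss, t+30s a hit, t+59m30s falls inside the 2-minute buffer of
// a 1-hour token so a renewal runs. It returns the number of provider calls (2).
func simulateLifecycle() (int64, error) {
	var calls atomic.Int64
	clock := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed start time
	c := NewTokenCache(func(ctx context.Context) (Token, error) {
		n := calls.Add(1)
		return Token{AccessToken: fmt.Sprintf("tok-%d", n), ExpiresOn: clock.Add(time.Hour)}, nil
	}, 2*time.Minute)
	c.now = func() time.Time { return clock }
	for _, step := range []time.Duration{0, 30 * time.Second, 59 * time.Minute} {
		clock = clock.Add(step)
		if _, err := c.Get(context.Background()); err != nil {
			return calls.Load(), err
		}
	}
	return calls.Load(), nil
}

// concurrentCalls starts n goroutines against a cold cache whose provider is
// slow, and returns how many provider calls happened (1 with single-flight).
func concurrentCalls(n int) int64 {
	var calls atomic.Int64
	c := NewTokenCache(func(ctx context.Context) (Token, error) {
		calls.Add(1)
		time.Sleep(20 * time.Millisecond) // simulated network round trip
		return Token{AccessToken: "tok", ExpiresOn: time.Now().Add(time.Hour)}, nil
	}, 2*time.Minute)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() { defer wg.Done(); _, _ = c.Get(context.Background()) }()
	}
	wg.Wait()
	return calls.Load()
}
```

The design point the issue raises about race conditions is handled by `refreshMu` together with the re-check after acquiring it: waiters that queued behind a refresh find a fresh token and return without a second network call. Failed refreshes leave the previously cached token in place rather than clearing it, so a transient provider outage does not turn every caller into a miss.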

Labels: enhancement (New feature or request)