[Bug] Managed Identity should respect source when retrying request, IMDS has more codes should retry #4998

Open
4gust opened this issue Nov 15, 2024 · 3 comments

Comments

@4gust
Copy link
Contributor

4gust commented Nov 15, 2024

Library version used

4.66.0

.NET version

.NET 9

Scenario

ManagedIdentityClient - managed identity

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

For MI, the application only retries on these codes: 404, 408, 429, 500, 503 or 504,
but for IMDS only you need to retry on more codes. More information here:
https://learn.microsoft.com/en-gb/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#error-handling

Relevant code snippets

No response

Expected behavior

No response

Identity provider

Other

Regression

No response

Solution and workarounds

No response

@gladjohn
Copy link
Contributor

gladjohn commented Mar 6, 2025

Need to work with MSI team to finalize on this one.

| HTTP Status Code | Error Reason | Recommended Action | Retry Delay Strategy |
|---|---|---|---|
| 404 | IMDS endpoint is updating | Retry with Exponential Backoff | 1s → 2s → 4s → 8s |
| 410 | IMDS is going through updates | Wait up to 70 seconds, then retry | 70s (fixed wait) |
| 429 | IMDS Throttle limit reached | Retry with Exponential Backoff | 2s → 4s → 8s → 16s |
| 408 | Request Timeout | Retry with Exponential Backoff | 1s → 2s → 4s → 8s |
| 5xx | Transient service error | Retry with Exponential Backoff | 1s → 2s → 4s → 8s |
| 400 | Bad Request (Invalid Parameters) | Do not retry, fix request | No retry |
| 401 | Unauthorized | Do not retry, check authentication setup | No retry |
| 403 | Forbidden | Do not retry, verify permissions | No retry |
| timeout | IMDS endpoint is updating | Retry with Exponential Backoff | 1s → 2s → 4s → 8s |

Retry Strategy (Exponential Backoff)

| Retry Attempt | Delay Before Retry |
|---|---|
| 1st | 1 second |
| 2nd | 2 seconds |
| 3rd | 4 seconds |
| 4th | 8 seconds |
| 5th | 16 seconds (if applicable) |

Notes:

  • For 410 (IMDS Updates): No retries within 70 seconds. Directly wait for IMDS to be available.
  • For 5xx Errors: Retry max 3 times before failing.
  • For 429 (Throttling): Increase backoff delay on each retry.
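The draft table above turned into a per-status decision function, as an added example that is not MSAL.NET's own code. The retry caps (four backoff retries for the 1s/2s/4s/8s rows, three for 5xx, a single fixed 70s wait for 410) are assumptions read off the table; `Schedule` lists the full delay curve for one outcome.

```csharp
using System;
using System.Collections.Generic;

// Added example, not MSAL.NET code: models the draft IMDS retry table above.
// Assumed caps (read off the table, not stated by the project): four backoff
// retries for 1s/2s/4s/8s rows, three for 5xx, one fixed 70s wait for 410.
public static class ImdsRetryPolicy
{
    private const int MaxBackoffRetries = 4;
    private const int Max5xxRetries = 3;
    // retriesSoFar: retries already performed (0 when deciding on the first retry).
    // statusCode: HTTP status of the failed attempt, or null for a transport timeout.
    // Returns the delay to wait before the next attempt, or null to stop retrying.
    public static TimeSpan? DelayBeforeRetry(int retriesSoFar, int? statusCode)
    {
        if (statusCode is null)                   // "timeout" row: same curve as 404/408
            return Backoff(retriesSoFar, 1, MaxBackoffRetries);
        switch (statusCode.Value)
        {
            case 400: case 401: case 403:         // caller-side problems: never retry
                return null;
            case 410:                             // IMDS updating: one fixed 70s wait
                return retriesSoFar == 0 ? TimeSpan.FromSeconds(70) : null;
            case 429:                             // throttled: backoff starts at 2s
                return Backoff(retriesSoFar, 2, MaxBackoffRetries);
            case 404: case 408:
                return Backoff(retriesSoFar, 1, MaxBackoffRetries);
            default:                              // 5xx: at most 3 retries; anything else stops
                return statusCode.Value >= 500 && statusCode.Value <= 599
                    ? Backoff(retriesSoFar, 1, Max5xxRetries) : null;
        }
    }

    // Doubles the delay on every retry: base, 2*base, 4*base, ...
    private static TimeSpan? Backoff(int retriesSoFar, int baseSeconds, int maxRetries)
    {
        if (retriesSoFar >= maxRetries) return null;
        return TimeSpan.FromSeconds(baseSeconds * (1 << retriesSoFar));
    }

    // Whole delay schedule for one outcome, e.g. Schedule(429) -> 2s, 4s, 8s, 16s.
    public static List<TimeSpan> Schedule(int? statusCode)
    {
        var delays = new List<TimeSpan>();
        for (int i = 0; DelayBeforeRetry(i, statusCode) is TimeSpan d; i++)
            delays.Add(d);
        return delays;
    }
}
```

`Schedule(503)` yields 1s, 2s, 4s under the assumed three-retry cap, `Schedule(410)` a single 70s wait, and `Schedule(401)` nothing.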

@Robbie-Microsoft
Copy link
Contributor

@gladjohn can you order that table in ascending order for http status code? Additionally, what is the last item "timeout"? 408 (request timeout) or 504 (gateway timeout)? Can we be more specific for that item?

Additionally, can we keep all exponential backoffs to the same values? Why does 429 need to start at 2 seconds instead of 1?

@gladjohn
Copy link
Contributor

gladjohn commented Mar 6, 2025

> @gladjohn can you order that table in ascending order for http status code? Additionally, what is the last item "timeout"? 408 (request timeout) or 504 (gateway timeout)? Can we be more specific for that item?
>
> Additionally, can we keep all exponential backoffs to the same values? Why does 429 need to start at 2 seconds instead of 1?

This is not the final @Robbie-Microsoft, this is just a starting point and needs review by MSI team.

Robbie-Microsoft added a commit to AzureAD/microsoft-authentication-library-for-js that referenced this issue Mar 6, 2025
The same retry policy was previously being used for all Managed Identity
sources and requests.

The retry policy will now be based on the Managed Identity source, and
therefore will be per-request.

Future Work: Create an IMDS retry policy to address [this
bug](AzureAD/microsoft-authentication-library-for-dotnet#4998).