How to refresh client assertion in ConfidentialClientApplication?

Question

ConfidentialClientApplicationBuilder provides a way to initialize the client with a client assertion. I am using ManagedIdentityCredential to provide this assertion, however this assertion has an expiration date. API provides a way to override the credential with every acquireToken() but not sure how expensive this is (high throughput app).

Should I cache the CCA and create new one after assertion expires or override every request for acquireToken with ClientCredentialParameters.builder(singleton(scope)).clientCredential(createFromClientAssertion(tk.getToken())).build();?

Answer 1

Caching the ConfidentialClientApplication (CCA) instance and dynamically overriding the credentials for every acquireToken() request is the ideal strategy for a high-throughput application. This eliminates the costly overhead of repeating creating the CCA and guarantees that the most latest claim is always utilised. It is more efficient to construct ClientCredentialParameters each request since it is lighter than reinitialising the complete client. You may, however, put in place a caching mechanism for the assertion while making sure it is updated before to expiry if profiling of performance reveals a bottleneck. This is the recommended approach as it strikes a balance between effectiveness and authenticity freshness.