Storage - Improving Perf of StorageBearerTokenChallengeAuthorizationPolicy (Azure#46685)

ibrandes · Copilot · web-flow · commit e7580067d0f9 · 2025-11-19T15:41:35.000-08:00
* removing override that forces token fetch on initial request

* scope refactoring

* removing unecessary elements in signatures

* refactoring authorizeRequestOnChallenge overrides

* refactoring and strengthening parsing logic

* some tests

* fixing failing tests

* adding overrides back to prevent breaking change

* Update sdk/storage/azure-storage-common/src/main/java/com/azure/storage/common/policy/StorageBearerTokenChallengeAuthorizationPolicy.java

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* Update sdk/storage/azure-storage-common/src/test/java/com/azure/storage/common/policy/StorageBearerTokenChallengeAuthorizationPolicyTests.java

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* using CoreUtils.parseAuthenticateHeader instead of custom util method

* adding changelog entry

* adding scope and tenant verification

* wip

* added comment about failure

* removing warning

* adding custom parsing back and adjusting tests

* many many tests for the parsing logic

* undoing new parsing changes

* moving stuff around

* adjusting tests

* more test adjustment

* formatting

---------

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/sdk/storage/azure-storage-common/CHANGELOG.md b/sdk/storage/azure-storage-common/CHANGELOG.md
@@ -7,6 +7,8 @@
 ### Breaking Changes
 
 ### Bugs Fixed
+- Addressed a performance regression introduced in version 12.27.0+ of the Azure Storage SDK for Java, where token 
+retrieval became thread-local, causing a consistent 4 to 5-second delay across threads during initial authorization.
 
 ### Other Changes
 
diff --git a/sdk/storage/azure-storage-common/src/main/java/com/azure/storage/common/policy/StorageBearerTokenChallengeAuthorizationPolicy.java b/sdk/storage/azure-storage-common/src/main/java/com/azure/storage/common/policy/StorageBearerTokenChallengeAuthorizationPolicy.java
@@ -18,19 +18,20 @@
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
-import java.util.Locale;
 
 /**
- * The storage authorization policy which supports challenge.
+ * The storage authorization policy which supports challenges.
  */
 public class StorageBearerTokenChallengeAuthorizationPolicy extends BearerTokenAuthenticationPolicy {
-
     private static final ClientLogger LOGGER = new ClientLogger(StorageBearerTokenChallengeAuthorizationPolicy.class);
 
     private static final String DEFAULT_SCOPE = "/.default";
-    static final String BEARER_TOKEN_PREFIX = "Bearer ";
+    private static final String BEARER_TOKEN_PREFIX = "Bearer";
+    private static final String RESOURCE_ID = "resource_id";
+    private static final String AUTHORIZATION_URI = "authorization_uri";
 
-    private String[] scopes;
+    // Immutable constructor scopes (base class retains them); challenge may supply new scopes dynamically.
+    private final String[] initialScopes;
 
     /**
      * Creates StorageBearerTokenChallengeAuthorizationPolicy.
@@ -40,56 +41,45 @@ public class StorageBearerTokenChallengeAuthorizationPolicy extends BearerTokenA
      */
     public StorageBearerTokenChallengeAuthorizationPolicy(TokenCredential credential, String... scopes) {
         super(credential, scopes);
-        this.scopes = scopes;
+        this.initialScopes = CoreUtils.clone(scopes);
     }
 
     @Override
     public Mono<Void> authorizeRequest(HttpPipelineCallContext context) {
-        String[] scopes = this.scopes;
-        scopes = getScopes(context, scopes);
-        if (scopes == null) {
-            return Mono.empty();
-        } else {
-            return setAuthorizationHeader(context, new TokenRequestContext().addScopes(scopes));
-        }
+        // Delegate to superclass to maintain previous behavior
+        return super.authorizeRequest(context);
     }
 
     @Override
     public void authorizeRequestSync(HttpPipelineCallContext context) {
-        String[] scopes = this.scopes;
-        scopes = getScopes(context, scopes);
-
-        if (scopes != null) {
-            setAuthorizationHeaderSync(context, new TokenRequestContext().addScopes(scopes));
-        }
+        // Delegate to superclass to maintain previous behavior
+        super.authorizeRequestSync(context);
     }
 
     @Override
     public Mono<Boolean> authorizeRequestOnChallenge(HttpPipelineCallContext context, HttpResponse response) {
         String authHeader = response.getHeaderValue(HttpHeaderName.WWW_AUTHENTICATE);
-        Map<String, String> challenges = extractChallengeAttributes(authHeader, BEARER_TOKEN_PREFIX);
-
-        String scope = getScopeFromChallenges(challenges);
-        String authorization = getAuthorizationFromChallenges(challenges);
+        Map<String, String> attributes = extractChallengeAttributes(authHeader);
 
-        if (scope != null) {
-            scope += DEFAULT_SCOPE;
-            scopes = new String[] { scope };
-            scopes = getScopes(context, scopes);
+        if (attributes.isEmpty()) {
+            return Mono.just(false);
         }
 
-        if (authorization != null) {
-            String tenantId = extractTenantIdFromUri(authorization);
-            TokenRequestContext tokenRequestContext = new TokenRequestContext().addScopes(scopes).setTenantId(tenantId);
-            return setAuthorizationHeader(context, tokenRequestContext).thenReturn(true);
-        }
+        String resource = attributes.get(RESOURCE_ID);
+        String authUrl = attributes.get(AUTHORIZATION_URI);
 
-        if (scope != null) {
-            TokenRequestContext tokenRequestContext = new TokenRequestContext().addScopes(scopes);
-            return setAuthorizationHeader(context, tokenRequestContext).thenReturn(true);
+        // Create new scopes array to avoid mutating the original
+        String[] scopesToUse = initialScopes;
+        if (!CoreUtils.isNullOrEmpty(resource)) {
+            scopesToUse = new String[] { resource.endsWith(DEFAULT_SCOPE) ? resource : resource + DEFAULT_SCOPE };
         }
 
-        return Mono.just(false);
+        TokenRequestContext tokenRequestContext = new TokenRequestContext().addScopes(scopesToUse).setCaeEnabled(true);
+
+        if (!CoreUtils.isNullOrEmpty(authUrl)) {
+            tokenRequestContext.setTenantId(extractTenantIdFromUri(authUrl));
+        }
+        return setAuthorizationHeader(context, tokenRequestContext).thenReturn(true);
     }
 
     String extractTenantIdFromUri(String uri) {
@@ -108,66 +98,60 @@ String extractTenantIdFromUri(String uri) {
     @Override
     public boolean authorizeRequestOnChallengeSync(HttpPipelineCallContext context, HttpResponse response) {
         String authHeader = response.getHeaderValue(HttpHeaderName.WWW_AUTHENTICATE);
-        Map<String, String> challenges = extractChallengeAttributes(authHeader, BEARER_TOKEN_PREFIX);
-
-        String scope = getScopeFromChallenges(challenges);
-        String authorization = getAuthorizationFromChallenges(challenges);
+        Map<String, String> attributes = extractChallengeAttributes(authHeader);
 
-        if (scope != null) {
-            scope += DEFAULT_SCOPE;
-            scopes = new String[] { scope };
-            scopes = getScopes(context, scopes);
+        if (attributes.isEmpty()) {
+            return false;
         }
 
-        if (authorization != null) {
-            String tenantId = extractTenantIdFromUri(authorization);
-            TokenRequestContext tokenRequestContext = new TokenRequestContext().addScopes(scopes).setTenantId(tenantId);
-            setAuthorizationHeaderSync(context, tokenRequestContext);
-            return true;
-        }
+        String resource = attributes.get(RESOURCE_ID);
+        String authUrl = attributes.get(AUTHORIZATION_URI);
 
-        if (scope != null) {
-            TokenRequestContext tokenRequestContext = new TokenRequestContext().addScopes(scopes);
-            setAuthorizationHeaderSync(context, tokenRequestContext);
-            return true;
+        // Create new scopes array to avoid mutating the original
+        String[] scopesToUse = initialScopes;
+        if (!CoreUtils.isNullOrEmpty(resource)) {
+            scopesToUse = new String[] { resource.endsWith(DEFAULT_SCOPE) ? resource : resource + DEFAULT_SCOPE };
         }
 
-        return false;
-    }
+        TokenRequestContext tokenRequestContext = new TokenRequestContext().addScopes(scopesToUse).setCaeEnabled(true);
 
-    String[] getScopes(HttpPipelineCallContext context, String[] scopes) {
-        return CoreUtils.clone(scopes);
+        if (!CoreUtils.isNullOrEmpty(authUrl)) {
+            tokenRequestContext.setTenantId(extractTenantIdFromUri(authUrl));
+        }
+
+        setAuthorizationHeaderSync(context, tokenRequestContext);
+        return true;
     }
 
-    Map<String, String> extractChallengeAttributes(String header, String authChallengePrefix) {
-        if (!isBearerChallenge(header, authChallengePrefix)) {
+    static Map<String, String> extractChallengeAttributes(String header) {
+        if (!isBearerChallenge(header)) {
             return Collections.emptyMap();
         }
 
-        header = header.toLowerCase(Locale.ROOT).replace(authChallengePrefix.toLowerCase(Locale.ROOT), "");
+        // Don't lowercase the entire header as values can be corrupted. Also don't mutate the original header.
+        String remainingHeader = header.substring(BEARER_TOKEN_PREFIX.length());
 
-        String[] attributes = header.split(" ");
+        // Split on commas first; if no commas present fall back to spaces.
+        String[] attributes = remainingHeader.contains(",") ? remainingHeader.split(",") : remainingHeader.split(" ");
         Map<String, String> attributeMap = new HashMap<>();
 
         for (String pair : attributes) {
+            // Skip empty strings and any strings that don't contain '='.
+            // Allows scenarios where there is only an auth URI and no resource ID.
+            if (CoreUtils.isNullOrEmpty(pair) || !pair.contains("=")) {
+                continue;
+            }
             String[] keyValue = pair.split("=");
 
-            attributeMap.put(keyValue[0].replaceAll("\"", ""), keyValue[1].replaceAll("\"", ""));
+            // Support spaces after commas by trimming.
+            attributeMap.put(keyValue[0].replaceAll("\"", "").trim(), keyValue[1].replaceAll("\"", "").trim());
         }
 
         return attributeMap;
     }
 
-    static boolean isBearerChallenge(String authenticateHeader, String authChallengePrefix) {
+    static boolean isBearerChallenge(String authenticateHeader) {
         return (!CoreUtils.isNullOrEmpty(authenticateHeader)
-            && authenticateHeader.toLowerCase(Locale.ROOT).startsWith(authChallengePrefix.toLowerCase(Locale.ROOT)));
-    }
-
-    String getScopeFromChallenges(Map<String, String> challenges) {
-        return challenges.get("resource_id");
-    }
-
-    String getAuthorizationFromChallenges(Map<String, String> challenges) {
-        return challenges.get("authorization_uri");
+            && authenticateHeader.regionMatches(true, 0, BEARER_TOKEN_PREFIX, 0, BEARER_TOKEN_PREFIX.length()));
     }
 }
diff --git a/sdk/storage/azure-storage-common/src/test/java/com/azure/storage/common/policy/StorageBearerTokenChallengeAuthorizationPolicyTests.java b/sdk/storage/azure-storage-common/src/test/java/com/azure/storage/common/policy/StorageBearerTokenChallengeAuthorizationPolicyTests.java
