Lazy load temporary AccessKey (#2092)

terencefan · web-flow · commit 3c6b848ca035 · 2024-11-25T10:42:06.000+08:00
diff --git a/src/Microsoft.Azure.SignalR.Common/Auth/MicrosoftEntra/AccessKeySynchronizer.cs b/src/Microsoft.Azure.SignalR.Common/Auth/MicrosoftEntra/AccessKeySynchronizer.cs
@@ -6,20 +6,22 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Runtime.CompilerServices;
+using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Logging.Abstractions;
 
 namespace Microsoft.Azure.SignalR;
 
 internal sealed class AccessKeySynchronizer : IAccessKeySynchronizer, IDisposable
 {
-    private readonly ConcurrentDictionary<ServiceEndpoint, object> _endpoints = new ConcurrentDictionary<ServiceEndpoint, object>(ReferenceEqualityComparer.Instance);
+    private readonly ConcurrentDictionary<MicrosoftEntraAccessKey, bool> _keyMap = new(ReferenceEqualityComparer.Instance);
 
-    private readonly ILoggerFactory _factory;
+    private readonly ILogger<AccessKeySynchronizer> _logger;
 
     private readonly TimerAwaitable _timer = new TimerAwaitable(TimeSpan.Zero, TimeSpan.FromMinutes(1));
 
-    internal IEnumerable<MicrosoftEntraAccessKey> AccessKeyForMicrosoftEntraList => _endpoints.Select(e => e.Key.AccessKey).OfType<MicrosoftEntraAccessKey>();
+    internal IEnumerable<MicrosoftEntraAccessKey> InitializedKeyList => _keyMap.Where(x => x.Key.Initialized).Select(x => x.Key);
 
     public AccessKeySynchronizer(ILoggerFactory loggerFactory) : this(loggerFactory, true)
     {
@@ -32,65 +34,74 @@ internal AccessKeySynchronizer(ILoggerFactory loggerFactory, bool start)
     {
         if (start)
         {
-            _ = UpdateAccessKeyAsync();
+            _ = UpdateAllAccessKeyAsync();
         }
-        _factory = loggerFactory ?? throw new ArgumentNullException(nameof(loggerFactory));
+        _logger = (loggerFactory ?? NullLoggerFactory.Instance).CreateLogger<AccessKeySynchronizer>();
     }
 
     public void AddServiceEndpoint(ServiceEndpoint endpoint)
     {
         if (endpoint.AccessKey is MicrosoftEntraAccessKey key)
         {
-            _ = key.UpdateAccessKeyAsync();
+            _keyMap.TryAdd(key, true);
         }
-        _endpoints.TryAdd(endpoint, null);
     }
 
     public void Dispose() => _timer.Stop();
 
     public void UpdateServiceEndpoints(IEnumerable<ServiceEndpoint> endpoints)
     {
-        _endpoints.Clear();
+        _keyMap.Clear();
         foreach (var endpoint in endpoints)
         {
             AddServiceEndpoint(endpoint);
         }
     }
 
-    internal bool ContainsServiceEndpoint(ServiceEndpoint e) => _endpoints.ContainsKey(e);
+    /// <summary>
+    /// Test only
+    /// </summary>
+    /// <param name="e"></param>
+    /// <returns></returns>
+    internal bool ContainsKey(ServiceEndpoint e) => _keyMap.ContainsKey(e.AccessKey as MicrosoftEntraAccessKey);
 
-    internal int ServiceEndpointsCount() => _endpoints.Count;
+    /// <summary>
+    /// Test only
+    /// </summary>
+    /// <returns></returns>
+    internal int Count() => _keyMap.Count;
 
-    private async Task UpdateAccessKeyAsync()
+    private async Task UpdateAllAccessKeyAsync()
     {
         using (_timer)
         {
             _timer.Start();
 
             while (await _timer)
             {
-                foreach (var key in AccessKeyForMicrosoftEntraList)
+                foreach (var key in InitializedKeyList)
                 {
-                    _ = key.UpdateAccessKeyAsync();
+                    var source = new CancellationTokenSource(Constants.Periods.DefaultUpdateAccessKeyTimeout);
+                    _ = key.UpdateAccessKeyAsync(source.Token);
                 }
             }
         }
     }
 
-    private sealed class ReferenceEqualityComparer : IEqualityComparer<ServiceEndpoint>
+    private sealed class ReferenceEqualityComparer : IEqualityComparer<MicrosoftEntraAccessKey>
     {
         internal static readonly ReferenceEqualityComparer Instance = new ReferenceEqualityComparer();
 
         private ReferenceEqualityComparer()
         {
         }
 
-        public bool Equals(ServiceEndpoint x, ServiceEndpoint y)
+        public bool Equals(MicrosoftEntraAccessKey x, MicrosoftEntraAccessKey y)
         {
             return ReferenceEquals(x, y);
         }
 
-        public int GetHashCode(ServiceEndpoint obj)
+        public int GetHashCode(MicrosoftEntraAccessKey obj)
         {
             return RuntimeHelpers.GetHashCode(obj);
         }
diff --git a/src/Microsoft.Azure.SignalR.Common/Auth/MicrosoftEntra/MicrosoftEntraAccessKey.cs b/src/Microsoft.Azure.SignalR.Common/Auth/MicrosoftEntra/MicrosoftEntraAccessKey.cs
@@ -24,6 +24,10 @@ internal class MicrosoftEntraAccessKey : IAccessKey
 {
     internal static readonly TimeSpan GetAccessKeyTimeout = TimeSpan.FromSeconds(100);
 
+    private const int UpdateTaskIdle = 0;
+
+    private const int UpdateTaskRunning = 1;
+
     private const int GetAccessKeyMaxRetryTimes = 3;
 
     private const int GetMicrosoftEntraTokenMaxRetryTimes = 3;
@@ -36,10 +40,12 @@ internal class MicrosoftEntraAccessKey : IAccessKey
 
     private static readonly TimeSpan AccessKeyExpireTime = TimeSpan.FromMinutes(120);
 
-    private readonly TaskCompletionSource<object?> _initializedTcs = new TaskCompletionSource<object?>(TaskCreationOptions.RunContinuationsAsynchronously);
+    private readonly TaskCompletionSource<object?> _initializedTcs = new(TaskCreationOptions.RunContinuationsAsynchronously);
 
     private readonly IHttpClientFactory _httpClientFactory;
 
+    private volatile int _updateState = 0;
+
     private volatile bool _isAuthorized = false;
 
     private DateTime _updateAt = DateTime.MinValue;
@@ -48,6 +54,8 @@ internal class MicrosoftEntraAccessKey : IAccessKey
 
     private volatile byte[]? _keyBytes;
 
+    public bool Initialized => _initializedTcs.Task.IsCompleted;
+
     public bool Available
     {
         get => _isAuthorized && DateTime.UtcNow - _updateAt < AccessKeyExpireTime;
@@ -116,6 +124,12 @@ public async Task<string> GenerateAccessTokenAsync(string audience,
                                                        AccessTokenAlgorithm algorithm,
                                                        CancellationToken ctoken = default)
     {
+        if (!_initializedTcs.Task.IsCompleted)
+        {
+            var source = new CancellationTokenSource(Constants.Periods.DefaultUpdateAccessKeyTimeout);
+            _ = UpdateAccessKeyAsync(source.Token);
+        }
+
         await _initializedTcs.Task.OrCancelAsync(ctoken, "The access key initialization timed out.");
 
         return Available
@@ -142,26 +156,35 @@ internal async Task UpdateAccessKeyAsync(CancellationToken ctoken = default)
             return;
         }
 
+        if (Interlocked.CompareExchange(ref _updateState, UpdateTaskRunning, UpdateTaskIdle) != UpdateTaskIdle)
+        {
+            return;
+        }
+
         for (var i = 0; i < GetAccessKeyMaxRetryTimes; i++)
         {
+            if (ctoken.IsCancellationRequested)
+            {
+                break;
+            }
+
             var source = new CancellationTokenSource(GetAccessKeyTimeout);
-            var linkedSource = CancellationTokenSource.CreateLinkedTokenSource(source.Token, ctoken);
             try
             {
-                await UpdateAccessKeyInternalAsync(linkedSource.Token);
+                await UpdateAccessKeyInternalAsync(source.Token).OrCancelAsync(ctoken);
+                Interlocked.Exchange(ref _updateState, UpdateTaskIdle);
                 return;
             }
             catch (OperationCanceledException e)
             {
-                LastException = e;
-                break;
+                LastException = e; // retry immediately
             }
             catch (Exception e)
             {
                 LastException = e;
                 try
                 {
-                    await Task.Delay(GetAccessKeyRetryInterval, ctoken);
+                    await Task.Delay(GetAccessKeyRetryInterval, ctoken); // retry after interval.
                 }
                 catch (OperationCanceledException)
                 {
@@ -175,6 +198,7 @@ internal async Task UpdateAccessKeyAsync(CancellationToken ctoken = default)
             // Update the status only when it becomes "not available" due to expiration to refresh updateAt.
             Available = false;
         }
+        Interlocked.Exchange(ref _updateState, UpdateTaskIdle);
     }
 
     private static string GetExceptionMessage(Exception? exception)
@@ -232,11 +256,11 @@ private async Task UpdateAccessKeyInternalAsync(CancellationToken ctoken)
         await ThrowExceptionOnResponseFailureAsync(request, response);
     }
 
-    private async Task<bool> HandleHttpResponseAsync(HttpResponseMessage response)
+    private async Task HandleHttpResponseAsync(HttpResponseMessage response)
     {
         if (response.StatusCode != HttpStatusCode.OK)
         {
-            return false;
+            return;
         }
 
         var content = await response.Content.ReadAsStringAsync();
@@ -250,8 +274,6 @@ private async Task<bool> HandleHttpResponseAsync(HttpResponseMessage response)
         {
             throw new AzureSignalRException("Missing required <AccessKey> field.");
         }
-
         UpdateAccessKey(obj.KeyId, obj.AccessKey);
-        return true;
     }
 }
diff --git a/src/Microsoft.Azure.SignalR.Common/Constants.cs b/src/Microsoft.Azure.SignalR.Common/Constants.cs
@@ -21,7 +21,6 @@ internal static class Constants
 
     public const string AsrsDefaultScope = "https://signalr.azure.com/.default";
 
-
     public const int DefaultCloseTimeoutMilliseconds = 10000;
 
     public static class Keys
@@ -45,6 +44,8 @@ public static class Periods
 
         public const int MaxCustomHandshakeTimeout = 30;
 
+        public static readonly TimeSpan DefaultUpdateAccessKeyTimeout = TimeSpan.FromMinutes(2);
+
         public static readonly TimeSpan DefaultAccessTokenLifetime = TimeSpan.FromHours(1);
 
         public static readonly TimeSpan DefaultScaleTimeout = TimeSpan.FromMinutes(5);
diff --git a/test/Microsoft.Azure.SignalR.Common.Tests/Auth/AccessKeySynchronizerFacts.cs b/test/Microsoft.Azure.SignalR.Common.Tests/Auth/AccessKeySynchronizerFacts.cs
@@ -0,0 +1,43 @@
+﻿// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using Azure.Identity;
+using Microsoft.Azure.SignalR.Tests.Common;
+using Microsoft.Extensions.Logging.Abstractions;
+using Xunit;
+
+namespace Microsoft.Azure.SignalR.Common.Tests.Auth;
+
+public class AccessKeySynchronizerFacts
+{
+    [Fact]
+    public void AddAndRemoveServiceEndpointsTest()
+    {
+        var synchronizer = GetInstanceForTest();
+
+        var credential = new DefaultAzureCredential();
+        var endpoint1 = new TestServiceEndpoint(credential);
+        var endpoint2 = new TestServiceEndpoint(credential);
+
+        Assert.Equal(0, synchronizer.Count());
+        synchronizer.UpdateServiceEndpoints([endpoint1]);
+        Assert.Equal(1, synchronizer.Count());
+        synchronizer.UpdateServiceEndpoints([endpoint1, endpoint2]);
+        Assert.Empty(synchronizer.InitializedKeyList);
+
+        Assert.Equal(2, synchronizer.Count());
+        Assert.True(synchronizer.ContainsKey(endpoint1));
+        Assert.True(synchronizer.ContainsKey(endpoint2));
+
+        synchronizer.UpdateServiceEndpoints([endpoint2]);
+        Assert.Equal(1, synchronizer.Count());
+        synchronizer.UpdateServiceEndpoints([]);
+        Assert.Equal(0, synchronizer.Count());
+        Assert.Empty(synchronizer.InitializedKeyList);
+    }
+
+    private static AccessKeySynchronizer GetInstanceForTest()
+    {
+        return new AccessKeySynchronizer(NullLoggerFactory.Instance, false);
+    }
+}
diff --git a/test/Microsoft.Azure.SignalR.Common.Tests/Auth/MicrosoftEntraAccessKeyTests.cs b/test/Microsoft.Azure.SignalR.Common.Tests/Auth/MicrosoftEntraAccessKeyTests.cs
@@ -165,7 +165,7 @@ public async Task TestUpdateAccessKeyFailedThrowsNotAuthorizedException(AzureSig
             .ThrowsAsync(e);
         var key = new MicrosoftEntraAccessKey(DefaultEndpoint, mockCredential.Object)
         {
-            GetAccessKeyRetryInterval = TimeSpan.Zero
+            GetAccessKeyRetryInterval = TimeSpan.Zero,
         };
 
         var audience = "http://localhost/chat";
@@ -210,6 +210,52 @@ public async Task TestUpdateAccessKeySendRequest(string expectedKeyStr)
         Assert.Equal(expectedKeyStr, Encoding.UTF8.GetString(key.KeyBytes));
     }
 
+    [Fact]
+    public async Task TestLazyLoadAccessKey()
+    {
+        var expectedKeyStr = DefaultSigningKey;
+        var expectedKid = "foo";
+        var text = "{" + string.Format("\"AccessKey\": \"{0}\", \"KeyId\": \"{1}\"", expectedKeyStr, expectedKid) + "}";
+        var httpClientFactory = new TestHttpClientFactory(new HttpResponseMessage(HttpStatusCode.OK)
+        {
+            Content = TextHttpContent.From(text),
+        });
+
+        var credential = new TestTokenCredential(TokenType.MicrosoftEntra);
+        var key = new MicrosoftEntraAccessKey(DefaultEndpoint, credential, httpClientFactory: httpClientFactory);
+
+        Assert.False(key.Initialized);
+
+        var token = await key.GenerateAccessTokenAsync("https://localhost", [], TimeSpan.FromMinutes(1), AccessTokenAlgorithm.HS256);
+        Assert.NotNull(token);
+
+        Assert.True(key.Initialized);
+    }
+
+    [Fact]
+    public async Task TestLazyLoadAccessKeyFailed()
+    {
+        var mockCredential = new Mock<TokenCredential>();
+        mockCredential.Setup(credential => credential.GetTokenAsync(
+            It.IsAny<TokenRequestContext>(),
+            It.IsAny<CancellationToken>()))
+            .ThrowsAsync(new Exception());
+        var key = new MicrosoftEntraAccessKey(DefaultEndpoint, mockCredential.Object)
+        {
+            GetAccessKeyRetryInterval = TimeSpan.FromSeconds(1),
+        };
+
+        Assert.False(key.Initialized);
+
+        var task1 = key.GenerateAccessTokenAsync("https://localhost", [], TimeSpan.FromMinutes(1), AccessTokenAlgorithm.HS256);
+        var task2 = key.UpdateAccessKeyAsync();
+        Assert.True(task2.IsCompleted); // another task is in progress.
+
+        await Assert.ThrowsAsync<AzureSignalRAccessTokenNotAuthorizedException>(async () => await task1);
+
+        Assert.True(key.Initialized);
+    }
+
     [Theory]
     [InlineData(TokenType.Local)]
     [InlineData(TokenType.MicrosoftEntra)]
@@ -226,7 +272,10 @@ public async Task ThrowUnauthorizedExceptionTest(TokenType tokenType)
             endpoint,
             new TestTokenCredential(tokenType),
             httpClientFactory: new TestHttpClientFactory(message)
-        );
+        )
+        {
+            GetAccessKeyRetryInterval = TimeSpan.Zero
+        };
 
         await key.UpdateAccessKeyAsync();
 
diff --git a/test/Microsoft.Azure.SignalR.Common.Tests/Endpoints/AccessKeySynchronizerFacts.cs b/test/Microsoft.Azure.SignalR.Common.Tests/Endpoints/AccessKeySynchronizerFacts.cs
diff --git a/test/Microsoft.Azure.SignalR.Tests.Common/TestClasses/TestAccessKeySynchronizer.cs b/test/Microsoft.Azure.SignalR.Tests.Common/TestClasses/TestAccessKeySynchronizer.cs

Original file line number	Diff line number	Diff line change
`@@ -6,20 +6,22 @@`
`6`	`6`	`using System.Collections.Generic;`
`7`	`7`	`using System.Linq;`
`8`	`8`	`using System.Runtime.CompilerServices;`
	`9`	`+using System.Threading;`
`9`	`10`	`using System.Threading.Tasks;`
`10`	`11`	`using Microsoft.Extensions.Logging;`
	`12`	`+using Microsoft.Extensions.Logging.Abstractions;`
`11`	`13`
`12`	`14`	`namespace Microsoft.Azure.SignalR;`
`13`	`15`
`14`	`16`	`internal sealed class AccessKeySynchronizer : IAccessKeySynchronizer, IDisposable`
`15`	`17`	`{`
`16`		`- private readonly ConcurrentDictionary<ServiceEndpoint, object> _endpoints = new ConcurrentDictionary<ServiceEndpoint, object>(ReferenceEqualityComparer.Instance);`
	`18`	`+ private readonly ConcurrentDictionary<MicrosoftEntraAccessKey, bool> _keyMap = new(ReferenceEqualityComparer.Instance);`
`17`	`19`
`18`		`- private readonly ILoggerFactory _factory;`
	`20`	`+ private readonly ILogger<AccessKeySynchronizer> _logger;`
`19`	`21`
`20`	`22`	`private readonly TimerAwaitable _timer = new TimerAwaitable(TimeSpan.Zero, TimeSpan.FromMinutes(1));`
`21`	`23`
`22`		`- internal IEnumerable<MicrosoftEntraAccessKey> AccessKeyForMicrosoftEntraList => _endpoints.Select(e => e.Key.AccessKey).OfType<MicrosoftEntraAccessKey>();`
	`24`	`+ internal IEnumerable<MicrosoftEntraAccessKey> InitializedKeyList => _keyMap.Where(x => x.Key.Initialized).Select(x => x.Key);`
`23`	`25`
`24`	`26`	`public AccessKeySynchronizer(ILoggerFactory loggerFactory) : this(loggerFactory, true)`
`25`	`27`	`{`
`@@ -32,65 +34,74 @@ internal AccessKeySynchronizer(ILoggerFactory loggerFactory, bool start)`
`32`	`34`	`{`
`33`	`35`	`if (start)`
`34`	`36`	`{`
`35`		`- _ = UpdateAccessKeyAsync();`
	`37`	`+ _ = UpdateAllAccessKeyAsync();`
`36`	`38`	`}`
`37`		`- _factory = loggerFactory ?? throw new ArgumentNullException(nameof(loggerFactory));`
	`39`	`+ _logger = (loggerFactory ?? NullLoggerFactory.Instance).CreateLogger<AccessKeySynchronizer>();`
`38`	`40`	`}`
`39`	`41`
`40`	`42`	`public void AddServiceEndpoint(ServiceEndpoint endpoint)`
`41`	`43`	`{`
`42`	`44`	`if (endpoint.AccessKey is MicrosoftEntraAccessKey key)`
`43`	`45`	`{`
`44`		`- _ = key.UpdateAccessKeyAsync();`
	`46`	`+ _keyMap.TryAdd(key, true);`
`45`	`47`	`}`
`46`		`- _endpoints.TryAdd(endpoint, null);`
`47`	`48`	`}`
`48`	`49`
`49`	`50`	`public void Dispose() => _timer.Stop();`
`50`	`51`
`51`	`52`	`public void UpdateServiceEndpoints(IEnumerable<ServiceEndpoint> endpoints)`
`52`	`53`	`{`
`53`		`- _endpoints.Clear();`
	`54`	`+ _keyMap.Clear();`
`54`	`55`	`foreach (var endpoint in endpoints)`
`55`	`56`	`{`
`56`	`57`	`AddServiceEndpoint(endpoint);`
`57`	`58`	`}`
`58`	`59`	`}`
`59`	`60`
`60`		`- internal bool ContainsServiceEndpoint(ServiceEndpoint e) => _endpoints.ContainsKey(e);`
	`61`	`+ /// <summary>`
	`62`	`+ /// Test only`
	`63`	`+ /// </summary>`
	`64`	`+ /// <param name="e"></param>`
	`65`	`+ /// <returns></returns>`
	`66`	`+ internal bool ContainsKey(ServiceEndpoint e) => _keyMap.ContainsKey(e.AccessKey as MicrosoftEntraAccessKey);`
`61`	`67`
`62`		`- internal int ServiceEndpointsCount() => _endpoints.Count;`
	`68`	`+ /// <summary>`
	`69`	`+ /// Test only`
	`70`	`+ /// </summary>`
	`71`	`+ /// <returns></returns>`
	`72`	`+ internal int Count() => _keyMap.Count;`
`63`	`73`
`64`		`- private async Task UpdateAccessKeyAsync()`
	`74`	`+ private async Task UpdateAllAccessKeyAsync()`
`65`	`75`	`{`
`66`	`76`	`using (_timer)`
`67`	`77`	`{`
`68`	`78`	`_timer.Start();`
`69`	`79`
`70`	`80`	`while (await _timer)`
`71`	`81`	`{`
`72`		`- foreach (var key in AccessKeyForMicrosoftEntraList)`
	`82`	`+ foreach (var key in InitializedKeyList)`
`73`	`83`	`{`
`74`		`- _ = key.UpdateAccessKeyAsync();`
	`84`	`+ var source = new CancellationTokenSource(Constants.Periods.DefaultUpdateAccessKeyTimeout);`
	`85`	`+ _ = key.UpdateAccessKeyAsync(source.Token);`
`75`	`86`	`}`
`76`	`87`	`}`
`77`	`88`	`}`
`78`	`89`	`}`
`79`	`90`
`80`		`- private sealed class ReferenceEqualityComparer : IEqualityComparer<ServiceEndpoint>`
	`91`	`+ private sealed class ReferenceEqualityComparer : IEqualityComparer<MicrosoftEntraAccessKey>`
`81`	`92`	`{`
`82`	`93`	`internal static readonly ReferenceEqualityComparer Instance = new ReferenceEqualityComparer();`
`83`	`94`
`84`	`95`	`private ReferenceEqualityComparer()`
`85`	`96`	`{`
`86`	`97`	`}`
`87`	`98`
`88`		`- public bool Equals(ServiceEndpoint x, ServiceEndpoint y)`
	`99`	`+ public bool Equals(MicrosoftEntraAccessKey x, MicrosoftEntraAccessKey y)`
`89`	`100`	`{`
`90`	`101`	`return ReferenceEquals(x, y);`
`91`	`102`	`}`
`92`	`103`
`93`		`- public int GetHashCode(ServiceEndpoint obj)`
	`104`	`+ public int GetHashCode(MicrosoftEntraAccessKey obj)`
`94`	`105`	`{`
`95`	`106`	`return RuntimeHelpers.GetHashCode(obj);`
`96`	`107`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,10 @@ internal class MicrosoftEntraAccessKey : IAccessKey`
`24`	`24`	`{`
`25`	`25`	`internal static readonly TimeSpan GetAccessKeyTimeout = TimeSpan.FromSeconds(100);`
`26`	`26`
	`27`	`+ private const int UpdateTaskIdle = 0;`
	`28`	`+`
	`29`	`+ private const int UpdateTaskRunning = 1;`
	`30`	`+`
`27`	`31`	`private const int GetAccessKeyMaxRetryTimes = 3;`
`28`	`32`
`29`	`33`	`private const int GetMicrosoftEntraTokenMaxRetryTimes = 3;`
`@@ -36,10 +40,12 @@ internal class MicrosoftEntraAccessKey : IAccessKey`
`36`	`40`
`37`	`41`	`private static readonly TimeSpan AccessKeyExpireTime = TimeSpan.FromMinutes(120);`
`38`	`42`
`39`		`- private readonly TaskCompletionSource<object?> _initializedTcs = new TaskCompletionSource<object?>(TaskCreationOptions.RunContinuationsAsynchronously);`
	`43`	`+ private readonly TaskCompletionSource<object?> _initializedTcs = new(TaskCreationOptions.RunContinuationsAsynchronously);`
`40`	`44`
`41`	`45`	`private readonly IHttpClientFactory _httpClientFactory;`
`42`	`46`
	`47`	`+ private volatile int _updateState = 0;`
	`48`	`+`
`43`	`49`	`private volatile bool _isAuthorized = false;`
`44`	`50`
`45`	`51`	`private DateTime _updateAt = DateTime.MinValue;`
`@@ -48,6 +54,8 @@ internal class MicrosoftEntraAccessKey : IAccessKey`
`48`	`54`
`49`	`55`	`private volatile byte[]? _keyBytes;`
`50`	`56`
	`57`	`+ public bool Initialized => _initializedTcs.Task.IsCompleted;`
	`58`	`+`
`51`	`59`	`public bool Available`
`52`	`60`	`{`
`53`	`61`	`get => _isAuthorized && DateTime.UtcNow - _updateAt < AccessKeyExpireTime;`
`@@ -116,6 +124,12 @@ public async Task<string> GenerateAccessTokenAsync(string audience,`
`116`	`124`	`AccessTokenAlgorithm algorithm,`
`117`	`125`	`CancellationToken ctoken = default)`
`118`	`126`	`{`
	`127`	`+ if (!_initializedTcs.Task.IsCompleted)`
	`128`	`+ {`
	`129`	`+ var source = new CancellationTokenSource(Constants.Periods.DefaultUpdateAccessKeyTimeout);`
	`130`	`+ _ = UpdateAccessKeyAsync(source.Token);`
	`131`	`+ }`
	`132`	`+`
`119`	`133`	`await _initializedTcs.Task.OrCancelAsync(ctoken, "The access key initialization timed out.");`
`120`	`134`
`121`	`135`	`return Available`
`@@ -142,26 +156,35 @@ internal async Task UpdateAccessKeyAsync(CancellationToken ctoken = default)`
`142`	`156`	`return;`
`143`	`157`	`}`
`144`	`158`
	`159`	`+ if (Interlocked.CompareExchange(ref _updateState, UpdateTaskRunning, UpdateTaskIdle) != UpdateTaskIdle)`
	`160`	`+ {`
	`161`	`+ return;`
	`162`	`+ }`
	`163`	`+`
`145`	`164`	`for (var i = 0; i < GetAccessKeyMaxRetryTimes; i++)`
`146`	`165`	`{`
	`166`	`+ if (ctoken.IsCancellationRequested)`
	`167`	`+ {`
	`168`	`+ break;`
	`169`	`+ }`
	`170`	`+`
`147`	`171`	`var source = new CancellationTokenSource(GetAccessKeyTimeout);`
`148`		`- var linkedSource = CancellationTokenSource.CreateLinkedTokenSource(source.Token, ctoken);`
`149`	`172`	`try`
`150`	`173`	`{`
`151`		`- await UpdateAccessKeyInternalAsync(linkedSource.Token);`
	`174`	`+ await UpdateAccessKeyInternalAsync(source.Token).OrCancelAsync(ctoken);`
	`175`	`+ Interlocked.Exchange(ref _updateState, UpdateTaskIdle);`
`152`	`176`	`return;`
`153`	`177`	`}`
`154`	`178`	`catch (OperationCanceledException e)`
`155`	`179`	`{`
`156`		`- LastException = e;`
`157`		`- break;`
	`180`	`+ LastException = e; // retry immediately`
`158`	`181`	`}`
`159`	`182`	`catch (Exception e)`
`160`	`183`	`{`
`161`	`184`	`LastException = e;`
`162`	`185`	`try`
`163`	`186`	`{`
`164`		`- await Task.Delay(GetAccessKeyRetryInterval, ctoken);`
	`187`	`+ await Task.Delay(GetAccessKeyRetryInterval, ctoken); // retry after interval.`
`165`	`188`	`}`
`166`	`189`	`catch (OperationCanceledException)`
`167`	`190`	`{`
`@@ -175,6 +198,7 @@ internal async Task UpdateAccessKeyAsync(CancellationToken ctoken = default)`
`175`	`198`	`// Update the status only when it becomes "not available" due to expiration to refresh updateAt.`
`176`	`199`	`Available = false;`
`177`	`200`	`}`
	`201`	`+ Interlocked.Exchange(ref _updateState, UpdateTaskIdle);`
`178`	`202`	`}`
`179`	`203`
`180`	`204`	`private static string GetExceptionMessage(Exception? exception)`
`@@ -232,11 +256,11 @@ private async Task UpdateAccessKeyInternalAsync(CancellationToken ctoken)`
`232`	`256`	`await ThrowExceptionOnResponseFailureAsync(request, response);`
`233`	`257`	`}`
`234`	`258`
`235`		`- private async Task<bool> HandleHttpResponseAsync(HttpResponseMessage response)`
	`259`	`+ private async Task HandleHttpResponseAsync(HttpResponseMessage response)`
`236`	`260`	`{`
`237`	`261`	`if (response.StatusCode != HttpStatusCode.OK)`
`238`	`262`	`{`
`239`		`- return false;`
	`263`	`+ return;`
`240`	`264`	`}`
`241`	`265`
`242`	`266`	`var content = await response.Content.ReadAsStringAsync();`
`@@ -250,8 +274,6 @@ private async Task<bool> HandleHttpResponseAsync(HttpResponseMessage response)`
`250`	`274`	`{`
`251`	`275`	`throw new AzureSignalRException("Missing required <AccessKey> field.");`
`252`	`276`	`}`
`253`		`-`
`254`	`277`	`UpdateAccessKey(obj.KeyId, obj.AccessKey);`
`255`		`- return true;`
`256`	`278`	`}`
`257`	`279`	`}`