c# - How to make Azure.Identity pick up updated configuration (client secret) when using DefaultAzureCredential? - Stack Overflo

I've configured my key vault with a key called Azure--ClientSecret, which is fetched by the Key Vault configuration provider and given the key name Azure:ClientSecret recognized by Azure.Identity.

Now, the issue is that if I use a single instance of AzureDefaultCredential, then reloads of the client secret from Azure Key Vault are not picked up, so eventually the application starts to fail due to an expired client secret.

I have tried to look for Azure.Identity's source code to figure out when the client secret is loaded. I'm not sure whether it's loaded by EnableTokenAcquisitionToCallDownstreamApi() or by DefaultAzureCredential()?

In case it's loaded by DefaultAzureCredential(), should I then construct it for every request to the API (e.g. within a scoped service)? If so, then I don't really benefit from the in-memory caching of tokens between requests (AddInMemoryTokenCaches())?

AddAzureKeyVault():

builder.Configuration.AddAzureKeyVault(
    new SecretClient(
        new Uri(vaultUri),
        new DefaultAzureCredential(new DefaultAzureCredentialOptions() { ExcludeSharedTokenCacheCredential = true })
    ),
    new AzureKeyVaultConfigurationOptions
    {
        ReloadInterval = TimeSpan.FromHours(12)
    }
);

AddAuthentication():

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration, "AzureAd")
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddInMemoryTokenCaches();
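
One way to keep a single long-lived credential while still honouring a rotated secret, as an added example that is not part of the original question or of Azure.Identity: a hypothetical wrapper, `ReloadingClientSecretCredential`, that rebuilds its inner `ClientSecretCredential` only when the value in configuration changes. The `Azure:TenantId` and `Azure:ClientId` key names are assumptions; `Azure:ClientSecret` is the key named in the question.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

// Hypothetical wrapper (not an Azure.Identity type). Register it as a singleton
// and pass it wherever a TokenCredential is expected.
public sealed class ReloadingClientSecretCredential : TokenCredential
{
    private readonly IConfiguration _config;
    private readonly object _gate = new();
    private string? _secretInUse;            // secret the inner credential was built with
    private ClientSecretCredential? _inner;

    public ReloadingClientSecretCredential(IConfiguration config) => _config = config;

    private ClientSecretCredential Current()
    {
        // Read on every call: the Key Vault provider refreshes this value
        // at each ReloadInterval, so a rotated secret shows up here.
        string secret = _config["Azure:ClientSecret"]
            ?? throw new InvalidOperationException("Azure:ClientSecret is not configured.");

        lock (_gate)
        {
            // Rebuild only when the reloaded value differs, so the same inner
            // credential instance is reused between rotations.
            if (_inner is null || !string.Equals(secret, _secretInUse, StringComparison.Ordinal))
            {
                _inner = new ClientSecretCredential(
                    _config["Azure:TenantId"],   // assumed key name
                    _config["Azure:ClientId"],   // assumed key name
                    secret);
                _secretInUse = secret;
            }
            return _inner;
        }
    }

    public override AccessToken GetToken(TokenRequestContext ctx, CancellationToken ct)
        => Current().GetToken(ctx, ct);

    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext ctx, CancellationToken ct)
        => Current().GetTokenAsync(ctx, ct);
}
```

The old secret must stay valid in the identity provider for at least one `ReloadInterval` after the new one is written to the vault, otherwise requests fail until the next reload.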
