Sources

1577 sources collected

MSAL can refresh tokens proactively. When the Microsoft identity platform issues a long-lived token, it can include a hint telling the client when to renew it early (refresh_in). Once that point has passed, MSAL keeps returning the still-valid cached token while it acquires a fresh one; if that acquisition fails, the app continues to run on the old token until it expires. ... We recommend developers build a process to adopt the latest MSAL release, because authentication is part of app security. Apply this practice to any authentication library still under active development; it improves app resilience. ... Continuous Access Evaluation (CAE) increases application security and resilience with long-lived tokens. With CAE, an access token is revoked in response to critical events and policy evaluation rather than by short token lifetimes. For some resource APIs, because risk and policy are evaluated in real time, CAE increases token lifetime up to 28 hours. MSAL takes care of refreshing these long-lived tokens.
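The two behaviours described above, as an added illustration that is not MSAL's code and not part of the original page: a small cache that honours a refresh_in hint (renew early, fall back to the still-valid token when renewal fails, stop retrying for a while), plus a parser for the `WWW-Authenticate` claims challenge a CAE-enabled resource returns when a token has been revoked. The `fetch` callable and its `(now, claims)` signature are hypothetical stand-ins for the real token endpoint call; the header shape follows the documented `error="insufficient_claims", claims="<base64 JSON>"` format, and the claims value is constructed, not captured.

```python
import base64
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class CachedToken:
    """The parts of a token response that drive refresh decisions."""
    access_token: str
    issued_at: float                  # epoch seconds when the response arrived
    expires_in: int                   # seconds until the token stops being accepted
    refresh_in: Optional[int] = None  # early-renewal hint; absent on short-lived tokens

    def expired(self, now: float) -> bool:
        return now >= self.issued_at + self.expires_in

    def refresh_due(self, now: float) -> bool:
        # No hint: no early renewal, the token is simply used until it expires
        return self.refresh_in is not None and now >= self.issued_at + self.refresh_in


# Hypothetical signature: (now, claims_json_or_None) -> fresh token; raises on failure
TokenFetcher = Callable[[float, Optional[str]], CachedToken]


class ProactiveTokenCache:
    """Serves a cached token, renews it once refresh_in has passed, and keeps
    serving the old (still valid) token when that renewal fails."""

    def __init__(self, fetch: TokenFetcher, retry_interval: int = 300):
        self._fetch = fetch
        self._retry_interval = retry_interval  # backoff between failed early renewals
        self._cached: Optional[CachedToken] = None
        self._last_attempt = float("-inf")
        self.refresh_failures = 0

    def get(self, now: float, claims: Optional[str] = None) -> str:
        tok = self._cached
        if claims is not None or tok is None or tok.expired(now):
            # A claims challenge or an expired/missing token leaves nothing to
            # fall back to, so a fetch failure here surfaces to the caller.
            self._cached = self._fetch(now, claims)
            return self._cached.access_token
        if tok.refresh_due(now) and now - self._last_attempt >= self._retry_interval:
            self._last_attempt = now
            try:
                self._cached = self._fetch(now, None)
            except Exception:
                self.refresh_failures += 1  # old token is still valid: keep using it
        return self._cached.access_token


_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_claims_challenge(www_authenticate: str) -> Optional[str]:
    """Return the decoded claims JSON from a CAE 'insufficient_claims' Bearer
    challenge, or None when the header is some other 401."""
    scheme, _, rest = www_authenticate.partition(" ")
    if scheme != "Bearer":
        return None
    params: Dict[str, str] = dict(_PARAM.findall(rest))
    if params.get("error") != "insufficient_claims" or not params.get("claims"):
        return None
    raw = params["claims"].replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)  # tolerate stripped base64 padding
    try:
        decoded = base64.b64decode(raw).decode("utf-8")
        json.loads(decoded)  # the value must be a JSON claims request
    except ValueError:
        return None
    return decoded


# Constructed sample claims in the shape a CAE challenge carries (not captured traffic)
SAMPLE_CLAIMS = {"access_token": {"nbf": {"essential": True, "value": "1604106651"}}}


def build_sample_challenge(claims: dict) -> str:
    """Build a constructed WWW-Authenticate header of the documented CAE shape."""
    encoded = base64.b64encode(json.dumps(claims, separators=(",", ":")).encode()).decode()
    return ('Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
            f'error="insufficient_claims", claims="{encoded}"')


def demo() -> List[str]:
    """Walk the cache through first use, early renewal and a claims challenge."""
    now = 1_000_000.0
    fetched: List[Optional[str]] = []

    def fetch(at: float, claims: Optional[str]) -> CachedToken:
        fetched.append(claims)  # stand-in for the real token endpoint call
        return CachedToken(f"tok{len(fetched)}", issued_at=at, expires_in=3600, refresh_in=1800)

    cache = ProactiveTokenCache(fetch)
    trace = [cache.get(now), cache.get(now + 600), cache.get(now + 1900)]
    challenge = parse_claims_challenge(build_sample_challenge(SAMPLE_CLAIMS))
    trace.append(cache.get(now + 1950, claims=challenge))  # CAE: re-acquire with claims
    return trace


if __name__ == "__main__":
    print(demo())  # ['tok1', 'tok1', 'tok2', 'tok3']
```

In a real client the decoded claims string is handed to the library rather than to a home-grown fetcher (MSAL Python takes it as `claims_challenge=` on `acquire_token_silent`, MSAL.NET via `.WithClaims()`), and the app must declare the `cp1` client capability at construction time, otherwise the resource assumes the client cannot process a challenge and simply issues short-lived tokens. The retry interval matters in practice: without it, a token past refresh_in with an unreachable STS would trigger a renewal attempt on every call.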

9/22/2025 (updated 3/8/2026)

And I don't think you need to avoid MSAL, but {ts:208} there are some problems with how it's implemented in PowerShell that I personally believe could be solved and {ts:214} need to be solved by the big guys. Because this is such an important, this is such an … You've got to set up {ts:286} all these things, you know, configure a billion different resources, and you just don't. It's two steps. The {ts:297} problem is kind of with PowerShell, kind of with how it's been implemented. So, as I said, most … {ts:367} after the other in the same profile, things get weird. They fail, but sometimes they fail silently. So it just {ts:375} doesn't work and it continues to use whatever the previous version of that library was that you were using. In the {ts:381} scenario of the Az modules and the MS Graph modules, they are maintained by different teams. They cannot keep up … It's a very bad idea. Functionally, {ts:637} that works though. You can get a token. Don't write in VB. It's very bad. That's what it stands {ts:646} for. Okay. So because we don't have a native module that abstracts the MSAL library in a sort of unified way that … {ts:999} what is happening, which is why I don't like it. You know, abstraction is good to a point. If it makes it so that you {ts:1006} can't actually tell what's happening, I think it's detrimental for us at the end of the day, because, as I said, if … {ts:1988} application so that you can retrieve it, and that's where credential leakage comes into play, and that's why I don't {ts:1992} really like this solution. This can be swapped out for certificate-based authentication as well. But, you know, {ts:1998} the same thing applies: there is the potential that that could be leaked as well.

5/29/2025 (updated 3/8/2026)

The presentation begins with a brief overview of MSAL, outlining its role in simplifying authentication across platforms. Although most of the 2025 audience already knows MSAL, Ben reiterates its foundations before moving on to the more technical discussion, in particular the assembly load context (ALC) issues that arise when MSAL is embedded in PowerShell modules such as Az and Microsoft Graph. Each of these modules ships its own version of MSAL, which leads to conflicts when users load several of them in the same session. Ben describes the frustrations caused by overlapping library versions, including scenarios where users get silent failures or misleading error messages, and stresses the urgency of a unified library approach to minimise these compatibility problems. From there the discussion shifts to alternatives to MSAL. ... A key takeaway from the session is that while writing your own authentication logic is technically feasible, it is rarely recommended outside specific contexts. Ben shares practical examples of situations where developers may feel compelled to build their own solutions, walking through several authentication flows, including interactive authentication, device code flow, client secret flow, and managed identity, and showing both the simplicity and the pitfalls of custom implementations. ... And then we're going {ts:142} to talk about ALC, or assembly load context, and essentially why I believe, and this is just a personal opinion, {ts:148} that there are some issues with how we've implemented authentication in PowerShell and in the modules that we

10/15/2025 (updated 3/17/2026)

The other, less obvious, issue is that even when certificates are used, a vendor may have implemented its own wrapper around the token endpoint instead of leveraging the built-in MSAL methods. While this works, Microsoft recommends sticking to the MSAL methods, because that is where it layers additional security features on top of the module, such as the ones detailed in Alex Weinert's session at last year's Ignite.

2/7/2024 (updated 4/2/2026)

github.com

WAM

## Improved experience using Windows broker (WAM) is now generally available starting 4.52+

The new MSAL WAM is an abstraction layer based on MSAL C++ which fixes a number of issues with the old WAM implementation and provides other benefits. **New applications should use this implementation** (also see WAM limitations).

- New implementation is more stable, easier to add new features, less chance of regressions.
- Works in apps that are run-as-admin.
- Adds support for Proof-of-Possession tokens.
- Fixes assembly size issues.

… ... Because the netcoreapp3.1 target framework reached end of life this past December, our team will no longer offer support for applications using MSAL with that version of .NET Core. We recommend upgrading to the latest version of the .NET platform, where possible.

## Parent Window Handles

It is now mandatory to tell MSAL the window the interactive experience should be parented to, using the `WithParentActivityOrWindow` APIs. Trying to infer a window is not feasible and in the past this has led to bad user experience where the auth window is hidden behind the application.

…

## Redirect URI

WAM redirect URIs do not need to be configured in MSAL, but they must be configured in the app registration:

```
ms-appx-web://microsoft.aad.brokerplugin/{client_id}
```

## Username / Password flow

This flow is not recommended except in test scenarios or in scenarios where service principal access to a resource gives it too much access and you can only scope it down with user flows. When using WAM, `AcquireTokenByUsernamePassword` will let WAM handle the protocol and fetch tokens.

## WAM limitations

- B2C and ADFS authorities aren't supported. MSAL will fall back to a browser.
- Available on Windows 10+ and Windows Server 2019+. On Mac, Linux, and earlier versions of Windows, MSAL will fall back to a browser.
- WAM Preview is not available on UWP; instead use the old WAM implementation.

…

### Advanced topics

- High Availability
- Token cache serialization
- Logging
- Exceptions in MSAL
- Retry Policy
- UiRequired exception classification
- State Mismatch Error
- Provide your own Httpclient and proxy
- Extensibility Points
- Clearing the cache
- Client Credentials Multi-Tenant guidance
- Performance perspectives
- Differences between ADAL.NET and MSAL.NET Apps
- PowerShell support
- Testing apps that use MSAL
- ...
- Proof of Possession (PoP) tokens
- Using in Azure functions
- Extract info from WWW-Authenticate headers
- SPA Authorization Code

4/6/2023 (updated 3/21/2026)

### 🐢 Sometimes Performance & Latency Are "Good Enough," But Not Lightning-Fast

From some reports in developer circles, especially on free or low-tier plans, response times can be slow or variable. For example:

> "I use railway too, love the experience… but the response time is same as before [on free tier]" (Reddit)

And when migrating a Django-based app from Railway, some developers expressed concerns about latency when serving users in far-away regions (Reddit). If you expect heavy real-time loads, high concurrency, or global distribution, you might need to pair Railway with other services, or consider more specialized infrastructure.

### 🛡️ Less "Built-in" Security Protection (e.g. Edge, WAF, DDoS Mitigation) Out of the Box

A common complaint, especially from people running backend APIs or services exposed to the internet, is that Railway does *not* provide built-in edge protection, a WAF, or DDoS mitigation the way some content/CDN platforms do (Reddit). One user said they migrated away from Railway after experiencing unexplained latency and unresponsive endpoints under what seemed like mild bot traffic (Reddit).

In short: while Railway abstracts away infra complexity, that abstraction comes with a trade-off. If your app needs strong security or resilience, you may need to put the extra layers (CDN, reverse proxy, WAF, rate limiting) in front of it yourself.

1/21/2026 (updated 4/4/2026)

### No remote dev environments

Railway has no remote development with IDE sync. Developers can't code against production-like environments from their local IDE, which limits inner-loop speed for complex stacks.

Updated 4/7/2026

### But, where can things get complicated with Railway?

Everything above makes Railway a practical option if you need speed, flexibility, and a quick way to get your app online. Once you move past the initial setup phase or start running workloads that need to stay up longer term, a few limitations become more noticeable. This section covers the areas that might cause problems depending on how you use the platform. They are not dealbreakers for everyone, but they are important to understand before you commit.

**1. Services stop when you exhaust trial credits**

Railway gives new users a one-time $5 trial credit. Once that's used up, your services stop running until you upgrade to a paid plan. This is confirmed in their documentation and applies even if the app was previously live.

*Screenshot from Railway Docs showing free trial credit policy*

**2. No native worker model**

There's no dedicated background worker type in Railway. If your app needs async processing, background queues, or scheduled tasks running independently, you'll need to set those up manually as standalone services. This works, but it requires more setup and ongoing management.

**3. Cron support is functional but has some limitations**

Railway's updated cron experience avoids full redeploys for every job and makes scheduling faster, but it still comes with limits. You can't pass dynamic parameters into jobs, and there's no native support for things like variable input or environment-aware execution. If your cron tasks are simple, it'll get the job done, but for anything more flexible or state-dependent, you'll need workarounds like custom variables or external schedulers.

…

**1. Per-user pricing adds up on teams**

Each additional team member incurs an extra cost, regardless of their individual resource usage. While this is manageable for small teams, expenses can escalate significantly as your team expands.

*Render's pricing per user*

**2. Monthly build minute quotas can be limiting**

Render sets monthly limits on build minutes: 500 per month on the Hobby plan, and 500 per member on Professional workspaces (shared across the team). If you deploy often or run multiple CI workflows, you might run through those minutes quickly, especially in active development cycles.

5/13/2025 (updated 3/31/2026)

There's only two modes. It's hard problems doing hard things. We want to make it as cheap as possible in both time and money: saving you a ton of time to go and spin up these things, and then only paying for what you actually use when you're going and doing that. We want you to spend as little time as possible on the kind of configuration, drudge work, etc. … You can just do it yourself. ... And our conversation gets into how they solve the hardest problems in dev tools and the importance of back-end infrastructure in AI native software. In the age of AI, there's a very, very material risk of being out-executed by your competitors because they are moving so quickly. … I think this will be fun. Really quick, for people who don't know: I've heard Railway described as solving the hardest problem in dev tools. What is that actually, and then what is Railway? Yeah, so I think it's like the intersection of a lot of hard problems, and so that's what makes it quite difficult. So we are really … So there's a lot of hard problems in between, whether they're user experience problems, infrastructure problems, configuration management problems, versioning, deployment, rollouts, kind of stuff like that, live infrastructure. So pre-Railway, what was I doing to do all this stuff? Like, what did the world kind of look like? ... So the thing that I started with was like databases, right?
And so databases are actually pretty hard. Like, stable storage ends up being actually quite difficult, on the, you know, almost like iceberg of complicated infrastructure things, right? Because, you know, people have data in their databases, and if you lose the data in your database then you have a terrible time or whatever, right? So I started with that, because I … I just want to move a lot quicker, right? And so as our capability gets significantly better and better and better, and those people want to deploy faster and faster and faster, we're reaching this kind of inflection point where most people are actually almost capitulating out of that older mechanism of building software and moving into the realm of the thing that we've built, right? So that's super cool, because I think for a long while we were building a thing and, you know, we'd go and pitch it to VCs and they'd be like, well, you know, what problem is it solving? It's like, well, software infrastructure sucks, right? And you're like, yeah, but, you know, tell me more about this thing, right? And now people want to move significantly quicker, and in the age of AI there's almost like a very, very material risk of being out-executed by your competitors because they are moving so quickly, and if you don't have … sp internally, and so they ran into essentially this platform team edge, of like this team potentially internally that, you know, manages all of this tooling. They've exposed them in various different ways that end up being cumbersome, and that's through no fault of the platform tooling. That's like actually the underlying infrastructure. Like, the infrastructure that they are trying to abstract is very, very difficult and in my opinion is almost unabstractable. … So it was like really, really poorly fleshed out in general.

1/1/2021 (updated 9/21/2025)

Once you have an idea and some code ready, the next big question is: *how do you get it running in the real world?* For individual developers, freelancers, or students, setting up servers and managing infrastructure can feel overwhelming. For startups and SMEs, the challenge is speed: how quickly can you launch and scale without hiring a full DevOps team? …

### Auto-scaling & Performance

Railway allows both vertical scaling (adding more CPU/RAM) and horizontal scaling (replicas). Small projects can start lean, and when traffic spikes, scaling is a click away. Startups benefit from not having to overpay for unused infrastructure. …

## Conclusion

Railway isn't a "magic solution," but it addresses one of the biggest bottlenecks for developers, startups, SMEs, and students: **deploying applications quickly, simply, and with room to scale**. By combining infrastructure, databases, networking, scaling, logging, and templates into one platform, Railway lets you focus on building products instead of managing servers. Whether you're a solo developer, a startup testing ideas, or a student group learning deployment, Railway is a practical and modern choice in 2025.

Updated 4/3/2026

- Why were they making CDN changes in prod? With their 100M funding recently they could afford a separate env to test CDN changes. Did their engineering team even properly understand surrogate keys to feel confident rolling out a change in prod? I don't think they're beating the AI allegations to figure out CDN configs; a human would not be this confident testing surrogate keys in prod. ...
- They didn't immediately notify customers about the security incident (people learned from their users). They apparently have emailed affected customers only, many hours after. Some people that were affected still haven't been emailed, and they seem to be radio silent lately.
- Their founder on Twitter keeps using their growth as an excuse for their shoddy engineering, especially lately. Their uptime for what's supposed to be a serious production platform is abysmal; they've clearly prioritised pushing features over reliability (https://status.railway.com/), and the issues I've outlined here have little to do with growth and more to do with company culture. …

... > Their forum is also getting heated, customers have lost revenue, had medical data leaked etc., with no proper followup from the railway team …

... You can't just keep saying you're open to feedback and being transparent as vanity. There's plenty of feedback on here, your Twitter, your forum, and the feedback is people telling you to focus on reliability, because Railway keeps breaking their deployments. If you don't care about reliability and prefer to scale with features, be honest about it. Railway's poor uptime does not lie. … By the way, that's only one forum post; there are many that are just ignored, one where a user mentioned they're reporting Railway to the ICO for a GDPR breach, rightfully.

We do indeed have a staging environment, as mentioned previously. The issue arose in the rollout to production, as mentioned previously.

3/31/2026 (updated 4/5/2026)

**❌ Fly.io Cons**

- Steeper learning curve than Railway
- Requires understanding of fly.toml configuration
- No managed Redis or MySQL
- Documentation can be inconsistent
- Occasional platform stability issues reported by users
- No serverless cron jobs built-in

2/22/2026 (updated 4/7/2026)