
[Bug] configuring multiple decryption certificates when rotating a cert

Open husseinkorly opened this issue 2 years ago • 0 comments

Which version of Microsoft Identity Web are you using? 1.14.0

Where is the issue?

  • Web app
    • [ ] Sign-in users
    • [ ] Sign-in users and call web APIs
  • Web API
    • [x] Protected web APIs (validating tokens)
    • [ ] Protected web APIs (validating scopes)
    • [ ] Protected web APIs call downstream web APIs
  • Token cache serialization
    • [ ] In-memory caches
    • [ ] Session caches
    • [ ] Distributed caches
  • Other (please describe)

Is this a new or an existing app? The function app is in production, and we were trying to renew the decryption cert by adding the new cert to the configuration:

"AzureAd:ClientId": "c4cda440-adb6-4d17-a426-2dfee165dbaf",
"AzureAd:TokenDecryptionCertificates:0:SourceType": "StoreWithThumbprint",
"AzureAd:TokenDecryptionCertificates:0:CertificateStorePath": "LocalMachine/My",
"AzureAd:TokenDecryptionCertificates:0:CertificateThumbprint": "962D129A...D18EFEB6961684", 

"AzureAd:TokenDecryptionCertificates:1:SourceType": "StoreWithThumbprint",
"AzureAd:TokenDecryptionCertificates:1:CertificateStorePath": "LocalMachine/My",
"AzureAd:TokenDecryptionCertificates:1:CertificateThumbprint": "962D129A...D18EFEB6960000",

Expected behavior: The library will try to use both certificates to decrypt the token.

Actual behavior: It is only trying to decrypt the token using the first certificate, and authentication fails if the first cert is not valid.

Possible solution: We have another service where we don't use the package, but we configure the identity model with a list of decryption keys and it works fine, so we're expecting it to behave the same way.

// Primary key first; the secondary key is added only when a thumbprint is configured,
// so the list never carries a null entry into token validation.
TokenDecryptionKeys = new[] { primaryDecryptionThumbprint, secondaryDecryptionThumbprint }
    .Where(t => !string.IsNullOrEmpty(t))
    .Select(t => new X509SecurityKey(CertificateHelper.FindCertificateByThumbprint(t)))
    .ToList(),

husseinkorly, Jan 04 '22 19:01
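The behaviour the report expects, as an added example that is neither the reporter's code nor Microsoft.Identity.Web's own: register the web API as usual, then post-configure the JwtBearer options so that every certificate listed under `AzureAd:TokenDecryptionCertificates` becomes a decryption key, with a certificate that is not yet installed skipped rather than breaking validation. It assumes the `LocalMachine/My` store and thumbprint keys shown in the issue's configuration; `TokenDecryptionSetup` and `FindInLocalMachineMy` are names chosen here.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Tokens;

public static class TokenDecryptionSetup
{
    public static void ConfigureServices(IServiceCollection services, IConfiguration configuration)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApi(configuration);

        // PostConfigure runs after Microsoft.Identity.Web has applied its own settings,
        // so the key list set here is the one token validation actually uses.
        services.PostConfigure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
        {
            // Read every "AzureAd:TokenDecryptionCertificates:N:CertificateThumbprint" entry.
            var thumbprints = configuration.GetSection("AzureAd:TokenDecryptionCertificates")
                .GetChildren()
                .Select(c => c["CertificateThumbprint"])
                .Where(t => !string.IsNullOrWhiteSpace(t));

            var keys = new List<SecurityKey>();
            foreach (var thumbprint in thumbprints)
            {
                var cert = FindInLocalMachineMy(thumbprint);
                if (cert != null)                 // skip a cert that is not installed yet
                    keys.Add(new X509SecurityKey(cert));
            }

            // Keep the library's defaults if nothing resolved, rather than an empty list.
            if (keys.Count > 0)
                options.TokenValidationParameters.TokenDecryptionKeys = keys;
        });
    }

    private static X509Certificate2 FindInLocalMachineMy(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        // validOnly: false so the outgoing certificate is still found near its expiry,
        // which is exactly the window a rotation needs both keys to be present.
        return store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
                    .OfType<X509Certificate2>().FirstOrDefault();
    }
}
```

Order matters: list the new certificate's thumbprint first once it is deployed everywhere, and drop the old entry only after tokens encrypted to it can no longer be in flight.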