Resilience on metadata refresh
This document highlights the best practices for refreshing stale metadata across ASP.NET Core, ASP.NET Framework (OWIN), and Microsoft.IdentityModel.
Microsoft.IdentityModel (Wilson)
Recommended: Use the latest version (6.10.0+) and follow the metadata guidance below.
Code Sample:
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// ConfigurationManager fetches and caches the OpenID Connect discovery document (including the signing keys)
ConfigurationManager<OpenIdConnectConfiguration> configManager =
    new ConfigurationManager<OpenIdConnectConfiguration>("http://someaddress.com",
        new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration config = await configManager.GetConfigurationAsync().ConfigureAwait(false);
TokenValidationParameters validationParameters = new TokenValidationParameters()
{
    …
    IssuerSigningKeys = config.SigningKeys,
    …
};
JsonWebTokenHandler tokenHandler = new JsonWebTokenHandler();
TokenValidationResult result = tokenHandler.ValidateToken(jwtToken, validationParameters);
// An unknown signing key (kid) usually means the issuer rolled its keys after the cached metadata was fetched
if (result.Exception is SecurityTokenSignatureKeyNotFoundException)
{
    // mark the cached metadata stale so the next GetConfigurationAsync call refetches it
    configManager.RequestRefresh();
    config = await configManager.GetConfigurationAsync().ConfigureAwait(false);
    validationParameters = new TokenValidationParameters()
    {
        …
        IssuerSigningKeys = config.SigningKeys,
        …
    };
    // attempt to validate token again after refresh
    result = tokenHandler.ValidateToken(jwtToken, validationParameters);
}
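The same refresh-on-unknown-key logic, factored into a reusable class so that every validation path in an application behaves identically. This is an added example, not code from the Microsoft.IdentityModel project: the class name ResilientJwtValidator, the caller-supplied metadata address, issuer and audience, and the chosen refresh intervals are all assumptions; the library members it calls (ConfigurationManager<T>.GetConfigurationAsync, RequestRefresh, AutomaticRefreshInterval, RefreshInterval, JsonWebTokenHandler.ValidateToken, TokenValidationResult) exist in Microsoft.IdentityModel 6.10.0+.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper (not part of Microsoft.IdentityModel) that owns one ConfigurationManager
// and applies the "refresh once on unknown signing key, then retry" rule on every call.
public sealed class ResilientJwtValidator
{
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _configManager;
    private readonly JsonWebTokenHandler _handler = new JsonWebTokenHandler();
    private readonly string _issuer;
    private readonly string _audience;

    public ResilientJwtValidator(string metadataAddress, string issuer, string audience)
    {
        // metadataAddress is the issuer's OpenID Connect discovery document URL (supplied by the caller)
        _configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            metadataAddress, new OpenIdConnectConfigurationRetriever());

        // Background refresh cadence (assumed values). RequestRefresh() is additionally throttled
        // by RefreshInterval, so a burst of tokens with unknown kids cannot hammer the metadata endpoint.
        _configManager.AutomaticRefreshInterval = TimeSpan.FromHours(12);
        _configManager.RefreshInterval = TimeSpan.FromMinutes(1);

        _issuer = issuer;
        _audience = audience;
    }

    public async Task<TokenValidationResult> ValidateAsync(string jwt, CancellationToken ct = default)
    {
        OpenIdConnectConfiguration config =
            await _configManager.GetConfigurationAsync(ct).ConfigureAwait(false);
        TokenValidationResult result = _handler.ValidateToken(jwt, BuildParameters(config));

        // Only an unknown signing key justifies a metadata refresh; an expired, tampered or
        // wrong-audience token is rejected without touching the metadata endpoint.
        if (!result.IsValid && result.Exception is SecurityTokenSignatureKeyNotFoundException)
        {
            _configManager.RequestRefresh();
            config = await _configManager.GetConfigurationAsync(ct).ConfigureAwait(false);
            result = _handler.ValidateToken(jwt, BuildParameters(config));
        }

        return result;
    }

    // Fresh parameters per call so the retry always sees the refreshed key set.
    private TokenValidationParameters BuildParameters(OpenIdConnectConfiguration config) =>
        new TokenValidationParameters
        {
            ValidIssuer = _issuer,
            ValidAudience = _audience,
            IssuerSigningKeys = config.SigningKeys,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };
}
```

RequestRefresh() only marks the cached configuration stale; the fetch happens on the following GetConfigurationAsync, and the ConfigurationManager ignores further RequestRefresh() calls until RefreshInterval has elapsed since the last refresh, which is what bounds the cost of a flood of tokens carrying unknown kids. The retry is deliberately limited to one: if the token still fails with a key-not-found error after a refresh, the key is not one the issuer currently publishes and the token should be rejected.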
ASP.NET Core
Recommended: Use the latest Wilson (6.10.0+) and manually ensure that you follow the guidelines above. Ensure that JwtBearerOptions.RefreshOnIssuerKeyNotFound is set to true and that you are using the latest Microsoft.IdentityModel.* library. This should be enabled by default. All first-party (1p) apps should use SAL with ASP.NET Core.
services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
{
    …
    // shouldn't be necessary as it's true by default: when validation fails with
    // SecurityTokenSignatureKeyNotFoundException the handler calls RequestRefresh() on its
    // ConfigurationManager so that fresh signing keys are fetched
    options.RefreshOnIssuerKeyNotFound = true;
    …
});
ASP.NET (OWIN)
Note: ASP.NET/OWIN is in maintenance mode. Recommended: Use the latest Wilson (6.10.0+) and manually ensure that you follow the guidelines above.
OWIN has an automatic 24-hour refresh interval for the OpenIdConnectConfiguration. This refresh is only triggered if a request is received after the 24-hour span has passed. As far as we know, there is no way to change this value or trigger a refresh early, aside from restarting the application.