signing key rollover
Jean-Marc Prieur edited this page Oct 29, 2024
The algorithm for the signing key rollover is:
The ConfigurationManager<T> class in the AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet repository manages the retrieval of configuration data, including keys from the OIDC endpoint, in a resilient way. Here's a summary of the algorithm used:
- Initialization: The constructor initializes the `ConfigurationManager` with a metadata address, a configuration retriever, a document retriever, and optional configuration validator and cache options.
- Fetching Configuration: The `GetConfigurationAsync` method is the entry point for retrieving the configuration. It first checks whether the current configuration is up to date based on the `AutomaticRefreshInterval`. If the configuration is null or outdated, it attempts to fetch the configuration from the metadata endpoint.
- Synchronization and Singleton Pattern: A semaphore (`_configurationNullLock`) ensures that only one thread fetches the configuration when it is null. The `_configurationRetrieverState` ensures that only one task updates the configuration at a time, using `Interlocked.CompareExchange`.
- Configuration Retrieval: If the configuration is null, it locks the semaphore and fetches the configuration using the `IConfigurationRetriever`'s `GetConfigurationAsync` method. If successful, it updates the configuration and validates it using the optional `IConfigurationValidator`.
- Error Handling: Errors during configuration retrieval are logged, and if the configuration is still null, an exception is thrown. The `UpdateCurrentConfiguration` method is called asynchronously to update the configuration if needed.
- Automatic Refresh: The `RequestRefresh` method triggers an update if the refresh interval has passed since the last request.
The algorithm ensures resilience by:
- Using synchronization mechanisms (semaphore and atomic operations) to prevent race conditions.
- Implementing automatic refresh intervals and on-demand refresh requests.
- Validating the configuration before updating it.
- Logging errors and handling exceptions gracefully.
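A simplified, stand-alone model of the refresh algorithm described above, added here as an example and not the library's own code: `RefreshingConfiguration<TConfig>` is a hypothetical class standing in for `ConfigurationManager<T>`, the `_retrieve` delegate stands in for `IConfigurationRetriever<T>`, the document retriever and validator are omitted, and backing off by `RefreshInterval` after a failed background refresh is an assumption.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
// Simplified model of the refresh algorithm described above (not the library's code); the optional validator is omitted.
public sealed class RefreshingConfiguration<TConfig> where TConfig : class
{
    private const int Idle = 0, Updating = 1;
    private readonly Func<CancellationToken, Task<TConfig>> _retrieve;  // stands in for IConfigurationRetriever<T>
    private readonly SemaphoreSlim _configurationNullLock = new(1, 1); // one fetch while there is no config yet
    private int _configurationRetrieverState = Idle;                    // guarded by Interlocked.CompareExchange
    private TConfig _current;                                           // last known good configuration
    private DateTimeOffset _syncAfter = DateTimeOffset.MinValue;        // when the next automatic refresh is due
    private DateTimeOffset _lastRequestRefresh = DateTimeOffset.MinValue;
    public TimeSpan AutomaticRefreshInterval { get; set; } = TimeSpan.FromHours(12);
    public TimeSpan RefreshInterval { get; set; } = TimeSpan.FromMinutes(5);
    public RefreshingConfiguration(Func<CancellationToken, Task<TConfig>> retrieve) => _retrieve = retrieve;
    private void Store(TConfig c) { _current = c; _syncAfter = DateTimeOffset.UtcNow + AutomaticRefreshInterval; }
    public async Task<TConfig> GetConfigurationAsync(CancellationToken ct = default)
    {
        if (_current != null && _syncAfter > DateTimeOffset.UtcNow) return _current; // fresh enough: no I/O
        if (_current == null)
        {
            await _configurationNullLock.WaitAsync(ct); // concurrent first callers wait instead of all fetching
            try { if (_current == null) Store(await _retrieve(ct)); } // re-check; nothing to fall back on, so a failure propagates
            finally { _configurationNullLock.Release(); }
            return _current;
        }
        // Stale but usable: keep serving the last known good config; exactly one task refreshes it in the background.
        if (Interlocked.CompareExchange(ref _configurationRetrieverState, Updating, Idle) == Idle)
            _ = Task.Run(() => UpdateCurrentConfigurationAsync(ct), ct);
        return _current;
    }

    private async Task UpdateCurrentConfigurationAsync(CancellationToken ct)
    {
        try { Store(await _retrieve(ct)); }
        catch (Exception ex) // a failed refresh keeps the previous config; backing off by RefreshInterval is assumed here
        { Console.Error.WriteLine($"metadata refresh failed, keeping last known good: {ex.Message}"); _syncAfter = DateTimeOffset.UtcNow + RefreshInterval; }
        finally { Interlocked.Exchange(ref _configurationRetrieverState, Idle); }
    }
    // On-demand refresh, e.g. when a token's key id is not among the cached keys (rollover); rate-limited so a burst
    // of tokens with unknown key ids cannot become a burst of metadata fetches.
    public void RequestRefresh()
    {
        var now = DateTimeOffset.UtcNow;
        if (now - _lastRequestRefresh < RefreshInterval) return;
        _lastRequestRefresh = _syncAfter = now; // the next GetConfigurationAsync call triggers an update
    }
}
```

Note that after `RequestRefresh()` the next `GetConfigurationAsync` call still returns the last known good configuration and starts the update in the background, so a caller retrying a token whose key id was unknown should expect the new keys to appear shortly after, not necessarily on the very next call.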