-
Notifications
You must be signed in to change notification settings - Fork 218
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug] Specifying multiple decryption certificates #1243
Comments
@husseinkorly are you saying this is a regression? |
I think I understand what happens. We should only do the yield: microsoft-identity-web/src/Microsoft.Identity.Web/CertificateManagement/DefaultCertificateLoader.cs Line 307 in 37471e7
when |
@jmprieur I never tested this functionality before until we're getting close to renewing the decryption cert for one of our services. I was hopping to add the new cert as another decryption cert and switch it in the portal (first-party). |
@jennyf19 is working on a fix. |
Thank you. I tried using version 1.9.2 but the API still failing to decrypt the token. |
Can you tell us more about the exception? https://github.com/AzureAD/microsoft-identity-web/wiki/Logging |
I pulled the new changes in master and I still see the same issue. I am using 2 decryption certificates. One of them is a valid certificate (used to encrypt) and another one that still valid but not used to encrypt the token. I see the API still returning 401 and I don't see any exceptions being logged. I think it's related to this issue with identityModel package that doesn't accept a list of decryption keys. |
@husseinkorly they both have to be decryption certs, not encryption certs. See this page -> if you're using a client credential certificate, like instead of a secret, a cert, it can go in the configuration. |
Yes. I am only interested in the decryption cert I have both in the configuration like this for example: "TokenDecryptionCertificates": [
{
"SourceType": "StoreWithThumbprint",
"CertificateStorePath": "LocalMachine/My",
"CertificateThumbprint": "962D129A...D18EFEB6961684"
},
{
"SourceType": "StoreWithThumbprint",
"CertificateStorePath": "LocalMachine/My",
"CertificateThumbprint": "962D129A...D18EFEB6960000"
}
] One of them is a valid decryption cert (where I have the .pfx installed in my local machine) and it can decrypt the token just fine, but when I add another cert (I also have the .pfx installed locally) to the list that's just any other cert the API start returning 401. |
@husseinkorly do both certs work independently? like one at a time, do they both work? |
Only one cert can be configured in AAD, but I was assuming if we can have 2 certs and it will use the valid one. This can be useful to rotate the decryption certs without any downtime. We can add the new cert to the configuration, replace it in AAD, and remove the the old one from configuration. |
@husseinkorly : provided they are both decrypt certificates, this should work. Line 222 in 6b506eb
|
@jmprieur - Yes, this should work in IdentityModel >=6.8.0. |
Fixed in 1.13 release. but seems to be an issue still with other components. @jmprieur |
Included in 1.14 release |
@jennyf19 @jmprieur We have other services where we pass multiple certificates, and identity model will try to all the available keys to decrypt the cert I am using version 1.14.0 |
Which version of Microsoft Identity Web are you using?
1.12.0
Where is the issue?
Is this a new or an existing app?
The app is in production and I have upgraded to a new version of Microsoft Identity Web.
Repro
Configuring multiple certificates for decryption and only one of them is valid and it can be used.
Expected behavior
A valid certificate (from list of certificates) will be used to decrypt incoming tokens
Actual behavior
Fails to decrypt a token if any of the provided certificate is invalid
Possible solution
Try to decrypt the token with any valid certificate provided.
Additional context / logs / screenshots
n/a
The text was updated successfully, but these errors were encountered: