Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request] Enable several JWE decrypt keys to help handling certificate rotations #72

Closed
jmprieur opened this issue Mar 31, 2020 · 6 comments
Closed

[Feature Request] Enable several JWE decrypt keys to help handling certificate rotations #72

jmprieur opened this issue Mar 31, 2020 · 6 comments
Assignees
@jmprieur
Labels
API-breaking-change duplicate This issue or pull request already exists enhancement New feature or request scenario: improved-security web api
Milestone
0.1.5-preview

Comments

@jmprieur
Copy link
Collaborator

jmprieur commented Mar 31, 2020
edited
Loading

Is your feature request related to a problem? Please describe.
We need to help partners using JWE to handle certificate rotation. Today,

microsoft-identity-web/src/Microsoft.Identity.Web/WebApiServiceCollectionExtensions.cs

Line 67 in 14b5a41

public static AuthenticationBuilder AddProtectedWebApi(

takes one certificate, which is used as an entry to TokenValidationParameters.

microsoft-identity-web/src/Microsoft.Identity.Web/WebApiServiceCollectionExtensions.cs

Lines 108 to 111 in 14b5a41

if (tokenDecryptionCertificate != null)
{
options.TokenValidationParameters.TokenDecryptionKey = new X509SecurityKey(tokenDecryptionCertificate);
}

Describe the solution you'd like
When the certificates are rotated, we'd like to pass several certificates and:

  • either try to decryp with one, and if this does not work try the other
  • or implement a TokenDecryptionKeyResolver that inspects the JWT token header for the encrypt cert thumbprint and then return the corresponding encrypt cert for decrypting the token.

See also https://github.com/AzureAD/microsoft-identity-web/wiki/Spec-certificates

See also SNI: AzureAD/microsoft-authentication-library-for-python#60
@jmprieur jmprieur added the enhancement New feature or request label Mar 31, 2020
@jmprieur
Copy link
Collaborator Author

cc: @brentschmaltz @henrik-me

@henrik-me
Copy link
Contributor

@jmprieur : I'm thinking most of this support should be in IdentityModel and not in Identity.Web.

@jmprieur
Copy link
Collaborator Author

jmprieur commented Apr 3, 2020

note that the JWE header contains the kid:

    "kid": "value of inUseEncryptionKeyId"

@brentschmaltz
Copy link
Member

@jmprieur @henrik-me with the KeyVaultExtensions in IdentityModel we could have a really simple model for users to use KeyVault to do the direct decryption. This requires a off-box call, FOR EACH decrytpion, but with ManagedIdentities, this would be excellent.
We could also use SymmetricKey with KeyWrap, in this scenario KeyVault would be contacted once for a SymmetricKey that is used. For added security we could start using derived keys.

To hook up KeyVault, we would need an api somewhere to put the KeyVault url.
IdentityModel has a KeyVaultSecurityKey that hides all the details.

@jmprieur jmprieur mentioned this issue May 15, 2020
Closed
@jennyf19 jennyf19 added this to the 0.1.5-preview milestone May 22, 2020
@jmprieur
Copy link
Collaborator Author

Duplicate of #165

@jmprieur jmprieur marked this as a duplicate of #165 Jun 10, 2020
@jmprieur jmprieur added the duplicate This issue or pull request already exists label Jun 10, 2020
@jmprieur jmprieur self-assigned this Jun 11, 2020
@jmprieur
Copy link
Collaborator Author

This is done in #165
However we need to deprecate the API. Proposing to do it at the same time as #193
Closing as a duplicate

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jmprieur jmprieur

Labels
API-breaking-change duplicate This issue or pull request already exists enhancement New feature or request scenario: improved-security web api
Projects
None yet
Milestone
0.1.5-preview
Development

No branches or pull requests
4 participants
@brentschmaltz @jmprieur @jennyf19 @henrik-me