Nat*_*ann 4 azure jwt azure-active-directory
Azure AD randomly changes the JWT public key without warning. Am I able to turn the functionality off completely? I would like the public key to never change.
Azure AD signing keys roll over periodically, and sometimes also immediately.

Please see the relevant Microsoft guidance: Signing key rollover in Azure Active Directory

"For security purposes, Azure AD's signing key rolls on a periodic basis and, in the case of an emergency, could be rolled over immediately. Any application that integrates with Azure AD should be prepared to handle a key rollover event no matter how frequently it may occur. If it doesn't, and your application attempts to use an expired key to verify the signature on a token, the sign-in request will fail."
In your question you've mentioned "Am I able to turn the functionality off completely? I would like the public key to never change.".
You cannot control this behavior, as explained in the documentation above. Your application needs to be designed so that it can handle this key rotation.
You can always get to the latest signing keys using the OpenID Connect discovery document. Look for the jwks_uri value.
You can use common endpoints to get to that information or tenant specific endpoints as well.
Azure AD V1 common endpoint - https://login.microsoftonline.com/common/.well-known/openid-configuration
Azure AD V2 common endpoint - https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

Signing keys can be found at a URL like

Azure AD V1 - https://login.microsoftonline.com/common/discovery/keys
Azure AD V2 - https://login.microsoftonline.com/common/discovery/v2.0/keys

Again, you could use tenant-specific endpoints as well, like

https://login.microsoftonline.com/mytenant.onmicrosoft.com/discovery/keys
https://login.microsoftonline.com/mytenant.onmicrosoft.com/discovery/v2.0/keys

The kid value found for the keys here will match the identifier of the key that has been used to sign the token you receive. You can check this in the token header. Example:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "iBjL1Rcqzhiy4fpxIxdZqohM2Yk",
  "kid": "iBjL1Rcqzhiy4fpxIxdZqohM2Yk"
}

On a side note -
In case you plan to cache some keys, your app will need to regularly check back for updates and, in case of failure, go to the endpoint above on an on-demand basis to get the new keys. This Microsoft documentation on validating the signature mentions that

"A reasonable frequency to check for updates to the public keys used by Azure AD is every 24 hours."
Many times validating tokens explicitly is not even required since Azure AD middleware has built-in capabilities for validating access tokens.
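The rollover handling the answer describes (resolve the token's kid against a cached JWKS, refresh the cache on a schedule and on an unknown kid, reject tokens whose key is no longer published), as an added example that is not part of the original answer or of any Microsoft library. To run offline it contains a deliberately small pure-Python RSA/PKCS#1 v1.5 implementation and generates its own keys, JWKS document and tokens; the issuer, audience and kid values are constructed placeholders, and the fetch callable stands in for an HTTP GET of the jwks_uri. In production use a maintained library (PyJWT, MSAL, the Microsoft.Identity.Web middleware) rather than this signing code; the cache and kid logic is the part worth copying.

```python
import base64
import hashlib
import hmac
import json
import random
import secrets
import time

# --- minimal RSA / PKCS#1 v1.5 with SHA-256 (demo only, stands in for a real crypto library) ---
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(p):
            return p


def gen_rsa_keypair(bits=1024):
    """Return {n, e, d}. 1024 bits keeps the pure-Python demo fast; not a production size."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def _emsa_pkcs1_v15(msg, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign(msg, key):
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(msg, k), "big")
    return pow(em, key["d"], key["n"]).to_bytes(k, "big")


def rsa_verify(msg, sig, key):
    k = (key["n"].bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= key["n"]:
        return False
    em = pow(s, key["e"], key["n"]).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))


# --- base64url, JWK and JWT helpers ---
def b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def int_b64u(i):
    return b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))


def jwk_from_key(kid, key):
    return {"kty": "RSA", "use": "sig", "kid": kid, "n": int_b64u(key["n"]), "e": int_b64u(key["e"])}


def mint_token(kid, key, claims):
    """What the IdP does: RS256-sign header.payload and publish the kid in the header."""
    head = {"typ": "JWT", "alg": "RS256", "kid": kid}
    si = b64u(json.dumps(head).encode()) + "." + b64u(json.dumps(claims).encode())
    return si + "." + b64u(rsa_sign(si.encode(), key))


class JwksCache:
    """Cached JWKS: refreshed every max_age seconds (the docs suggest 24h) and, rate-limited,
    whenever a token arrives with a kid the cache has not seen (emergency rollover)."""

    def __init__(self, fetch_jwks, max_age=24 * 3600, min_refresh=300, clock=time.time):
        self.fetch, self.max_age, self.min_refresh, self.clock = fetch_jwks, max_age, min_refresh, clock
        self.keys, self.fetched_at, self.refreshes = {}, None, 0

    def _refresh(self):
        doc = self.fetch()  # stands in for GET <jwks_uri> taken from the discovery document
        self.keys = {k["kid"]: k for k in doc["keys"] if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"}
        self.fetched_at, self.refreshes = self.clock(), self.refreshes + 1

    def get_key(self, kid):
        now = self.clock()
        if self.fetched_at is None or now - self.fetched_at > self.max_age:
            self._refresh()
        if kid not in self.keys and now - self.fetched_at >= self.min_refresh:
            self._refresh()  # unknown kid: re-fetch once, but not on every forged token
        return self.keys.get(kid)


def verify_token(token, cache, issuer, audience):
    """Return the claims if the token is valid, else None."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64u_dec(h64))
    if header.get("alg") != "RS256":  # pin the algorithm; never trust 'none' or a JWK-as-HMAC-key trick
        return None
    jwk = cache.get_key(header.get("kid"))
    if jwk is None:
        return None
    pub = {"n": int.from_bytes(b64u_dec(jwk["n"]), "big"), "e": int.from_bytes(b64u_dec(jwk["e"]), "big")}
    if not rsa_verify((h64 + "." + p64).encode(), b64u_dec(s64), pub):
        return None
    claims = json.loads(b64u_dec(p64))
    if claims.get("iss") != issuer or claims.get("aud") != audience or claims.get("exp", 0) <= cache.clock():
        return None
    return claims


def run_rollover_scenario():
    """Simulate the IdP rolling its signing key; all keys, kids and claims are constructed."""
    iss, aud = "https://login.example.test/mytenant/v2.0", "api://my-api"  # placeholders
    key_a, key_b = gen_rsa_keypair(), gen_rsa_keypair()
    jwks = {"keys": [jwk_from_key("kid-A", key_a)]}  # what jwks_uri currently serves
    clock = [1_000_000.0]
    cache = JwksCache(lambda: jwks, clock=lambda: clock[0])
    claims = lambda: {"iss": iss, "aud": aud, "exp": clock[0] + 3600, "sub": "user1"}
    out = {}
    out["old_key_ok"] = verify_token(mint_token("kid-A", key_a, claims()), cache, iss, aud) is not None
    jwks["keys"] = [jwk_from_key("kid-B", key_b)]  # emergency rollover: only key B is published now
    clock[0] += 600
    out["new_key_ok"] = verify_token(mint_token("kid-B", key_b, claims()), cache, iss, aud) is not None
    out["retired_key_rejected"] = verify_token(mint_token("kid-A", key_a, claims()), cache, iss, aud) is None
    before = cache.refreshes
    for i in range(20):  # a flood of unknown kids must not turn into a flood of JWKS fetches
        verify_token(mint_token("kid-%d" % i, key_a, claims()), cache, iss, aud)
    out["refresh_rate_limited"] = cache.refreshes == before
    h, _, s = mint_token("kid-B", key_b, claims()).split(".")
    out["tamper_rejected"] = verify_token(h + "." + b64u(b'{"iss":"x"}') + "." + s, cache, iss, aud) is None
    out["refreshes"] = cache.refreshes
    return out


if __name__ == "__main__":
    print(run_rollover_scenario())
```

The scenario fetches the JWKS exactly twice: once on first use and once when a token arrives carrying a kid the cache does not know, which is what an unannounced rollover looks like from the application's side. After that, tokens signed with the retired key and tokens with made-up kids are rejected without further fetches, because the on-demand refresh is rate limited; the 24-hour scheduled refresh covers the normal case.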
Views: 5335