Key rollover conducted on Aug 1st 2016
On Aug 1st 2016, we rolled over the keys used to sign JWT tokens issued by Azure AD B2C. This is a part of our ongoing efforts to deliver a secure identity service. Please read on, as this note has important calls to action to ensure that this change causes no disruption to your apps or your end users.
What is key rollover?
Azure AD B2C uses a token signing key (in adherence to OpenID Connect and other standard protocols) to sign data (in our case, the end user’s identity token). Key rollover is the process of transitioning from one key to another. Regular rotation of keys helps improve the security posture of both the service and your apps.
The mechanics
Azure AD B2C advertises the public portion of the key at this endpoint: https://login.microsoftonline.com/<YourTenantName>.onmicrosoft.com/discovery/keys?p=<YourPolicyId>. Your app (more specifically, the OpenID Connect libraries that your app uses) verifies the authenticity of any incoming user token using this information. During key rollover, we advertise two keys – the key currently in use, and the key that we are going to use in the future. The old key will be removed after a period of time (usually a week); in this case, on Aug 8th 2016. We plan to roll over keys on a regular cadence.
What do you need to do?
Most popular OpenID Connect libraries, including Microsoft’s .NET library – Microsoft.Owin.Security.OpenIdConnect, already have built-in mechanisms for handling key rollover seamlessly. Make sure to check your library’s documentation to ensure that it handles “issuer key rollover”. If it doesn’t, you’ll have to switch to a library for your platform of choice that does handle it.
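As an added illustration (not code from this post or from Microsoft's libraries) of what "handling issuer key rollover" means on the validating side: the verifier caches the key set from the discovery/keys endpoint, accepts either advertised key during the overlap week, re-fetches the set on an unknown kid (rate-limited) or when its cache ages out, and rejects tokens signed with a withdrawn key. It assumes a constructed key set and uses HMAC in place of B2C's RSA keys so that it runs offline; PUBLISHED_KEYS, sign_token and RolloverValidator are names made up for this example.

```python
import base64, hashlib, hmac, json, time
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed stand-in for the discovery/keys document, keyed by "kid". B2C publishes RSA
# public keys (kty "RSA", n/e) for RS256; HMAC secrets are used here only so this runs offline.
PUBLISHED_KEYS = {"kid-2016-07": b"old-secret", "kid-2016-08": b"new-secret"}

def fetch_keys() -> dict:  # stands in for an HTTP GET of discovery/keys: what is advertised right now
    return dict(PUBLISHED_KEYS)

def sign_token(kid: str, key: bytes, claims: dict) -> str:
    # Issuer side: compact JWS whose header names the signing key by "kid".
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

class RolloverValidator:
    """Caches the advertised keys; re-fetches when the cache is older than max_age seconds or when a
    token carries an unknown kid, at most once per min_refresh seconds (bogus kids must not force a fetch per token)."""
    def __init__(self, fetch=fetch_keys, clock=time.monotonic, max_age=86400, min_refresh=300):
        self._fetch, self._clock, self._max_age, self._min_refresh = fetch, clock, max_age, min_refresh
        self._keys, self._fetched_at = fetch(), clock()
        self.refreshes = 0  # re-fetches after the initial load
    def _refresh(self, unknown_kid: bool) -> None:
        age = self._clock() - self._fetched_at
        if age >= self._max_age or (unknown_kid and age >= self._min_refresh):
            self._keys, self._fetched_at = self._fetch(), self._clock()
            self.refreshes += 1
    def validate(self, token: str):  # returns the claims on success, None on any failure
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
            header = json.loads(b64url_decode(header_b64))
        except ValueError:
            return None
        if not isinstance(header, dict) or header.get("alg") != "HS256" or not isinstance(header.get("kid"), str):
            return None  # pin the algorithm; the token's own "alg" must never choose the verifier
        self._refresh(unknown_kid=False)
        if header.get("kid") not in self._keys:
            self._refresh(unknown_kid=True)  # perhaps a key advertised since the last fetch
        key = self._keys.get(header.get("kid"))
        if key is None:  # withdrawn (or never advertised) key: reject the token
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
```

Note that a token under the withdrawn key keeps validating until the verifier's cache is refreshed, so the cache lifetime bounds how long a retired key is still honoured by your app.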
Help
If you have any questions, please use the comments section or email us at aaddev@microsoft.com.