
I'm following this guide to create an invite policy that accepts an email address in the form of a JWT token via the id_token_hint query parameter.

Per this guide, I'm required to create a PrivateKey/PublicKey pair in my application and expose a .well-known/openid-configuration endpoint, that the policy uses to read the public key to verify the id_token_hint.

I was wondering whether there is a better way to manage my keys. Something along the lines of a service that exposes an endpoint for signing a message, and also an endpoint that is similar to .well-known/openid-configuration for reading the public key.

I read about an Azure service that is called Azure Key-Vault, which is similar to what I want, but doesn't map exactly from what I read so far. Specifically, I couldn't find an endpoint that exposes the public key in a JWKS format.

Do you have a solution?

user10962730
  • You can manage your certificate inside Key Vault / map it to your web app, then expose the OpenID config endpoint inside your web app. There is no out-of-the-box openid-config endpoint. – Thomas Jul 07 '19 at 08:51
  • @Thomas Thank you for your answer. Can you give an example of how to sign the JWT token? Today, I give the signing key (private) to the constructor, but I want to avoid it and use `SignAsync` of KeyVaultClient instead, if possible. – user10962730 Jul 07 '19 at 15:47
  • Not sure how to implement that, as the `JwtSecurityToken` is taking care of everything. I am guessing you can otherwise import the cert from KV to App Service, then use it as a local cert, or maybe get the cert from KV? Not sure if KV will send the private key, btw. – Thomas Jul 07 '19 at 23:15
  • @Thomas I've opened a separate post about it: https://stackoverflow.com/questions/56929205/azure-keyvault-sign-jwt-token Thank you for your help so far. – user10962730 Jul 08 '19 at 06:09
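An added worked example (not code from the question or its comments, and not an Azure SDK sample) of the two pieces the thread is about: publishing an RSA public key in JWKS form, the document the `.well-known` endpoint would serve, and signing an RS256 `id_token_hint` whose signature the policy then checks against that document. It is written in Go with only the standard library so it runs offline; the key id `kid-1` and the `email` claim are constructed values, and the key pair is generated in-process for the demonstration. The signer is deliberately structured so that only the SHA-256 digest of the signing input reaches the RSA operation, which is the same shape a remote sign call (the `SignAsync` mentioned in the comments) takes: with a vault-held key, that single `rsa.SignPKCS1v15` line is what would be replaced, and nothing but the `PublicJWKS` output would ever leave the service.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK holds the RFC 7517 fields a verifier needs for an RS256 key: public material only.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the document a /.well-known/jwks-style endpoint returns.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodeAll base64url-decodes each segment, failing on the first malformed one.
func decodeAll(segs ...string) ([][]byte, error) {
	out := make([][]byte, len(segs))
	for i, s := range segs {
		b, err := base64.RawURLEncoding.DecodeString(s)
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		out[i] = b
	}
	return out, nil
}

// NewSigningKey generates the pair the application (or, in production, Key Vault) holds.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// PublicJWKS exports an RSA public key as a single-key JWKS under the given kid (constructed here).
func PublicJWKS(pub *rsa.PublicKey, kid string) JWKS {
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid,
		N: b64url(pub.N.Bytes()), E: b64url(big.NewInt(int64(pub.E)).Bytes())}}}
}

// SignRS256 builds header.payload.signature; only the SHA-256 digest of the signing input
// reaches the RSA operation, which is the shape a remote sign call takes as well.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // the vault call would go here
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// VerifyWithJWKS does what the policy does with the published keys: pick the key by kid,
// pin the algorithm, check the signature, and only then hand back the claims.
func VerifyWithJWKS(token string, jwks JWKS) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	segs, err := decodeAll(parts[0], parts[1], parts[2])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(segs[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // never let the token choose the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		if kb, err := decodeAll(k.N, k.E); err == nil && k.Kid == hdr.Kid && k.Kty == "RSA" {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(kb[0]), E: int(new(big.Int).SetBytes(kb[1]).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no usable RSA key with kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], segs[2]); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	claims := map[string]interface{}{}
	return claims, json.Unmarshal(segs[1], &claims)
}
```

To try it, generate a key with `NewSigningKey`, serve `json.Marshal(PublicJWKS(&priv.PublicKey, "kid-1"))` from the application's well-known endpoint, sign `{"email": ...}` with `SignRS256` for the invite link, and run `VerifyWithJWKS` over the token to see the same checks the policy performs; a token whose payload is altered, whose header names a different algorithm, or whose `kid` is not in the published set is rejected before any claim is read.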
