As per some articles I have read, AddJwtBearer() in .NET Core caches the keys in the OIDC provider's discovery document and uses them to validate the authentication token in the request. As per the following article https://zhiliaxu.github.io/how-do-aspnet-core-services-validate-jwt-signature-signed-by-aad.html#configuration it fetches the keys once and caches them. But my question is: if the server changes its certificate, how could the API application subscribe to it? Thank you.

manura

1 Answer

By default, AddJwtBearer will reload the signing keys every 24 hours. This time can be configured if you like using code like this:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(opt =>
    {
        // How often the discovery document (and its signing keys) is re-downloaded
        opt.AutomaticRefreshInterval = new TimeSpan(1, 0, 0, 0); // 1 day
        // Timeout for the back-channel HTTP call to the OIDC provider
        opt.BackchannelTimeout = new TimeSpan(0, 0, 10); // 10 seconds
    });

There is no mechanism today to subscribe to signing key changes in the OIDC provider, but you should usually not need that. In many OIDC systems the old "signing" keys stick around for a while to allow validation for existing keys in the system. That means that there is one key for signing new tokens and the old keys are used to validate existing signed tokens.

Hopefully this article can explain this even better: https://brockallen.com/2019/08/09/identityserver-and-signing-key-rotation/

Tore Nestenius
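To make the rotation behaviour described in the answer concrete, here is an added simulation (not code from the question, the answer, or ASP.NET Core): a toy provider that keeps its retired key in the JWKS after rotating, and a validator that caches the keys, re-downloads them after a refresh interval, and re-downloads once more when a token names a `kid` it has not cached (the same fallback the real JwtBearer handler applies by default). It assumes constructed HS256 secrets in place of the provider's RSA keys and a caller-supplied clock instead of wall time.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Toy HS256 JWT whose header names the signing key by 'kid'."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

class Provider:
    """Toy OIDC provider: the active key signs; retired keys stay published for overlap."""
    def __init__(self):
        self.keys = {"key-2023": b"old-secret"}  # constructed sample key material
        self.active = "key-2023"

    def rotate(self, kid: str, key: bytes) -> None:
        self.keys[kid] = key  # the previous kid is deliberately NOT removed
        self.active = kid

    def jwks(self) -> dict:
        return dict(self.keys)  # what the discovery document would expose

class CachedValidator:
    """Mimics the JwtBearer key cache: refetch after refresh_interval seconds,
    plus one extra fetch when a token names a kid that is not in the cache."""
    def __init__(self, provider: Provider, refresh_interval: float):
        self.provider, self.refresh_interval = provider, refresh_interval
        self.cache, self.fetched_at, self.fetches = None, None, 0

    def _fetch(self, now: float) -> None:
        self.cache, self.fetched_at = self.provider.jwks(), now
        self.fetches += 1  # counted so the test can observe back-channel calls

    def validate(self, token: str, now: float) -> bool:
        if self.cache is None or now - self.fetched_at >= self.refresh_interval:
            self._fetch(now)  # periodic refresh (AutomaticRefreshInterval)
        header_b64, payload_b64, sig_b64 = token.split(".")
        kid = json.loads(_b64url_decode(header_b64)).get("kid")
        if kid not in self.cache:
            self._fetch(now)  # unknown kid: retry once with freshly downloaded keys
        key = self.cache.get(kid)
        if key is None:
            return False  # kid unknown even after refresh: reject
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, _b64url_decode(sig_b64))
```

Tokens signed before the rotation keep validating from the cache, tokens under the new key trigger a single refetch, and a signature that does not match the published key for its `kid` is rejected.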