Last post Oct 08, 2019 03:24 AM by Nan Yu
Sep 27, 2019 03:45 PM | CraigBurton
Setup is an ASP.NET Web API, using Microsoft.Owin.Security.Jwt. Configured to allow UseJwtBearerAuthentication with JwtBearerAuthenticationOptions with a single SymmetricKeyIssuerSecurityKeyProvider, with a given secret (currently provided in config on startup).
It is also providing those JWTs (System.IdentityModel.Tokens.Jwt.JwtSecurityToken), signing them in an ISecureDataFormat.Protect method with a new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey from that same secret.
That works OK. However, best practice appears to be to rotate that signing secret periodically. I've failed to search up any indication of how best to do this. I can change the secret in the Protect method (signing the JWT in the first place) readily, but all I can see for changing the secret on the receiving/validation side is to possibly add a new SymmetricKeyIssuerSecurityKeyProvider with the new secret (and then probably remove the old secret's key provider when it is no longer supported). Is that valid - so basically changing the list of IssuerSecurityKeyProviders in the JwtBearerAuthenticationOptions? Would that get picked up by the OWIN middleware, or has config been done by then?
Any pointers as to how to do this would be much appreciated.
Oct 08, 2019 03:24 AM | Nan Yu
Hi CraigBurton,
First of all, you still need to share the secrets with each of the services (issue token, validate token) in a secure way, for example by storing them in Azure Key Vault.
By default, when the middleware initializes, it reads the symmetric signing keys from settings, SymmetricKeyIssuerSecurityKeyProvider or any other provider, and caches the keys if needed. To enable the new keys when the key store refreshes them using some kind of secret rotation algorithm, you can add an `OnAuthenticationFailed` event to your JWT bearer middleware, confirm the signature validation error, get the new available keys from your local files/Azure Key Vault, validate again, and return a true/false result accordingly.
Another way is to manually validate the token, not using the JWT bearer middleware. You can validate the token using JwtSecurityTokenHandler:
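Below is an added example of the manual JwtSecurityTokenHandler validation described above, written for this thread rather than taken from the original posts or from the library. It issues tokens with the newest key, keeps the previous key accepted for verification so tokens issued before a rotation keep working, and looks keys up through an `IssuerSigningKeyResolver` so a rotation is picked up on the next validation without touching middleware setup. `RotatingKeyStore`, the issuer/audience strings and the secrets are all constructed for the example; a real store would be backed by config or Azure Key Vault as Nan Yu suggests.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Hypothetical in-memory key store standing in for config / Azure Key Vault.
// Index 0 is the key used for signing; older keys stay valid for verification
// until they fall off the end, so tokens issued before a rotation keep working.
public sealed class RotatingKeyStore
{
    private readonly object _gate = new object();
    private readonly List<SymmetricSecurityKey> _keys = new List<SymmetricSecurityKey>();
    private readonly int _keep;

    public RotatingKeyStore(string initialSecret, int keep = 2)
    {
        _keep = keep;
        Rotate(initialSecret);
    }

    public SymmetricSecurityKey SigningKey
    {
        get { lock (_gate) return _keys[0]; }
    }

    public IEnumerable<SecurityKey> VerificationKeys
    {
        get { lock (_gate) return _keys.ToArray(); }
    }

    public void Rotate(string newSecret)
    {
        // A kid header lets the verifier pick the matching key instead of trying all of them.
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(newSecret))
        {
            KeyId = Guid.NewGuid().ToString("N")
        };
        lock (_gate)
        {
            _keys.Insert(0, key);
            if (_keys.Count > _keep) _keys.RemoveRange(_keep, _keys.Count - _keep);
        }
    }
}

public static class JwtRotationDemo
{
    // Assumed issuer/audience values for the example; substitute your own.
    const string Issuer = "https://issuer.example";
    const string Audience = "my-api";

    public static string Issue(RotatingKeyStore store, string subject)
    {
        var creds = new SigningCredentials(store.SigningKey, SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, subject) },
            expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Manual validation. The resolver runs on every call, so keys rotated into the
    // store since the last call are used immediately; retired keys are no longer offered.
    public static ClaimsPrincipal Validate(RotatingKeyStore store, string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            ValidateIssuerSigningKey = true,
            IssuerSigningKeyResolver = (token, securityToken, kid, p) =>
                store.VerificationKeys.Where(k => kid == null || k.KeyId == kid),
            ClockSkew = TimeSpan.FromMinutes(1)
        };
        SecurityToken validated;
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out validated);
    }

    public static void Main()
    {
        // Constructed secrets; real HS256 keys should be at least 32 random bytes.
        var store = new RotatingKeyStore("constructed-secret-A-0123456789abcdef");
        var oldToken = Issue(store, "alice");

        store.Rotate("constructed-secret-B-0123456789abcdef");   // key A still accepted
        // The handler maps "sub" to ClaimTypes.NameIdentifier by default.
        Console.WriteLine(Validate(store, oldToken).FindFirst(ClaimTypes.NameIdentifier)?.Value);
        var newToken = Issue(store, "bob");                      // signed with key B
        Console.WriteLine(Validate(store, newToken).FindFirst(ClaimTypes.NameIdentifier)?.Value);

        store.Rotate("constructed-secret-C-0123456789abcdef");   // key A retired
        try { Validate(store, oldToken); }
        catch (SecurityTokenException e) { Console.WriteLine("old token rejected: " + e.GetType().Name); }
    }
}
```

The overlap window (`keep`) should be at least as long as the longest token lifetime, otherwise valid tokens are rejected the moment the old key is retired. To my knowledge `JwtBearerAuthenticationOptions` also exposes a `TokenValidationParameters` property, so the same resolver can be handed to the OWIN middleware instead of editing the `IssuerSecurityKeyProviders` list after startup; check this against the version of Microsoft.Owin.Security.Jwt you are running.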