Might certification (key) of Azure Active Directory be changed?

    Question

  • Hi.

    Though I get the key from https://login.microsoftonline.com/common/discovery/keys for the verification of the access token, might this key be changed?

    Response time is too high because this address is accessed every time to get the key.

    I want to get the key from this address just once when the server starts.

    Regards

    Tuesday, April 18, 2017 11:48 AM

Answers

  • Yes, the keys can and will be changed. And they have been changed before.

    You don't need to retrieve the keys URL on every request. You can cache it.

    The JWT tokens have a field called "x5t" that identifies the key that signed them. If your cache doesn't contain the key with which a JWT token was signed, then you can update the cache and check again.

    • Marked as answer by aktaka Thursday, July 6, 2017 6:04 AM
    Wednesday, April 19, 2017 6:58 AM
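
The cache-and-refresh-on-miss approach from the answer above, as an added example that is not part of the original thread. `SigningKeyCache`, `token_x5t`, `fetch_jwks` and the 300-second minimum refresh interval are assumptions made for illustration; verifying the token signature with the returned key is left to your JWT library.

```python
import base64
import json
import time
import urllib.request

JWKS_URL = "https://login.microsoftonline.com/common/discovery/keys"  # URL from the question

def fetch_jwks(url=JWKS_URL):
    """Download the key set; called only on first use and on a cache miss."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def token_x5t(token):
    """Read "x5t" from the (still unverified) JWT header; use it only as a lookup key."""
    header_b64 = token.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded)).get("x5t")

class SigningKeyCache:
    def __init__(self, fetch=fetch_jwks, min_refresh_interval=300, clock=time.monotonic):
        self._fetch, self._clock = fetch, clock
        self._min_interval = min_refresh_interval  # assumed value, tune per deployment
        self._keys, self._last_refresh = {}, None

    def _refresh(self):
        fresh = {k["x5t"]: k for k in self._fetch().get("keys", []) if "x5t" in k}
        if fresh:  # keep the previous set if the response carried no keys
            self._keys = fresh
        self._last_refresh = self._clock()

    def get(self, x5t):
        """Return the JWK for x5t, or None (reject the token) if it is unknown."""
        if self._last_refresh is None:
            self._refresh()
        key = self._keys.get(x5t)
        # Unknown x5t: refetch, but rate-limit so forged headers cannot force a fetch per request.
        if key is None and self._clock() - self._last_refresh >= self._min_interval:
            self._refresh()
            key = self._keys.get(x5t)
        return key

if __name__ == "__main__":
    # Constructed key sets standing in for the endpoint before and after a rotation.
    docs = iter([{"keys": [{"x5t": "key-A"}]}, {"keys": [{"x5t": "key-B"}]}])
    now = [0.0]
    cache = SigningKeyCache(fetch=lambda: next(docs), clock=lambda: now[0])
    print(cache.get("key-A"))  # served from the first fetch
    now[0] = 600.0
    print(cache.get("key-B"))  # miss, one refresh, then found
```

A `None` result means the token's key is not in the current key set, so the token should be rejected rather than retried in a loop.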