Azure AD B2C - Force Signing Key Rollover for B2C Directory

  • Question

  • Hi,

    I'm using Azure B2C as the Identity Provider in my application to authenticate users and return ID tokens. The web app then needs to validate the ID token. The web app uses the endpoint "https://{TenantName}.b2clogin.com/{TenantName}.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={PolicyName}" to get the signing key (among other things) and uses that signing key to validate the tokens.

    I understand from Microsoft's documentation that the signing key can be rolled over at any point, so the validating app must cater for a change of signing key. Furthermore, there can be more than one signing key at any time, so validation should happen against all the available keys (not just one).

    What I wanted to know is:

    1) Currently when I get the signing key(s), only 1 key is returned. I'm guessing that multiple keys are only supplied when a rollover is in progress?

    2) Is it possible for me to manually force a change of signing key (i.e. force Azure B2C to start using a new signing key and invalidate the previous key altogether)? I'd like to do this first to test that the validation library I use (Microsoft.Owin.Security.Jwt) automatically handles multiple signing keys. And also, in case of a breach, can I just change the signing key to invalidate all existing keys and tokens?

    Thursday, May 21, 2020 3:21 AM
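The two concerns in the question, validating against every key the directory publishes and surviving a rollover where the set of keys changes underneath the app, are the core of any JWKS-based validator. The following is an added example, not code from the post, from Microsoft, or from Microsoft.Owin.Security.Jwt. To stay self-contained it uses HS256 with symmetric "oct" JWKs instead of the RS256 RSA keys Azure AD B2C actually publishes; the key-selection logic is the same either way: read `kid` from the token header, pick that key from the cached JWKS, refresh the JWKS once if the `kid` is unknown (a new key may have just been published), and reject tokens whose `kid` is no longer published after a retirement. The issuer, audience, key ids and secrets are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values standing in for a real B2C policy issuer and app client id.
ISSUER = "https://contoso.b2clogin.com/constructed-tenant-id/v2.0/"
AUDIENCE = "constructed-client-id"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: dict) -> str:
    """Mint a compact JWT with a symmetric 'oct' JWK; the key id travels in the header."""
    header = {"alg": "HS256", "typ": "JWT", "kid": key["kid"]}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(_b64url_decode(key["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class JwksValidator:
    """Validates tokens against every key in the published JWKS, selected by 'kid'."""

    def __init__(self, fetch_jwks, issuer, audience):
        self._fetch = fetch_jwks  # callable returning the parsed jwks_uri document
        self._keys = {}
        self.issuer, self.audience = issuer, audience
        self.refresh()

    def refresh(self):
        self._keys = {k["kid"]: k for k in self._fetch()["keys"]}

    def validate(self, token, now=None):
        try:
            h_b64, c_b64, s_b64 = token.split(".")
        except ValueError:
            raise ValueError("malformed token") from None
        header = json.loads(_b64url_decode(h_b64))
        if header.get("alg") != "HS256":  # allow-list the algorithm; never trust 'none'
            raise ValueError("unexpected alg")
        kid = header.get("kid")
        key = self._keys.get(kid)
        if key is None:
            # A rollover may have published a new key since the last fetch: refresh once.
            # In production, rate-limit this so unknown kids cannot trigger fetch storms.
            self.refresh()
            key = self._keys.get(kid)
            if key is None:
                raise ValueError(f"unknown kid {kid!r}")
        expected = hmac.new(_b64url_decode(key["k"]), f"{h_b64}.{c_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(c_b64))
        now = time.time() if now is None else now
        if claims.get("iss") != self.issuer:
            raise ValueError("bad issuer")
        if claims.get("aud") != self.audience:
            raise ValueError("bad audience")
        if claims.get("exp", 0) <= now:
            raise ValueError("expired")
        return claims


def _outcome(fn):
    """Return the token subject on success, or the rejection reason."""
    try:
        return fn()["sub"]
    except ValueError as exc:
        return str(exc)


def demo_rollover():
    """Walk a signing-key rollover: old key only, both keys, then new key only."""
    old_key = {"kty": "oct", "kid": "key-2020-01", "k": _b64url_encode(b"constructed-old-secret")}
    new_key = {"kty": "oct", "kid": "key-2020-05", "k": _b64url_encode(b"constructed-new-secret")}
    published = {"keys": [old_key]}  # stands in for the tenant's jwks_uri document
    fetches = []

    def fetch_jwks():
        fetches.append(1)
        return json.loads(json.dumps(published))  # fresh copy, like an HTTP response

    now = 1_590_000_000
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "constructed-user", "exp": now + 3600}
    token_old, token_new = sign_hs256(claims, old_key), sign_hs256(claims, new_key)
    v = JwksValidator(fetch_jwks, ISSUER, AUDIENCE)
    r = {"old_before_rollover": _outcome(lambda: v.validate(token_old, now))}
    published["keys"] = [old_key, new_key]  # rollover starts: both keys published
    r["new_during_rollover"] = _outcome(lambda: v.validate(token_new, now))  # unknown kid -> refresh
    r["fetches_after_rollover"] = len(fetches)
    r["old_during_rollover"] = _outcome(lambda: v.validate(token_old, now))
    published["keys"] = [new_key]  # old key retired
    v.refresh()  # a periodic refresh picks up the retirement
    r["old_after_retirement"] = _outcome(lambda: v.validate(token_old, now))
    spoofed = sign_hs256(claims, {"kid": new_key["kid"], "k": old_key["k"]})  # wrong key, right kid
    r["spoofed_kid"] = _outcome(lambda: v.validate(spoofed, now))
    r["expired"] = _outcome(lambda: v.validate(token_new, now + 7200))
    return r


if __name__ == "__main__":
    for name, value in demo_rollover().items():
        print(f"{name}: {value}")
```

The walk-through answers the question's point 1 in code: while both keys are published, tokens signed with either validate, and a token carrying a `kid` not yet cached triggers exactly one extra JWKS fetch. It also shows why a cache alone is not enough for the breach scenario in point 2: the old key stays accepted until the validator refreshes after the directory stops publishing it, so a periodic refresh (not only refresh-on-unknown-kid) is what bounds how long a retired key is still trusted.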

All replies

  • I would suggest posting this question on the MS Q&A forum below as well. Use the tag azure-ad-b2c.

    Ask a Question - Microsoft Q&A

    If the response helped, do "Mark as answer" and upvote it
    - Vaibhav

    Thursday, May 21, 2020 8:14 AM
  • Apologies for the delayed response smhussam, all the MSDN Azure Forums have been migrated to Microsoft Q&A as our new forums. For follow-up on this question or any new questions in future, kindly reach out on Microsoft Q&A. As suggested by Vaibhav, please use the azure-ad-b2c tag for this specific question.

    Wednesday, June 10, 2020 4:36 AM