Layer7 API Management

  • 1.  How to handle Azure AD rolling keys for OAuth 2.0

    Posted Oct 04, 2017 04:47 AM

    Our organisation is planning to use Azure AD as the IDP for the APIs we expose on the APIGW.
    An application on the internet will acquire an Azure AD OAuth token and authorize towards the API gateway using it.


    JWS tokens are quite easy to verify on the APIGW. However, I am looking for information on handling the rolling signing keys Azure AD uses:

    Signing Key Rollover in Azure AD | Microsoft Docs 



  • 2.  Re: How to handle Azure AD rolling keys for OAuth 2.0

    Broadcom Employee
    Posted Oct 04, 2017 12:53 PM

    I haven't found any use cases in our system specific to this, but I do know Azure AD in general has been put into a Gateway feature request, so converting this to an idea might be wise.

    Seems the Gateway feature request identifier would be F28201.

    Thanks.



  • 3.  Re: How to handle Azure AD rolling keys for OAuth 2.0

    Posted Oct 06, 2017 02:29 AM

    Ah, yes, I can describe our use case.


    Our internal AD is replicated towards Azure AD. All our staff are also available in Azure AD, for logon to the Microsoft Office cloud solutions.

    Now, when we build mobile apps for use by staff members, we want to leverage Azure AD for authentication.
    Using Azure AD, the mobile apps can obtain an OAuth token.
    These mobile apps can then call APIs that are hosted on our internal on-premise infrastructure and protected/authenticated by the CA API Gateway.


    In this case, Azure AD is the IDP/authorization server, and the API GW is the resource provider.


    To put this in an idea, I have to refer to F28201; do I just put it in the text somewhere?



  • 4.  Re: How to handle Azure AD rolling keys for OAuth 2.0
    Best Answer

    Broadcom Employee
    Posted Oct 08, 2017 08:51 PM


  • 5.  Re: How to handle Azure AD rolling keys for OAuth 2.0

    Posted Oct 09, 2017 04:00 AM

    Mark,


    Thanks for the link; it will certainly be useful in many cases. In this case perhaps it is a bit much, but perhaps I misunderstand how it works?

    The JSON Web Tokens Azure AD creates can be validated just by their signatures, so there is no need for an active IDP link. The only problem is that Microsoft uses many kids (key IDs) in their JSON Web Tokens, so we have to keep downloading new public keys, which can switch dynamically at any moment in time.


    I was thinking of building something to store the public keys in a local in-memory cache. But I do not know if that is a good idea, or whether there are better options for storing these Microsoft signer keys.
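    One way to build the in-memory signer-key cache the post above considers, as an added Python example that is not from this thread or from the Layer7 product: keys are looked up by the kid in the token header, an unknown kid triggers a re-fetch of the JWKS document (so a rolled key is picked up), and re-fetches are rate limited so that tokens carrying invented kids cannot turn the gateway into a client hammering the issuer. The JWKS fetch is injected (in production a GET of the jwks_uri from the issuer's OpenID discovery document), the key material is a constructed placeholder, and the RS256 signature check with the selected key is left to the gateway's existing JWT validation.

```python
import base64, json, time

def jwt_kid(token):  # kid from the protected header; alg is pinned to RS256 before any key lookup
    h = token.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(h + "=" * (-len(h) % 4)))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    return header["kid"]

class JwksKeyCache:
    """JWKS cache keyed by kid; an unknown kid triggers a rate-limited re-fetch so a rolled key is picked up."""
    def __init__(self, fetch_jwks, min_refresh_interval=300, now=time.time):
        self._fetch, self._min, self._now = fetch_jwks, min_refresh_interval, now
        self._keys, self._last_refresh = {}, None

    def refresh(self):
        jwks = self._fetch()  # production: GET the jwks_uri named in the issuer's OpenID discovery document
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k and k.get("use", "sig") == "sig"}
        self._last_refresh = self._now()

    def key_for(self, kid):
        if self._last_refresh is None:
            self.refresh()
        key = self._keys.get(kid)
        if key is None and self._now() - self._last_refresh >= self._min:
            self.refresh()  # issuer may have rolled keys: look again, at most once per cooldown
            key = self._keys.get(kid)
        if key is None:
            raise KeyError("no current signing key with kid %r" % kid)
        return key

# Constructed sample JWKS entries (placeholder key material, not real Azure AD keys).
_OLD = {"kid": "key-old", "kty": "RSA", "use": "sig", "e": "AQAB", "n": "PLACEHOLDER"}
_NEW = {"kid": "key-new", "kty": "RSA", "use": "sig", "e": "AQAB", "n": "PLACEHOLDER"}
SAMPLE_TOKEN = base64.urlsafe_b64encode(b'{"alg":"RS256","kid":"key-new"}').rstrip(b"=").decode() + ".e30.c2ln"

def demo():  # simulate a rollover; returns (kid hit, kid hit after roll, forged-kid outcome, fetch count)
    state = {"fetches": 0, "t": 1000.0}
    def fetch():  # stand-in for the HTTPS fetch: first call sees the old document, later ones the rolled one
        state["fetches"] += 1
        return {"keys": [_OLD]} if state["fetches"] == 1 else {"keys": [_OLD, _NEW]}
    cache = JwksKeyCache(fetch, min_refresh_interval=300, now=lambda: state["t"])
    first = cache.key_for("key-old")["kid"]               # initial load: fetch #1
    state["t"] += 600
    second = cache.key_for(jwt_kid(SAMPLE_TOKEN))["kid"]  # unknown kid, cooldown over: fetch #2
    try:
        third = cache.key_for("forged-kid")["kid"]        # unknown kid inside cooldown: no fetch
    except KeyError:
        third = "rejected"
    return first, second, third, state["fetches"]
```

    A periodic refresh (for example daily) on top of the miss-triggered one keeps the cache warm, since the issuer publishes a new key in the JWKS document before signing with it.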



  • 6.  Re: How to handle Azure AD rolling keys for OAuth 2.0

    Posted Jun 07, 2018 12:47 AM

    Can I ask what you ended up building for key rotation?