Azure active directory JWT Public key changing

Azure AD randomly changes the JWT public token without warning. Am I able to turn the functionality off completely? I would like the public key to never change.

Asked by Nate Mann, Nov 02 '25 15:11


1 Answer

Azure AD signing keys are rotated on a periodic basis as well as on an immediate basis sometimes.

Please take a look at the related Microsoft guidance: Signing key rollover in Azure Active Directory

For security purposes, Azure AD’s signing key rolls on a periodic basis and, in the case of an emergency, could be rolled over immediately. Any application that integrates with Azure AD should be prepared to handle a key rollover event no matter how frequently it may occur. If it doesn’t, and your application attempts to use an expired key to verify the signature on a token, the sign-in request will fail.

In your question you've mentioned "Am I able to turn the functionality off completely? I would like the public key to never change."

You cannot control this behavior, as explained in the documentation above. Your application needs to be designed so that it can handle this key rotation.

You can always get to the latest signing keys using the OpenID Connect discovery document. Look for jwks_uri value.

You can use common endpoints to get to that information or tenant specific endpoints as well.

Azure AD V1 common endpoint - https://login.microsoftonline.com/common/.well-known/openid-configuration
Azure AD V2 common endpoint - https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

Signing Keys can be found at a URL like

Azure AD V1 - https://login.microsoftonline.com/common/discovery/keys
Azure AD V2 - https://login.microsoftonline.com/common/discovery/v2.0/keys

Again, you could use a tenant-specific endpoint as well, like

https://login.microsoftonline.com/mytenant.onmicrosoft.com/discovery/keys
https://login.microsoftonline.com/mytenant.onmicrosoft.com/discovery/v2.0/keys

The kid value found for the keys here will match the identifier of the key that has been used for signing the token you receive. This you can check in the token header. Example:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "iBjL1Rcqzhiy4fpxIxdZqohM2Yk",
  "kid": "iBjL1Rcqzhiy4fpxIxdZqohM2Yk"
}

On a side note -

  1. In case you plan to cache some keys, your app will need to regularly check back for updates and, in case of failure, go to the endpoint above on demand to get the new keys. This Microsoft documentation on validating the signature mentions that

    A reasonable frequency to check for updates to the public keys used by Azure AD is every 24 hours.

  2. Many times, validating tokens explicitly is not even required, since the Azure AD middleware has built-in capabilities for validating access tokens.

Answered by Rohit Saigal, Nov 04 '25 11:11
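As an added example (not part of the answer above, and not Microsoft's code), here is the kid-based key selection the answer describes: a JWKS cache that re-checks the discovery endpoint on the documented 24-hour schedule and also refetches on demand when a token arrives with a kid it has never seen, with that on-demand refetch throttled. The fetcher and clock are injected (assumed names) so it runs offline; the selected JWK is then handed to a JWT library for the actual RS256 signature check, which is not shown here.

```python
import base64
import json
import time
from typing import Callable, Dict, Optional

# The endpoint URL is the V2 common JWKS URL quoted in the answer; the
# refresh interval is the "every 24 hours" figure from the Microsoft docs.
V2_COMMON_JWKS = "https://login.microsoftonline.com/common/discovery/v2.0/keys"
REFRESH_INTERVAL = 24 * 3600   # scheduled re-check of the key set
MIN_REFETCH_GAP = 300          # assumed throttle for unknown-kid refetches


def jwt_header(token: str) -> dict:
    """Decode the JOSE header (unverified) only to read alg and kid."""
    seg = token.split(".")[0]
    seg += "=" * (-len(seg) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


class JwksCache:
    def __init__(self, fetch: Callable[[str], dict],
                 now: Callable[[], float] = time.time, url: str = V2_COMMON_JWKS):
        self._fetch, self._now, self._url = fetch, now, url
        self._keys: Dict[str, dict] = {}
        self._fetched_at = float("-inf")  # forces a fetch on first use
        self.fetch_count = 0

    def _refresh(self) -> None:
        jwks = self._fetch(self._url)
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._fetched_at = self._now()
        self.fetch_count += 1

    def key_for(self, kid: str) -> Optional[dict]:
        """Return the JWK matching kid; refresh on schedule or on a likely rollover."""
        age = self._now() - self._fetched_at
        if age >= REFRESH_INTERVAL:                                  # periodic check
            self._refresh()
        elif kid not in self._keys and age >= MIN_REFETCH_GAP:       # possible rollover
            self._refresh()
        return self._keys.get(kid)


def select_key(cache: JwksCache, token: str) -> Optional[dict]:
    """Pick the verification key for a token; None means 'reject, no usable key'."""
    hdr = jwt_header(token)
    if hdr.get("alg") != "RS256" or "kid" not in hdr:  # only accept the expected alg
        return None
    return cache.key_for(hdr["kid"])
```

The throttle matters because a stream of tokens carrying made-up kids would otherwise turn every request into a fetch against the discovery endpoint; a None result is simply a rejected token.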