
6uy2q (6uy2q) asked a question.
We have a .NET 6 Web API project. We validate the Okta token by signing key, issuer, audience, etc. Could you tell me how to handle signing-key rotation in code? We have cached the metadata retrieval for one day. What if we get a new signing key due to signing-key rotation? Because of the cache, the code will fail. Should we catch the error and refresh the cache, as in the code sample below?
    using System.IdentityModel.Tokens.Jwt;
    using System.Security.Claims;
    using Microsoft.IdentityModel.Protocols;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    using Microsoft.IdentityModel.Tokens;

    // Built once and reused; it caches the discovery document and the JWKS it points to.
    // config.WellKnownEndpoint, _config.Issuer, _config.Audience and oktaAccessToken come
    // from the application's own configuration and request handling.
    var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
        config.WellKnownEndpoint,
        new OpenIdConnectConfigurationRetriever(),
        new HttpDocumentRetriever());
    // Minimum gap between on-demand refreshes (RequestRefresh) that are honoured.
    configurationManager.RefreshInterval = new TimeSpan(0, 0, 1);
    // Background re-fetch of the cached metadata once a day.
    configurationManager.AutomaticRefreshInterval = new TimeSpan(1, 0, 0, 0);

    var discoveryDocument = await configurationManager.GetConfigurationAsync();
    var signingKeys = discoveryDocument.SigningKeys;
    var validationParameters = new TokenValidationParameters()
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        RequireSignedTokens = true,
        ValidIssuer = _config.Issuer,
        ValidAudience = _config.Audience,
        ClockSkew = TimeSpan.Zero,
        IssuerSigningKeys = signingKeys,
    };
    var handler = new JwtSecurityTokenHandler();
    SecurityToken rawValidatedToken = null;
    ClaimsPrincipal principal = null;
    try
    {
        principal = handler.ValidateToken(oktaAccessToken, validationParameters, out rawValidatedToken);
    }
    catch (SecurityTokenSignatureKeyNotFoundException)
    {
        // The token's "kid" is not in the cached key set (the exception thrown on key
        // rotation; SecurityTokenEncryptionKeyNotFoundException is for decryption keys).
        configurationManager.RequestRefresh();
    }
    catch (SecurityTokenInvalidSignatureException)
    {
        configurationManager.RequestRefresh();
    }
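The pattern the question asks about, worked through end to end as an added example (this is not code from the original post, from Okta or from Microsoft). It assumes a .NET 6 Web SDK project with implicit usings and the Microsoft.AspNetCore.Authentication.JwtBearer and System.IdentityModel.Tokens.Jwt packages; the Issuer and Audience values, the /whoami route and the OktaTokenValidator class are hypothetical. It shows both the JwtBearer middleware, whose RefreshOnIssuerKeyNotFound option already refreshes the cached keys when a token carries an unknown "kid", and a manual validator that refreshes and retries once.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Hypothetical values; in a real app they come from appsettings.json.
const string Issuer = "https://example.okta.com/oauth2/default";
const string Audience = "api://default";

// One ConfigurationManager per process. It caches the discovery document and the
// JWKS it points to, re-fetches them in the background every AutomaticRefreshInterval,
// and honours RequestRefresh() at most once per RefreshInterval, so a flood of tokens
// with bogus "kid" values cannot make the API hammer the Okta keys endpoint.
var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
    $"{Issuer}/.well-known/openid-configuration",
    new OpenIdConnectConfigurationRetriever(),
    new HttpDocumentRetriever { RequireHttps = true })
{
    AutomaticRefreshInterval = TimeSpan.FromHours(12),
    RefreshInterval = TimeSpan.FromMinutes(5),
};

var validationParameters = new TokenValidationParameters
{
    ValidateIssuer = true,
    ValidIssuer = Issuer,
    ValidateAudience = true,
    ValidAudience = Audience,
    ValidateLifetime = true,
    ValidateIssuerSigningKey = true,
    RequireSignedTokens = true,
    ClockSkew = TimeSpan.FromSeconds(30),
    // IssuerSigningKeys is deliberately left unset: the keys are taken from the
    // cached configuration at validation time, so a refresh is picked up automatically.
};

// Path 1: the JwtBearer handler. With RefreshOnIssuerKeyNotFound (true by default) it
// calls ConfigurationManager.RequestRefresh() when validation throws
// SecurityTokenSignatureKeyNotFoundException; that request gets a 401 and the
// following requests are validated against the refreshed key set.
var builder = WebApplication.CreateBuilder(args);
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.ConfigurationManager = configurationManager;
        options.RefreshOnIssuerKeyNotFound = true;
        options.TokenValidationParameters = validationParameters;
    });
builder.Services.AddAuthorization();
builder.Services.AddSingleton(new OktaTokenValidator(configurationManager, validationParameters));
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/whoami", (ClaimsPrincipal user) => user.Identity?.Name ?? "anonymous")
   .RequireAuthorization();
app.Run();

// Path 2: validating a token by hand (the scenario in the question), with an explicit
// refresh-and-retry on an unknown "kid" so the first request after a rotation succeeds too.
public sealed class OktaTokenValidator
{
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _configurationManager;
    private readonly TokenValidationParameters _baseParameters;
    private readonly JwtSecurityTokenHandler _handler = new();

    public OktaTokenValidator(ConfigurationManager<OpenIdConnectConfiguration> configurationManager,
                              TokenValidationParameters baseParameters)
    {
        _configurationManager = configurationManager;
        _baseParameters = baseParameters;
    }

    public async Task<ClaimsPrincipal> ValidateAsync(string token, CancellationToken ct = default)
    {
        try
        {
            return await ValidateOnceAsync(token, ct);
        }
        catch (SecurityTokenSignatureKeyNotFoundException)
        {
            // Unknown "kid": most likely a rotated key. Ask for a refresh (rate-limited by
            // RefreshInterval) and validate once more; a second failure propagates to the caller.
            _configurationManager.RequestRefresh();
            return await ValidateOnceAsync(token, ct);
        }
        // SecurityTokenInvalidSignatureException is intentionally not caught: a token whose
        // "kid" matched a cached key but whose signature does not verify is tampered or
        // forged, and no new key will make it valid.
    }

    private async Task<ClaimsPrincipal> ValidateOnceAsync(string token, CancellationToken ct)
    {
        var configuration = await _configurationManager.GetConfigurationAsync(ct);
        var parameters = _baseParameters.Clone();
        parameters.IssuerSigningKeys = configuration.SigningKeys;
        return _handler.ValidateToken(token, parameters, out _);
    }
}
```

Two points of this design matter for security. First, only SecurityTokenSignatureKeyNotFoundException triggers a refresh: refreshing on any signature failure would let anyone who can send a request force metadata fetches against Okta. Second, RefreshInterval is the cap on how often those on-demand fetches can happen; with the one-second value from the question, every token with an unknown "kid" costs an outbound request, whereas a few minutes is enough for a legitimate rotation and keeps the API well inside Okta's rate limits.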

Hi @6uy2q (6uy2q),
Thank you for posting on the Okta community page!
I have done some research and I have managed to find a couple of articles that contain information about key rotation:
Additionally, my advice would be to leverage the Okta Developer forums for this type of question and take advantage of their expertise.
On another note, the Okta Community Catalysts Program is now live. Collect online badges when you participate in the Okta Help Center Questions community. Learn more here.