added KeyContainer for storing RSA keys #9
nordbo wants to merge 1 commit into mrsheepuk:master from nordbo:master
Conversation
Interesting! I have been trying something similar out in this branch but yours is a much more straightforward way of reaching the same result. I'll have a look and see if I can combine your approach with what I've done in that branch.
Out of curiosity, how does this work if used on an elastic scalable web service on Azure? Multiple machines should use the same private key to sign and validate tokens, right?
Yes absolutely @bragma - which is why the strategy used in this pull request (or my branch) would work if used on a single machine, or used in a situation where the data protection API has been set up to share keys across multiple machines (see the documentation here for info on how this would need to be configured. I've not tried it though).
@bragma I've just noticed that, specifically in the case of Azure, the default DPAPI configuration should handle this so this may well "just work" - see the docs for the default settings here - specifically:
The only problem with this, @nordbo, is that I suspect that when the key rollover occurs (by default every 90 days), signature verification will fail, so, in effect, all logged-in users will be logged out. I think you'd need to use the DPAPI to "unprotect" in a custom validator for checking the signature, but I've not worked out how that should be done yet. I may have misunderstood how the whole thing works though, any ideas? I'll try and run a few tests to see if my suspicion is correct on this one.
Hi. I've updated the code, using a KeyContainer to store the RSA keys. If the key set does not exist, it is created; if it exists, the keys are obtained from the container. See https://msdn.microsoft.com/en-us/library/tswxhw92(v=vs.110).aspx for more information.
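An added example (not code from this PR or from the repository) of the create-or-load pattern the comment above describes, using RSACryptoServiceProvider with CspParameters as in the linked MSDN article: the first call on a host generates the key pair and persists it in a named container, and every later call, including from a fresh process, reopens the same key, so a signature made before a restart still verifies afterwards. The container name, the 2048-bit key size and the sample token payload are assumptions; the page does not show the PR's values. It runs on .NET Framework, or on .NET Core on Windows; elsewhere RSACryptoServiceProvider with CspParameters throws PlatformNotSupportedException.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the PR's code: persist an RSA signing key in a CSP key
// container and reuse it across process restarts to sign and verify a token.
public static class KeyContainerExample
{
    // Assumed container name; the PR does not show which name it uses.
    const string ContainerName = "ExampleTokenSigningKey";

    static CspParameters ContainerParams() => new CspParameters
    {
        KeyContainerName = ContainerName,
        // Machine key store so every account on the host (e.g. an IIS app pool
        // identity) can open the same container; drop the flag for a per-user one.
        Flags = CspProviderFlags.UseMachineKeyStore,
    };

    // Opens the key pair stored under ContainerName, generating and persisting a
    // new 2048-bit pair if the container does not exist yet. When the container
    // already exists the stored key is used and the size argument is ignored.
    public static RSACryptoServiceProvider OpenOrCreateKey()
    {
        // PersistKeyInCsp defaults to true when CspParameters are supplied.
        return new RSACryptoServiceProvider(2048, ContainerParams());
    }

    // Removes the persisted key, as the MSDN article shows: turn persistence off
    // and clear the provider. Useful for tests and for manual key rotation.
    public static void DeleteKey()
    {
        using (var rsa = new RSACryptoServiceProvider(ContainerParams()))
        {
            rsa.PersistKeyInCsp = false;
            rsa.Clear();
        }
    }

    // RS256-style signature over the raw payload bytes (PKCS#1 v1.5, SHA-256).
    public static byte[] Sign(RSA rsa, string payload) =>
        rsa.SignData(Encoding.UTF8.GetBytes(payload), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    public static bool Verify(RSA rsa, string payload, byte[] signature) =>
        rsa.VerifyData(Encoding.UTF8.GetBytes(payload), signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    public static void Main()
    {
        // Constructed sample claims; a real token would be a full JWT.
        string payload = "{\"sub\":\"alice\",\"exp\":1700000000}";
        byte[] sig;

        using (var signer = OpenOrCreateKey())
        {
            sig = Sign(signer, payload);
        }

        // A second instance stands in for a new process or an app restart: it
        // reopens the same container rather than generating a fresh key.
        using (var verifier = OpenOrCreateKey())
        {
            Console.WriteLine(Verify(verifier, payload, sig));        // True: same key reloaded
            Console.WriteLine(Verify(verifier, payload + " ", sig));  // False: payload altered
        }
    }
}
```

The container lives in the local machine's (or user's) key store, so it survives restarts and redeployments on that host but is not shared between hosts; for the scale-out case raised earlier in the thread, every instance would still need the same key, which a per-machine container does not provide by itself.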