The Keys They Are a-Rollin’

Every service that makes use of cryptographic keys will occasionally “roll its keys”, that is to say retire the keys it used up to that moment and start using new ones. That’s done mostly for security reasons: rolling keys puts a limit to the time that bad guys have available for trying their luck against a system.

Azure AD is no exception: it rolls its keys every 6 weeks. MSDN offers a very comprehensive explanation of the process for Azure AD – together with a complete development guide for ensuring that your applications will not experience any downtime during a key roll.

All of our most recent libraries (all the OWIN middleware for OpenId Connect/WS-Federation/OAuth2, projects generated with VS2013, projects created with the Identity and Access Tools in VS2012…) manage key rolls automatically for you, given that they acquire the signing keys dynamically. If you wrote your own validation logic or if you are using very old libraries, however, you might end up in a situation in which your app expects tokens signed with the old key and will consider invalid tokens signed with the new, unknown key. Hopefully that’s not the case for your app! However, if in the last few hours you observed authentication failures in your Azure AD apps, this might be the reason: I recommend taking a look at this MSDN guide to handle the issue, and if at all possible switch to a library that eliminates the risk altogether