[Bug] Specifying multiple decryption certificates

[husseinkorly]

Which version of Microsoft Identity Web are you using?
1.12.0

Where is the issue?

• Web app
  • Sign-in users
  • Sign-in users and call web APIs
• Web API
  • [ x] Protected web APIs (validating tokens)
  • Protected web APIs (validating scopes)
  • Protected web APIs call downstream web APIs
• Token cache serialization
  • [ x] In-memory caches
  • Session caches
  • Distributed caches
• Other (please describe)

Is this a new or an existing app?
The app is in production and I have upgraded to a new version of Microsoft Identity Web.

Repro
Configuring multiple certificates for decryption and only one of them is valid and it can be used.

"TokenDecryptionCertificates": [
      {
        "SourceType": "StoreWithThumbprint",
        "CertificateStorePath": "LocalMachine/My",
        "CertificateThumbprint": "962D129A...D18EFEB6961684"
      },
      {
        "SourceType": "StoreWithThumbprint",
        "CertificateStorePath": "LocalMachine/My",
        "CertificateThumbprint": "962D129A...D18EFEB6960000"
      }
    ]

Expected behavior
A valid certificate (from list of certificates) will be used to decrypt incoming tokens

Actual behavior
Fails to decrypt a token if any of the provided certificate is invalid

Possible solution
Try to decrypt the token with any valid certificate provided.

Additional context / logs / screenshots
n/a

[jmprieur]

@husseinkorly are you saying this is a regression?

[jmprieur]

I think I understand what happens.
Now, when the certificate has expired we set it to null in the CertificateDescription (this was done when implementing the certificate rotation). But Microsoft.IdentityModel does not accept a null certificate.

We should only do the yield:

microsoft-identity-web/src/Microsoft.Identity.Web/CertificateManagement/DefaultCertificateLoader.cs

Line 307 in 37471e7

yield return certDescription.Certificate;

when certDescription.Certificate is not null

[husseinkorly]

@jmprieur I never tested this functionality before until we're getting close to renewing the decryption cert for one of our services. I was hopping to add the new cert as another decryption cert and switch it in the portal (first-party).

[jmprieur]

@jennyf19 is working on a fix.
Meanwhile, I think that version 1.9.2 should work fine in your case.

[husseinkorly]

Thank you. I tried using version 1.9.2 but the API still failing to decrypt the token.

[jmprieur]

Can you tell us more about the exception? https://github.com/AzureAD/microsoft-identity-web/wiki/Logging

[husseinkorly]

I pulled the new changes in master and I still see the same issue. I am using 2 decryption certificates. One of them is a valid certificate (used to encrypt) and another one that still valid but not used to encrypt the token. I see the API still returning 401 and I don't see any exceptions being logged. I think it's related to this issue with identityModel package that doesn't accept a list of decryption keys.

[jennyf19]

@husseinkorly they both have to be decryption certs, not encryption certs. See this page -> "usage": "Encrypt"

if you're using a client credential certificate, like instead of a secret, a cert, it can go in the configuration.

[husseinkorly]

Yes. I am only interested in the decryption cert I have both in the configuration like this for example:

"TokenDecryptionCertificates": [
      {
        "SourceType": "StoreWithThumbprint",
        "CertificateStorePath": "LocalMachine/My",
        "CertificateThumbprint": "962D129A...D18EFEB6961684"
      },
      {
        "SourceType": "StoreWithThumbprint",
        "CertificateStorePath": "LocalMachine/My",
        "CertificateThumbprint": "962D129A...D18EFEB6960000"
      }
    ]

One of them is a valid decryption cert (where I have the .pfx installed in my local machine) and it can decrypt the token just fine, but when I add another cert (I also have the .pfx installed locally) to the list that's just any other cert the API start returning 401.

[jennyf19]

@husseinkorly do both certs work independently? like one at a time, do they both work?

[husseinkorly]

Only one cert can be configured in AAD, but I was assuming if we can have 2 certs and it will use the valid one. This can be useful to rotate the decryption certs without any downtime. We can add the new cert to the configuration, replace it in AAD, and remove the the old one from configuration.

[jmprieur]

@husseinkorly : provided they are both decrypt certificates, this should work.
@brentschmaltz @GeoK @mafurman : we are using TokenValidationParameters.TokenDecryptionKeys. Shouldn't it work?

microsoft-identity-web/src/Microsoft.Identity.Web/WebApiExtensions/MicrosoftIdentityWebApiAuthenticationBuilderExtensions.cs

Line 222 in 6b506eb

options.TokenValidationParameters.TokenDecryptionKeys = keys;

[GeoK]

@jmprieur - Yes, this should work in IdentityModel >=6.8.0.
The library will try to decrypt a token using all decryption keys set on TokenValidationParameters.

[jennyf19]

Fixed in 1.13 release.

but seems to be an issue still with other components. @jmprieur

[jennyf19]

Included in 1.14 release

[husseinkorly]

@jennyf19 @jmprieur
I am not sure how this was validated, but I just got a chance to test it because we have a decryption cert expiring in few weeks. I configured the function with a second decryption cert, and it looks like the library only try the first certificate to decrypt the cert! it is not using the second cert if the first one fails.

We have other services where we pass multiple certificates, and identity model will try to all the available keys to decrypt the cert

I am using version 1.14.0