articles/active-directory-b2c/policy-keys-overview.md
Lines changed: 10 additions & 3 deletions
@@ -50,8 +50,8 @@ The top-level resource for policy keys in Azure AD B2C is the **Keyset** contain
50
50
| Attribute | Required | Remarks |
51
51
| --- | --- |--- |
52
52
|`use`| Yes | Usage: Identifies the intended use of the public key. Encrypting data `enc`, or verifying the signature on data `sig`.|
53
-
|`nbf`| No | Activation date and time. |
54
-
|`exp`| No | Expiration date and time. |
53
+
|`nbf`| No | Activation date and time. An override value can be set manually by admins.|
54
+
|`exp`| No | Expiration date and time. An override value can be set manually by admins.|
55
55
56
56
We recommend setting the key activation and expiration values according to your PKI standards. You might need to rotate these certificates periodically for security or policy reasons. For example, you might have a policy to rotate all your certificates every year.
57
57
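Review bot: the sentence added to the `nbf` and `exp` rows ("An override value can be set manually by admins.") does not say what is being overridden or where. A reader cannot tell whether the override replaces the activation/expiration time recorded on the key in the keyset, or the validity period of the uploaded certificate, and the paragraph directly below this table tells them to set these values according to their PKI standards. Suggest stating explicitly which value is replaced, where in the portal it is set, and whether a manually extended `exp` keeps an otherwise expired key in use for signing, since that is the behaviour a rotation policy depends on. Minor: phrase it in the same voice as the rest of the table, e.g. "Admins can override this value manually in the Azure portal."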
@@ -72,10 +72,17 @@ If an Azure AD B2C keyset has multiple keys, only one of the keys is active at a
72
72
- The key activation is based on the **activation date**.
73
73
- The keys are sorted by activation date in ascending order. Keys with activation dates further into the future appear lower in the list. Keys without an activation date are located at the bottom of the list.
74
74
- When the current date and time is greater than a key's activation date, Azure AD B2C will activate the key and stop using the prior active key.
75
-
- When the current key's expiration time has elapsed and the key container contains a new key with valid *not before* and *expiration* times, the new key will become active automatically.
75
+
- When the current key's expiration time has elapsed and the key container contains a new key with valid *not before* and *expiration* times, the new key will become active automatically. New tokens will be signed with the newly active key. The expired key will continue to be published for token validation until disabled by an admin.
76
+
76
77
- When the current key's expiration time has elapsed and the key container *does not* contain a new key with valid *not before* and *expiration* times, Azure AD B2C won't be able to use the expired key. Azure AD B2C will raise an error message within a dependant component of your custom policy. To avoid this issue, you can create a default key without activation and expiration dates as a safety net.
77
78
- The key's endpoint (JWKS URI) of the OpenId Connect well-known configuration endpoint reflects the keys configured in the Key Container, when the Key is referenced in the [JwtIssuer Technical Profile](./jwt-issuer-technical-profile.md). An application using an OIDC library will automatically fetch this metadata to ensure it uses the correct keys to validate tokens. For more information, learn how to use [Microsoft Authentication Library](../active-directory/develop/msal-b2c-overview.md), which always fetches the latest token signing keys automatically.
78
79
80
+
## Key caching
81
+
82
+
When a key is uploaded, the activation flag on the key is set to false by default. The new key will then be updated on all nodes. Only when the new key has been updated on all cache nodes will the activation flag set to true.
83
+
84
+
The activation flag property is modifiable within the Azure Portal UX allowing admins to disable a key and take it out of rotation. An active key can be an expired key.
85
+
79
86
## Policy key management
80
87
81
88
To get the current active key within a key container, use the Microsoft Graph API [getActiveKey](/graph/api/trustframeworkkeyset-getactivekey) endpoint.
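Review bot: the new "Key caching" section uses "activation flag" and "active key" as if they were the same thing, and that conflicts with the rotation bullets above it. The bullets say the active key is chosen by activation date and that, once expired, a key "won't be able to" be used, while the new section says "An active key can be an expired key." Suggest defining the terms once: the activation flag is an enabled/disabled state that is set to false on upload until the key has replicated to all cache nodes and that an admin can clear to take the key out of rotation, whereas the active key is the one selected for signing among enabled keys by `nbf`/`exp`. With that distinction, the new text on line 75 ("The expired key will continue to be published for token validation until disabled by an admin.") should say plainly that an expired key is published in the JWKS for validation only and is not used to sign new tokens, and should tell admins when to disable it (once tokens signed with it can no longer be valid), because a key that stays published keeps validating tokens signed with it. The section should also say what a policy that references a key sees before replication completes, since the text implies a window in which the key is uploaded but not yet usable. Wording fixes in the same hunk: "will the activation flag set to true" should read "will the activation flag be set to true"; "updated on all nodes" should read "replicated to all cache nodes"; "Azure Portal UX" should read "Azure portal" per the style used elsewhere in the article; "dependant" on line 76 (unchanged context) is "dependent".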