[Feature Request] Proactive AKV certificate refresh strategy #3187

Open
lizMSFT opened this issue Jan 8, 2025 · 0 comments
lizMSFT commented Jan 8, 2025

Is your feature request related to a problem? Please describe.
Our service currently uses Microsoft.Identity.ServiceEssentials (MISE) to handle AuthN and AuthZ. The MISE AzureAuthorizationModule acquires the first-party app token, which is then sent to the Remote PDP for authorization checks. We use certificates as the credentials for our first-party app.

At present, our service uses a custom certificate store to manage certificates. However, we are considering switching to Azure Key Vault (AKV) when initializing the MISE instance. The primary reason we haven't adopted AKV yet is that it doesn't align with our existing behavior. Specifically, we prefer to reload the certificate before it expires, more precisely, once the new certificate is available.

This leads us to several concerns regarding AKV, particularly in terms of how it handles Emergency Certificate Rotation (ECR). From my understanding, when using AKV, Microsoft.Identity.Web will automatically attempt to reload the certificate once it expires. If this is the case, wouldn't it result in a large number of requests to fetch the new certificate version when the current one expires? This could potentially lead to service unavailability.

We are seeking clarification on how Microsoft.Identity.Web and AKV handle ECR.

Describe the solution you'd like
We would like Microsoft.Identity.Web to support a more efficient and reliable mechanism for handling ECR when using AKV. Specifically, we need a solution that can proactively reload the certificate before it expires, or as soon as the new certificate is available, to avoid a surge of requests and potential service unavailability.

Describe alternatives you've considered

  • Custom Certificate Store: We have been using a custom certificate store to manage certificates, but this approach is not sustainable in the long run and may increase security risks.
  • Manual Certificate Reload: Manually reloading the certificate by restarting the service, but this is not an ideal solution as it requires manual intervention and may lead to downtime.
  • Azure Key Vault: Switching to AKV for certificate management, but we have concerns about how AKV handles ECR and the potential for a large number of requests when a certificate expires.

Additional context
We raised this request several months ago and were told that Microsoft.Identity.Web has a design for proactive certificate refresh. We would like to follow up on the status of this support.
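
The refresh behaviour requested above can be sketched as follows. This is an added example, not code from the issue or from Microsoft.Identity.Web: each instance polls for new certificate versions on its own phase of a shared interval, so fetches are spread out instead of all firing at expiry, and it switches as soon as a newer valid version exists. All names (`CertVersion`, `poll_offset`, `next_poll`, `select_active`) and the sample data are hypothetical, and the actual Key Vault fetch is out of scope.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

class CertVersion(NamedTuple):  # hypothetical record of one certificate version
    version: str
    not_before: datetime
    not_after: datetime

def poll_offset(instance_id: str, interval: timedelta) -> timedelta:
    """Stable per-instance phase in [0, interval), derived from the instance id."""
    digest = hashlib.sha256(instance_id.encode()).digest()
    interval_us = interval // timedelta(microseconds=1)
    return timedelta(microseconds=int.from_bytes(digest[:8], "big") % interval_us)

def next_poll(instance_id: str, now: datetime, interval: timedelta) -> datetime:
    """Next poll strictly after `now`, on this instance's own phase."""
    offset = poll_offset(instance_id, interval)
    slots = (now - EPOCH - offset) // interval + 1
    return EPOCH + offset + slots * interval

def select_active(current: CertVersion, versions, now: datetime) -> CertVersion:
    """Newest currently valid version; keeps `current` when nothing newer is usable."""
    usable = [v for v in versions if v.not_before <= now < v.not_after]
    newest = max(usable, key=lambda v: v.not_before, default=current)
    return newest if newest.not_before > current.not_before else current

if __name__ == "__main__":
    # Constructed sample: an emergency rotation publishes v2 long before v1 expires.
    now = datetime(2025, 1, 8, 12, 0, tzinfo=timezone.utc)
    v1 = CertVersion("v1", now - timedelta(days=60), now + timedelta(days=30))
    v2 = CertVersion("v2", now - timedelta(hours=1), now + timedelta(days=90))
    for instance in ("web-1", "web-2", "web-3"):
        print(instance, "polls next at", next_poll(instance, now, timedelta(hours=1)))
    print("active version:", select_active(v1, [v1, v2], now).version)
```

The polling interval bounds how long an instance keeps using a certificate after a rotation, so it is the knob to tune against the acceptable exposure window.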
