Signing key rollover in Azure Active Directory

This article discusses what you need to know about the public keys that Azure Active Directory (Azure AD) uses to sign security tokens. These keys roll over on a periodic basis and, in an emergency, can be rolled over immediately. Every application that relies on Azure AD tokens should either handle key rollover programmatically or have a periodic manual rollover process in place. Read on to understand how the keys work, how to assess the impact of a rollover on your application, and how to update the application, or, where that is not possible, establish a periodic manual rollover process.

Overview of signing keys in Azure AD

Azure AD uses public-key cryptography built on industry standards to establish trust between itself and the applications that use it. In practical terms it works like this: Azure AD holds a signing key consisting of a public and private key pair. When a user signs in to an application that uses Azure AD for authentication, Azure AD creates a security token containing information about the user and signs it with its private key before sending it back to the application. To verify that the token is valid and originated from Azure AD, the application must validate the token's signature with the matching public key, which Azure AD publishes: the tenant's OpenID Connect discovery document points (through its jwks_uri) to the JSON Web Key Set holding the current keys, and the SAML/WS-Fed federation metadata document embeds the signing certificates directly. The signature check is the only thing that ties a token to Azure AD; an application that acts on claims without validating the signature against a published key is trusting whoever produced the token.

For security purposes, Azure AD's signing key rolls on a periodic basis and, in an emergency, can be rolled over immediately. Any application that integrates with Azure AD should be prepared to handle a key rollover event no matter how often it occurs. If it is not, and the application attempts to verify a token's signature with a key that has since been retired, the sign-in request fails.

There is always more than one valid key in the OpenID Connect discovery document (via its key set) and in the federation metadata document. Your application should be prepared to use any of the keys listed there, selecting the one that matches the token (the kid in a JWT header, or the referenced certificate for SAML/WS-Fed), since one key may be about to be rolled, another may be its replacement, and so forth.

How to assess whether your application will be affected and what to do about it

How your application handles key rollover depends on variables such as the type of application and the identity protocol and library it uses. The sections below assess whether the most common types of applications are affected by the key rollover and provide guidance on how to update the application to support automatic rollover or to update the key manually.

Native client applications accessing resources

Applications that only access resources (for example Microsoft Graph, Key Vault, the Outlook API and other Microsoft APIs) generally just obtain a token and pass it along to the resource owner. Because they protect no resource, they do not inspect the token and therefore do not need to ensure it is properly signed; validating the signature is the job of the resource that receives the token.

Native client applications, whether desktop or mobile, fall into this category and are thus not affected by the rollover.

Web applications / APIs accessing resources

Applications that only access resources (for example Microsoft Graph, Key Vault, the Outlook API and other Microsoft APIs) generally just obtain a token and pass it along to the resource owner. Because they protect no resource, they do not inspect the token and therefore do not need to ensure it is properly signed.

Web applications and web APIs that use the app-only flow (client credentials / client certificate) to call such resources fall into this category and are thus not affected by the rollover. Note that this covers only the tokens they send; if the same web API also accepts tokens from callers, the sections below apply to that side of it.

Web applications / APIs protecting resources and built using Azure App Services

The Authentication / Authorization (EasyAuth) feature of Azure App Services already contains the logic needed to handle key rollover automatically.

Web applications / APIs protecting resources using .NET OWIN OpenID Connect, WS-Fed or WindowsAzureActiveDirectoryBearerAuthentication middleware

If your application uses the .NET OWIN OpenID Connect, WS-Fed or WindowsAzureActiveDirectoryBearerAuthentication middleware, it already contains the logic needed to handle key rollover automatically: the middleware retrieves the keys from the metadata document, caches them and refreshes them periodically.

You can confirm that your application uses one of these by looking for any of the following snippets in its Startup.cs or Startup.Auth.cs:

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        // ...
    });
app.UseWsFederationAuthentication(
    new WsFederationAuthenticationOptions
    {
        // ...
    });
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        // ...
    });

Web applications / APIs protecting resources using ASP.NET Core OpenID Connect or JwtBearer middleware

If your application uses the ASP.NET Core OpenID Connect or JwtBearer authentication middleware (OWIN is not involved on .NET Core), it already contains the logic needed to handle key rollover automatically: its ConfigurationManager downloads the discovery document and key set, caches them, refreshes them on an interval, and refetches them when a token carries a key identifier it does not recognize.

You can confirm that your application uses one of these by looking for any of the following snippets in its Startup.cs (ASP.NET Core 1.x). In ASP.NET Core 2.0 and later the same middleware is registered in ConfigureServices through services.AddAuthentication(...).AddOpenIdConnect(...) or .AddJwtBearer(...), with the same refresh behavior:

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectOptions
    {
        // ...
    });
app.UseJwtBearerAuthentication(
    new JwtBearerOptions
    {
        // ...
    });

Web applications / APIs protecting resources using the Node.js passport-azure-ad module

If your application uses the Node.js passport-azure-ad module, it already contains the logic needed to handle key rollover automatically.

You can confirm that your application uses passport-azure-ad by searching for the following snippet in its app.js (a web API that validates bearer tokens uses the module's BearerStrategy in the same way):

var OIDCStrategy = require('passport-azure-ad').OIDCStrategy;

passport.use(new OIDCStrategy({
    //...
}, function (iss, sub, profile, accessToken, refreshToken, done) {
    //... verify callback: look up or create the user, then call done(null, user)
}));

Web applications / APIs protecting resources and created with Visual Studio 2015 or later

If your application was built from a web application template in Visual Studio 2015 or later and you selected Work Or School Accounts from the Change Authentication menu, it already contains the logic needed to handle key rollover automatically. This logic, embedded in the OWIN OpenID Connect middleware, retrieves and caches the keys from the OpenID Connect discovery document and periodically refreshes them.

If you added authentication to your solution manually, your application might not contain the necessary key rollover logic. You will need to write it yourself, or follow the steps in the section Web applications / APIs protecting resources using any other libraries or manually implementing any of the supported protocols.

Web applications protecting resources and created with Visual Studio 2013

If your application was built from a web application template in Visual Studio 2013 and you selected Organizational Accounts from the Change Authentication menu, it already contains the logic needed to handle key rollover automatically. This logic stores your organization's unique identifier and the signing key information in two database tables associated with the project. You can find the connection string for the database in the project's Web.config file.

If you added authentication to your solution manually, your application might not contain the necessary key rollover logic. You will need to write it yourself, or follow the steps in the section Web applications / APIs protecting resources using any other libraries or manually implementing any of the supported protocols.

The following steps help you verify that the logic is working properly in your application.

  1. In Visual Studio 2013, open the solution, and then click the Server Explorer tab in the right-hand window.
  2. Expand Data Connections, DefaultConnection, and then Tables. Locate the IssuingAuthorityKeys table, right-click it, and then click Show Table Data.
  3. The IssuingAuthorityKeys table contains at least one row, corresponding to the thumbprint of a signing key. Delete all rows in the table.
  4. Right-click the Tenants table, and then click Show Table Data.
  5. The Tenants table contains at least one row, corresponding to a unique directory tenant identifier. Delete all rows in the table. If you do not delete the rows in both the Tenants table and the IssuingAuthorityKeys table, you will get an error at runtime.
  6. Build and run the application. After you have signed in to your account, you can stop the application.
  7. Return to Server Explorer and look at the values in the IssuingAuthorityKeys and Tenants tables. They have been repopulated automatically with the current information from the federation metadata document.

Web APIs protecting resources and created with Visual Studio 2013

If you created a web API application in Visual Studio 2013 from the Web API template and selected Organizational Accounts from the Change Authentication menu, the necessary logic is already in your application.

If you configured authentication manually, follow the instructions below to configure your web API to update its key information automatically.

The following code snippet shows how to get the latest keys from the federation metadata document and then use the JWT token handler to validate a token. It is written against an older System.IdentityModel.Tokens.Jwt API (later versions renamed AllowedAudience to ValidAudience and SigningTokens to IssuerSigningTokens / IssuerSigningKeys). The snippet assumes that you will use your own caching mechanism, whether a database, a configuration file or something else, to persist the keys for validating future tokens from Azure AD; that cache must be refreshed periodically, and whenever a token arrives whose key identifier is not in the cache, so that a rolled key is picked up and a retired one eventually drops out.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.IdentityModel.Tokens;
using System.Configuration;
using System.Security.Cryptography.X509Certificates;
using System.Xml;
using System.IdentityModel.Metadata;
using System.ServiceModel.Security;
using System.Threading;

namespace JWTValidation
{
    public class JWTValidator
    {
        // Federation metadata document for your tenant. Keep this an HTTPS address:
        // the keys below are trusted because of where they were fetched from.
        private string MetadataAddress = "[Your Federation Metadata document address goes here]";

        // Validates the JWT that arrives in the Authorization header of an HTTP request.
        public void ValidateJwtToken(string token)
        {
            JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler()
            {
                // Disabled for this sample only; do not ship production code with
                // certificate validation turned off.
                CertificateValidator = X509CertificateValidator.None
            };

            TokenValidationParameters validationParams = new TokenValidationParameters()
            {
                AllowedAudience = "[Your App ID URI goes here, as registered in the Azure Portal]",
                ValidIssuer = "[The issuer for the token goes here, such as https://sts.chinacloudapi.cn/68b98905-130e-4d7c-b6e1-a158a9ed8449/]",
                SigningTokens = GetSigningCertificates(MetadataAddress)

                // Cache the signing tokens by your desired mechanism
            };

            Thread.CurrentPrincipal = tokenHandler.ValidateToken(token, validationParams);
        }

        // Returns a list of certificates from the specified metadata document.
        public List<X509SecurityToken> GetSigningCertificates(string metadataAddress)
        {
            List<X509SecurityToken> tokens = new List<X509SecurityToken>();

            if (metadataAddress == null)
            {
                // Pass the parameter name, not its (null) value.
                throw new ArgumentNullException("metadataAddress");
            }

            using (XmlReader metadataReader = XmlReader.Create(metadataAddress))
            {
                MetadataSerializer serializer = new MetadataSerializer()
                {
                    // Disabled for this sample only; do not ship production code with
                    // certificate validation turned off.
                    CertificateValidationMode = X509CertificateValidationMode.None
                };

                EntityDescriptor metadata = serializer.ReadMetadata(metadataReader) as EntityDescriptor;

                if (metadata != null)
                {
                    // FirstOrDefault (not First), so the null check below is actually reachable.
                    SecurityTokenServiceDescriptor stsd = metadata.RoleDescriptors.OfType<SecurityTokenServiceDescriptor>().FirstOrDefault();

                    if (stsd != null)
                    {
                        IEnumerable<X509RawDataKeyIdentifierClause> x509DataClauses = stsd.Keys.Where(key => key.KeyInfo != null && (key.Use == KeyType.Signing || key.Use == KeyType.Unspecified)).
                                                             Select(key => key.KeyInfo.OfType<X509RawDataKeyIdentifierClause>().First());

                        tokens.AddRange(x509DataClauses.Select(token => new X509SecurityToken(new X509Certificate2(token.GetX509RawData()))));
                    }
                    else
                    {
                        throw new InvalidOperationException("There is no RoleDescriptor of type SecurityTokenServiceType in the metadata");
                    }
                }
                else
                {
                    throw new Exception("Invalid Federation Metadata document");
                }
            }
            return tokens;
        }
    }
}

Web applications protecting resources and created with Visual Studio 2012

If your application was built in Visual Studio 2012, you probably used the Identity and Access Tool to configure it, and you are likely using the Validating Issuer Name Registry (VINR). The VINR maintains information about the trusted identity provider (Azure AD) and the keys used to validate the tokens it issues. The VINR also makes it easy to update the key information stored in Web.config automatically: it downloads the latest federation metadata document for your directory, checks whether the configuration is out of date with respect to that document, and updates the application to use the new key as necessary.

If you created your application from any of the code samples or walkthrough documentation provided by Microsoft, the key rollover logic is already included in your project and you will find the code below already present. If your application does not have this logic yet, follow the steps below to add it and to verify that it works correctly.

  1. In Solution Explorer, add a reference to the System.IdentityModel assembly for the appropriate project.
  2. Open the Global.asax.cs file and add the following using directives:
    using System.Configuration;
    using System.IdentityModel.Tokens;
    
  3. Add the following method to the Global.asax.cs file:
    protected void RefreshValidationSettings()
    {
        string configPath = AppDomain.CurrentDomain.BaseDirectory + "\\" + "Web.config";
        string metadataAddress =
                      ConfigurationManager.AppSettings["ida:FederationMetadataLocation"];
        // Downloads the federation metadata and rewrites the <issuerNameRegistry>
        // section of Web.config with the current issuer and key thumbprints.
        ValidatingIssuerNameRegistry.WriteToConfig(metadataAddress, configPath);
    }
    
  4. Invoke the RefreshValidationSettings() method from Application_Start() in Global.asax.cs, as shown:
    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        ...
        RefreshValidationSettings();
    }
    

Once you have followed these steps, your application's Web.config is updated with the latest information from the federation metadata document, including the latest keys. This update happens every time the application pool recycles in IIS; by default IIS recycles application pools every 29 hours. A key rolled between two recycles is therefore not picked up until the next recycle, so if Azure AD announces an out-of-band rollover, recycle the pool (or restart the application) rather than waiting.

Follow the steps below to verify that the key rollover logic is working.

  1. After you have verified that your application uses the code above, open the Web.config file and navigate to the <issuerNameRegistry> block, looking specifically for the following lines:
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="https://sts.chinacloudapi.cn/ec4187af-07da-4f01-b18f-64c2f5abecea/">
        <keys>
          <add thumbprint="3A38FA984E8560F19AADC9F86FE9594BB6AD049B" />
        </keys>
      </authority>
    </issuerNameRegistry>
    
  2. In the <add thumbprint=""> setting, change the thumbprint value by replacing any one character with a different one. Save the Web.config file.
  3. Build the application, and then run it. If you can complete the sign-in process, your application is successfully updating the key by downloading the required information from your directory's federation metadata document. If you have trouble signing in, check that the changes to your application are correct by reading the Adding Sign-On to Your Web Application Using Azure AD article, or by downloading and inspecting the code sample Multi-Tenant Cloud Application for Azure Active Directory.

Web applications protecting resources and created with Visual Studio 2008 or 2010 and Windows Identity Foundation (WIF) v1.0 for .NET 3.5

If you built an application on WIF v1.0, there is no provided mechanism to refresh your application's configuration automatically so that it uses a new key. You have three options:

  • Easiest way: use the FedUtil tooling included in the WIF SDK, which can retrieve the latest metadata document and update your configuration.
  • Update your application to .NET 4.5, which includes the newest version of WIF in the System namespace. You can then use the Validating Issuer Name Registry (VINR) to update the application's configuration automatically.
  • Perform a manual rollover following the instructions at the end of this guidance document.

Instructions for using FedUtil to update your configuration:

  1. Verify that the WIF v1.0 SDK for Visual Studio 2008 or 2010 is installed on your development machine. If it is not, you can download it from Microsoft.
  2. In Visual Studio, open the solution, right-click the applicable project and select Update federation metadata. If this option is not available, FedUtil and/or the WIF v1.0 SDK has not been installed.
  3. From the prompt, select Update to begin updating your federation metadata. If you have access to the server environment where the application is hosted, you can optionally use FedUtil's automatic metadata update scheduler.
  4. Click Finish to complete the update process.

Web applications / APIs protecting resources using any other libraries or manually implementing any of the supported protocols

If you are using some other library, or have implemented one of the supported protocols yourself, you need to review the library or your implementation to ensure that the signing keys are retrieved from either the OpenID Connect discovery document (and the key set it points to) or the federation metadata document, and that the retrieved set is refreshed rather than fetched once at startup. One way to check is to search your code, or the library's code, for any calls out to the OpenID Connect discovery document or the federation metadata document.

If the key is stored somewhere or hard-coded in your application, you can retrieve the key manually and update it by performing a manual rollover as described at the end of this guidance document. It is strongly recommended that you enhance your application to support automatic rollover using one of the approaches outlined in this article, to avoid disruption and overhead if Azure AD increases its rollover cadence or performs an emergency out-of-band rollover.

How to test your application to determine whether it will be affected

You can validate whether your application supports automatic key rollover by downloading the scripts and following the instructions in the GitHub repository referenced by this article.

How to perform a manual rollover if your application does not support automatic rollover

If your application does not support automatic rollover, you need to establish a process that periodically monitors Azure AD's signing keys (by reading the discovery document or federation metadata for your tenant and comparing the published key identifiers or thumbprints with the ones your application trusts) and performs a manual rollover when they change. The GitHub repository referenced by this article contains scripts and instructions for doing this.