OIDC Azure Signing Key Rollover Guidance


We're having some issues with manually obtaining the correct certificate thumbprints after signing keys are rolled over. We're using OpenID Connect to authenticate users via Azure AD and then forwarding their authorised details on to an AWS Cognito Identity Pool, which requires all the correct thumbprints to be configured in order to verify the token that has been provided.


We have followed the steps provided by AWS at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.ht... to obtain a thumbprint; however, this only ever results in one, whereas clearly there should be two or more.

What is the correct way to obtain the right thumbprints? The guidance here, https://docs.microsoft.com/en-us/previous-versions/azure/dn641920(v=azure.100)?redirectedfrom=MSDN#m..., is outdated.

0 Replies
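Azure AD publishes every currently valid signing certificate in the JWKS document referenced by the `jwks_uri` of its OpenID Connect discovery document, and during a rollover that set contains both the outgoing and the incoming key. The script below is an added example, not code from the original post or from Microsoft or AWS: it parses a JWKS, derives the SHA-1 thumbprint of each key's leaf certificate (the `x5c[0]` entry), cross-checks it against the key's `x5t` claim where present, and diffs the result against the thumbprints you already have configured so that a rollover shows up as a concrete add/remove list. The JWKS is constructed inline and its `x5c` values are base64 of short placeholder byte strings rather than real DER certificates, so it runs offline; whether your relying party expects these JWKS-derived thumbprints or the TLS-chain thumbprint that the AWS procedure produces is a question for that party's documentation, and the example assumes the former.

```python
import base64
import hashlib
import json

# Constructed sample in the shape of an Azure AD JWKS document during a rollover.
# The x5c entries are NOT certificates: they are base64 of placeholder byte
# strings standing in for DER, so the thumbprint math can run offline.
# The x5t on the first key is the base64url SHA-1 of that same placeholder.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {
            "kty": "RSA", "use": "sig", "kid": "old-key-placeholder",
            "x5t": "qZk-NkcGgWq6PiVxeFDCbJzQ2J0",
            "x5c": [base64.b64encode(b"abc").decode()],
        },
        {
            "kty": "RSA", "use": "sig", "kid": "new-key-placeholder",
            "x5c": [base64.b64encode(
                b"The quick brown fox jumps over the lazy dog").decode()],
        },
    ]
})


def thumbprint_sha1(der: bytes) -> str:
    """Uppercase hex SHA-1 over the raw DER bytes, the form shown in most UIs."""
    return hashlib.sha1(der).hexdigest().upper()


def x5t_from_der(der: bytes) -> str:
    """JWK 'x5t' form of the same digest: base64url without padding (RFC 7517)."""
    digest = hashlib.sha1(der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def thumbprints_from_jwks(jwks_json: str) -> dict:
    """Map each signing key's kid to the SHA-1 thumbprint of its leaf cert.

    Keys without an x5c chain, or not marked for signature use, are skipped.
    A key whose x5t disagrees with its own certificate is rejected rather than
    silently trusted, since the two are supposed to describe the same bytes.
    """
    result = {}
    for key in json.loads(jwks_json).get("keys", []):
        if key.get("use", "sig") != "sig" or not key.get("x5c"):
            continue
        leaf_der = base64.b64decode(key["x5c"][0])
        if "x5t" in key and key["x5t"] != x5t_from_der(leaf_der):
            raise ValueError(f"x5t does not match x5c[0] for kid {key['kid']!r}")
        result[key["kid"]] = thumbprint_sha1(leaf_der)
    return result


def rollover_diff(configured: set, jwks_json: str) -> dict:
    """Compare configured thumbprints with what the IdP currently publishes.

    Returns the thumbprints that must be added (new keys) and those that are
    no longer published and can be retired, each as a sorted list.
    """
    current = set(thumbprints_from_jwks(jwks_json).values())
    return {
        "add": sorted(current - configured),
        "remove": sorted(configured - current),
    }


if __name__ == "__main__":
    # Pretend only the old key was configured before the rollover.
    already_configured = {"A9993E364706816ABA3E25717850C26C9CD0D89D"}
    print(json.dumps(thumbprints_from_jwks(SAMPLE_JWKS), indent=2))
    print(json.dumps(rollover_diff(already_configured, SAMPLE_JWKS), indent=2))
```

Running the diff on a schedule against the live `jwks_uri` (rather than on the one-off manual procedure the post describes) is what turns a rollover from a surprise outage into a planned configuration change: an entry in `add` means tokens signed with a key you do not yet trust are about to appear, and an entry in `remove` means a thumbprint can be retired once no tokens signed with it remain in flight.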