Microsoft-identity-web: TokenDecryptionCertificates info

Created on 18 Oct 2020  路  5Comments  路  Source: AzureAD/microsoft-identity-web

Documentation related to component

I was exploring the Micosoft.Identity.Web code.

How is the TokenDecryptionCertificates used in the Micosoft.Identity.Web lib and what does it change in my tokens, flows?

Maybe a note or an example might be useful in the docs

Greetings Damien

P1 documentation fixed

All 5 comments

@damienbod
I need to write a full page, but the principle is:

  • in the Web API registration you add a Decrypt certificate, (you share the public key with Azure AD), and only you app has the private. This is in the web API registration as of course access tokens are for the web API which decides of its format.
  • still in the app registration you direct Azure AD to encrypt the tokens with that decrypt certificate
  • when the client receives the access token it's encrypted (so it cannot crack open it)
  • when the web API receives the access token from the client, it uses the decrypt certificate, and the rest is the same as usual

@damienbod Here is the documentation with how to set this up and more information -> https://github.com/AzureAD/microsoft-identity-web/wiki/Token-Decryption

there are code snippets on the page.
going to close this issue, but feel free to reopen or tag me w/questions.

@jennyf19 Docs are really good, thanks

I also made a blog about this.

https://damienbod.com/2020/10/22/using-encrypted-access-tokens-in-azure-with-microsoft-identity-web-and-azure-app-registrations/

One small improvement suggestion to the docs:

Generate the certificate

I would add Generate Certificate in Azure Key Vault before this section as I think this is the standard way.

Then download the public cer file to add to the App registration.

Greetings Damien

@jennyf19:
Do you want to please update the wiki to add a section on how to generate certificate in KeyVault?

Thanks @damienbod

Was this page helpful?
0 / 5 - 0 ratings