Closed SJCaldwell closed 5 years ago
Static keys don't allow for rolling changes with Microsoft's public key.
It is important to note that these keys rollover on a periodic basis and, in an emergency, could be rolled over immediately. All applications that use Azure AD should be able to programmatically handle the key rollover process or establish a periodic manual rollover process.
As Microsoft states here, those applications that roll their own API interaction instead of using a supported Azure library will have to be wary to update public keys.
As a security-critical application, we cannot afford to have a static key that needs updating.
We must be able to poll Microsoft's key repository to ensure our key is up to date. I used a Node library to convert the JWK to a PEM file that OpenSSL could use for validation previously, but I'll have to do it in C code (`int jwk_to_pem_rsa(cJSON *jwk){...}`) instead.
aadd
- Azure Active Directory Daemon?
Source: src/getkeys.c