Using Json Web Keys from OpenID Connect discovery spec to work with JWT token authentication in Azure Media Services

Posted on

In my recent blogs post “Integrate Azure Media Services OWIN MVC based app with Azure Active Directory …” I described how you can utilize JWT token issued by Azure Active directory and provide group based permissions to watch videos hosted in Azure Media Services.
Sample from blog post was mentioning that Azure Active Directory have signing certificate rotation logic and developers need to detect this rotation and update public keys stored in Media Services in order to have JWT token signature verification to be working.

In latest 3.3.0.0 release Azure Media Services team added functionality to support OpenId Connect discovery spec and avoid problem with keys expiration due to rolling logic on identity provider side.
If you are using identity provider which is exposing OpenID connect discovery document (and majority of providers such as Azure Active Directory, Google, Salesforce does), you can instruct Azure Media services obtain signing keys for validation of JWT token from OpenID connect discovery spec.

OpenID Connect Discovery Spec and Json Web Keys (JWK)

OpenID Connect Discovery Spec defines how clients dynamically discover information about OpenID provider. It is JSON document published by provider and contains metadata information about how user system can interact with identity provider.

Here you can find example of discovery doc exposed by Azure Active Directory.

As you can see document has pointer to a resource where you can obtain JSON Web Keys (https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41.).
"jwks_uri":"https://login.windows.net/common/discovery/keys",

A JSON Web Key (JWK) document has collection of signing public keys used by Identity provider which you can use to verify JWT token signature.

Example of Azure Active Directory signing keys in Json Web Keys fromat:
https://login.windows.net/common/.well-known/openid-configuration

Example of Google Json Web Keys.https://accounts.google.com/.well-known/openid-configuration

Using OpenId Connect Discovery Spec together with Azure Media Services JWT token verification

Since Open ID Connect spec has all information regarding signing keys used to sign JWT token you don’t need anymore persist these signing keys in Azure Media Services. All you need to do is instruct Azure Media key delivery service is to use defined openid connect specification during JWT token validation.

Here is a modified code snippet from Azure AD integration example to create Authorization policy and instruct to use OpenId Connect spec for token validation.

You can see example changes in following commit

Tags: , ,