How to reset OpenIdConnectConfiguration when IssuerSigningKeys changes?

[oledid]

Hi

I have previously asked this question on stackoverflow, but I haven't gotten an answer.

.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
            {
                var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>("https://accounts.google.com/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
                options.Configuration = configurationManager.GetConfigurationAsync().Result;

options.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = "name",
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKeys = options.Configuration.SigningKeys
                };

Provider changes their keys:

System.Exception: An error was encountered while handling the remote login.
 ---> Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key: 
kid: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.

With an app that is always running, is there a way to refresh the info from the .well-known when the OpenID Connect provider changes their certs? Right now I'm stuck with resetting the azure app service when it happens.

[Tratcher]

SecurityTokenSignatureKeyNotFoundException will automatically trigger a refresh from the ConfigurationManager.

aspnetcore/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs

Lines 765 to 772 in f54b590

	if (Options.RefreshOnIssuerKeyNotFound && exception is SecurityTokenSignatureKeyNotFoundException)
	{
	if (Options.ConfigurationManager != null)
	{
	Logger.ConfigurationManagerRequestRefreshCalled();
	Options.ConfigurationManager.RequestRefresh();
	}
	}

Why are you forcibly resolving the keys up front from the ConfigurationManager rather than passing the configuration manager to OpenIdConnectOptions?

aspnetcore/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectOptions.cs

Line 134 in f54b590

public IConfigurationManager<OpenIdConnectConfiguration> ConfigurationManager { get; set; }

[oledid]

Thanks. I must have misunderstood how to use the api.

Are you saying that this should sove my problem?

.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
			{
				var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(Configuration["Google:WellKnown"], new OpenIdConnectConfigurationRetriever());
				//options.Configuration = configurationManager.GetConfigurationAsync().Result; // removed
				options.ConfigurationManager = configurationManager; // added

Edit: Or I can just set options.MetadataAddress, which will create a ConfigurationManager. Thanks!

[Tratcher]

Yeah, there are a lot of properties there to allow for customization, but MetadataAddress is all you need for the basic scenario.