When using Azure Active Directory B2C (AAD B2C) for authentication and authorization, how do you configure NGINX Plus to validate the issued JWT at the edge for a single application when using multiple sign-in policies each using different token signing keys?
When using Azure Active Directory B2C, you can get the required JWK by issuing the following command:

curl -sS https://login.microsoftonline.com/<your_tenant_name_or_id>//discovery/v2.0/keys

However, if you're working on a more complex identity solution (e.g. white label, user creation/registration into multiple systems, etc.) then you're likely using custom policies via the Identity Experience Framework (IEF). If this is the case, you may have multiple token signing keys configured throughout your policies. This normally doesn't pose a problem since you can actually retrieve the JWK for that policy by just appending ?p=<policy_name> to the above request, e.g.:

curl -sS https://login.microsoftonline.com/<your_tenant_name_or_id>//discovery/v2.0/keys?p=b2c_1_sign_in

It becomes a bit more challenging when you have multiple sign-in policies, each with their own token signing key, that are used for the same application and you want NGINX to validate the JWTs for all of the policies in the same NGINX config file. To do this you'll need to combine all of the JWKs into a single JWK and then set:

auth_jwt_key_file /etc/nginx/<name_of_combined_json_web_key>.jwk;

This isn't too difficult to code, but here is a GitHub Gist I put together to help: build-aad-b2c-combined-policy-jwk.py.
You can save the combined JWK from the script by sending the output to a file. Example:
>> python build-aad-b2c-combined-policy-jwk.py --tenant_url https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com --policies b2c_1_sign_in,b2c_1a_another_policy > /etc/nginx/azure_active_directory.jwk
Also, given that keys can and should be rotated, be sure to set up a cron job or some sort of scheduler to update the combined JWK with the latest keys on a regular basis.
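As an added example (not the author's gist or any code from the page), here is one way the merge step can be implemented in Python: fetch each policy's JWK set, merge the "keys" arrays into one JWK Set for auth_jwt_key_file, and refuse to silently keep one of two different keys that share a kid. The URL shape is assumed from the curl commands above, the sample JWKS documents are constructed so the script runs offline, and all function names are assumptions.

```python
"""Combine the JWK sets of several AAD B2C policies into one JWK Set file."""
import json
import urllib.request


def fetch_policy_jwks(tenant_url, policy):
    """Fetch one policy's JWK Set (URL shape assumed from the page's curl examples)."""
    url = f"{tenant_url}/discovery/v2.0/keys?p={policy}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def merge_jwks(jwks_docs):
    """Merge JWK Set documents, de-duplicating by 'kid'.

    If two policies publish the same kid with different key material, NGINX
    could end up validating against the wrong key, so that case is rejected.
    """
    merged = {}
    for doc in jwks_docs:
        for key in doc.get("keys", []):
            kid = key.get("kid")
            if not kid:
                raise ValueError("JWK without a kid cannot be disambiguated")
            if kid in merged and merged[kid] != key:
                raise ValueError(f"conflicting key material for kid {kid!r}")
            merged[kid] = key
    return {"keys": list(merged.values())}


def build_combined_jwk(tenant_url, policies, fetch=fetch_policy_jwks):
    """Fetch every policy's JWK Set and return the merged document."""
    return merge_jwks([fetch(tenant_url, p) for p in policies])


# Constructed sample JWKS documents (placeholder values, not real Azure keys).
SAMPLE_JWKS = {
    "b2c_1_sign_in": {"keys": [
        {"kid": "A1", "kty": "RSA", "use": "sig", "n": "n-A1-placeholder", "e": "AQAB"}]},
    "b2c_1a_another_policy": {"keys": [
        {"kid": "A1", "kty": "RSA", "use": "sig", "n": "n-A1-placeholder", "e": "AQAB"},
        {"kid": "B2", "kty": "RSA", "use": "sig", "n": "n-B2-placeholder", "e": "AQAB"}]},
}

if __name__ == "__main__":
    # Offline run: swap the network fetch for the constructed samples.
    combined = build_combined_jwk("https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com",
                                  list(SAMPLE_JWKS), fetch=lambda _url, p: SAMPLE_JWKS[p])
    print(json.dumps(combined, indent=2))  # redirect to /etc/nginx/azure_active_directory.jwk
```

Scheduling this script (as the answer suggests) keeps the combined file current after Azure rotates a policy's signing key; remember to reload NGINX after the file changes.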