DefaultKeyResolution.ShouldGenerateNewKey has altered meaning

DefaultKeyResolution.ShouldGenerateNewKey no longer reflects whether the default key is close to its expiration time.

Version introduced

ASP.NET Core 9.0 Preview 3

Previous behavior

It was an undocumented but consistent feature of the API that ShouldGenerateNewKey was true if the default key was within roughly two days (an oversimplification) of its expiration time. The amount of lead time was derived from the polling interval of ICacheableKeyRingProvider, which is not something IDefaultKeyResolver.ResolveDefaultKeyPolicy should have depended upon (for example, alternative implementations would probably not be aware of that detail).

New behavior

Starting in .NET 9, if ShouldGenerateNewKey is true, it indicates that either there's no default key or that for some other policy reason (in a specialized implementation of IDefaultKeyResolver), a new key should be generated. The ICacheableKeyRingProvider makes its own decision about whether the expiration time is close enough to warrant generating a new key.

Type of breaking change

This change is a behavioral change.

Reason for change

This change was made for two reasons:

  • To change the logic around key generation near expiration time.
  • To make it simpler to implement a custom IDefaultKeyResolver.

Recommended action

If you have an IDefaultKeyResolver implementation that tries to replicate the expiry logic, you can remove that logic (however, leaving it is fine as well).

If you were consuming IDefaultKeyResolver directly to determine whether expiration was pending, you can check the default key's ExpirationDate property directly.
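The following is an added example, not code from the ASP.NET Core repository, showing both recommended actions together: a custom IDefaultKeyResolver that does not replicate the old expiry lead-time logic, and a consumer-side check that reads the default key's ExpirationDate directly. The class names NewestActiveKeyResolver and KeyExpiryCheck, and the leadTime parameter, are this example's own choices; the interfaces and the DefaultKeyResolution fields are those of Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal;

// Hypothetical custom resolver (example name). It picks the newest activated,
// unrevoked, unexpired key and leaves the "is expiration close enough to
// generate a new key?" decision to ICacheableKeyRingProvider, as .NET 9 expects.
public sealed class NewestActiveKeyResolver : IDefaultKeyResolver
{
    public DefaultKeyResolution ResolveDefaultKeyPolicy(DateTimeOffset now, IEnumerable<IKey> allKeys)
    {
        var result = new DefaultKeyResolution();

        var candidate = allKeys
            .Where(k => !k.IsRevoked && k.ActivationDate <= now && k.ExpirationDate > now)
            .OrderByDescending(k => k.ActivationDate)
            .FirstOrDefault();

        if (candidate is null)
        {
            // No usable key at all: under the .NET 9 contract this is the case a
            // resolver signals with ShouldGenerateNewKey.
            result.ShouldGenerateNewKey = true;
            return result;
        }

        result.DefaultKey = candidate;
        // Deliberately no expiry-based ShouldGenerateNewKey here: the old
        // "within ~two days of expiration" logic is not replicated.
        return result;
    }
}

// Consumer side (example name): instead of reading ShouldGenerateNewKey to learn
// whether expiration is pending, compare the default key's ExpirationDate
// against a lead time of your own choosing.
public static class KeyExpiryCheck
{
    public static bool IsExpirationPending(
        IDefaultKeyResolver resolver,
        IKeyManager keyManager,
        DateTimeOffset now,
        TimeSpan leadTime)
    {
        DefaultKeyResolution resolution = resolver.ResolveDefaultKeyPolicy(now, keyManager.GetAllKeys());

        if (resolution.DefaultKey is null)
        {
            // No default key: treat as needing attention, just as the resolver would.
            return true;
        }

        return resolution.DefaultKey.ExpirationDate - now <= leadTime;
    }
}
```

Pick leadTime to match how often your own polling or alerting runs; it no longer has to line up with the ICacheableKeyRingProvider interval, because that provider now makes its own decision about generating a replacement key.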

Affected APIs

  • Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.DefaultKeyResolution.ShouldGenerateNewKey