We have created an Azure App Registration for a confidential client application web app to use Azure AD as the IdP. We are using a certificate for this instead of a secret. So the app uses the Client ID and the certificate as the credentials to authenticate any user who wants to log in using his Azure AD credentials.
We are using Key Vault for storing the certificate and using the managed identity of the App Service that hosts the client application to access it. The certificate is not from an integrated CA but from CAs like GoDaddy. For notification of the certificate expiry (certificate expiry will be, let's say, after 6m/1 yr) we have used the inbuilt feature of the KV to send an email notification 30 days prior to expiry to a set of people who would generate a new certificate and then update it in both the App Registration and the Key Vault.
The Azure Key Vault SDK has caching. Now when the old certificate expires on a particular date, the new certificate will not be used by the application immediately as caching will be in effect. We need to invalidate this so that the user experience is not affected, because when the App Registration's old certificate from the Key Vault cache is used to log in the user, the user will not be given access. We can of course handle this in code by checking the exception and reloading, i.e. IConfiguration.Reload(). But this will require the user to re-login again. The issue becomes more pronounced since our current scale-out setting is min 2 instances and max 10 instances for the App Service that hosts the confidential client web app above.
So situation can be like this:
- User tries to login -> request is served by instance 1 -> cached certificate is used -> login fails -> cache invalidated -> user asked to re-login again
- The same user tries to login again -> request is served by instance 2, and the same process as above repeats
We can do an app restart by doing a rolling restart during business hours of low traffic, but do we not have a better way to handle this scenario, more of an automation approach?
Let me know if additional details are required.
Thanks,
SuvraJyoti
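One pattern that addresses the multi-instance problem described in the question is to have each App Service instance proactively refresh its own cached certificate once the certificate is inside a renewal window (here 30 days, matching the Key Vault notification), and to expose a forced reload for the reactive case. The following is an added example written for this post; it is not code from the question, from Microsoft, or from any SDK. The `CertificateLoader` delegate, `RotatingCertificateCache`, and the `Demo` class are hypothetical names; the delegate stands in for the real Key Vault fetch (for instance `SecretClient.GetSecretAsync` on the certificate's PFX secret), and the two certificates are constructed self-signed test certificates so the program runs offline. The `Rotated` event is where a caller would rebuild its MSAL confidential client with the new certificate.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical: fetches the certificate currently published for the app registration.
// In production this wraps the Key Vault call; here it is a delegate so the demo runs offline.
public delegate Task<X509Certificate2> CertificateLoader(CancellationToken ct);

public sealed class RotatingCertificateCache : IDisposable
{
    private readonly CertificateLoader _load;
    private readonly TimeSpan _renewWindow;   // start refreshing this far before NotAfter
    private readonly TimeSpan _pollInterval;  // how often the background loop checks
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private readonly CancellationTokenSource _cts = new CancellationTokenSource();
    private volatile X509Certificate2 _current;

    // Raised when a certificate with a new thumbprint is loaded; rebuild the MSAL client here.
    public event Action<X509Certificate2> Rotated;

    public RotatingCertificateCache(CertificateLoader load, TimeSpan renewWindow, TimeSpan pollInterval)
    {
        _load = load; _renewWindow = renewWindow; _pollInterval = pollInterval;
    }

    public string CurrentThumbprint => _current?.Thumbprint;

    // Hot path: serve the cached certificate unless it is inside the renewal window.
    public async Task<X509Certificate2> GetAsync(CancellationToken ct = default)
    {
        var cert = _current;
        if (cert != null && !NeedsRefresh(cert)) return cert;
        return await RefreshAsync(ct);
    }

    // Forced reload. Also call this reactively, e.g. when MSAL throws MsalServiceException
    // with ErrorCode "invalid_client" because the old certificate was removed from the app registration.
    public async Task<X509Certificate2> RefreshAsync(CancellationToken ct = default)
    {
        await _gate.WaitAsync(ct);
        try
        {
            var fresh = await _load(ct);
            var old = _current;
            if (old == null || !string.Equals(old.Thumbprint, fresh.Thumbprint, StringComparison.OrdinalIgnoreCase))
            {
                _current = fresh;          // old object is not disposed: an in-flight token request may hold it
                Rotated?.Invoke(fresh);
            }
            return _current;
        }
        finally { _gate.Release(); }
    }

    // Every scaled-out instance runs its own loop, so no restart is needed and no user
    // request has to be the one that discovers the expiry.
    public void StartBackgroundRefresh()
    {
        _ = Task.Run(async () =>
        {
            while (!_cts.IsCancellationRequested)
            {
                try
                {
                    var cert = _current;
                    if (cert == null || NeedsRefresh(cert)) await RefreshAsync(_cts.Token);
                }
                catch (OperationCanceledException) { break; }
                catch (Exception) { /* transient Key Vault error: keep serving the cached cert, retry next tick */ }
                try { await Task.Delay(_pollInterval, _cts.Token); } catch (OperationCanceledException) { break; }
            }
        });
    }

    private bool NeedsRefresh(X509Certificate2 c) =>
        DateTime.UtcNow >= c.NotAfter.ToUniversalTime() - _renewWindow;

    public void Dispose() { _cts.Cancel(); _cts.Dispose(); _gate.Dispose(); }
}

public static class Demo
{
    // Constructed self-signed test certificate standing in for the CA-issued one.
    static X509Certificate2 MakeTestCert(string cn, DateTimeOffset notAfter)
    {
        var rsa = RSA.Create(2048);
        var req = new CertificateRequest($"CN={cn}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), notAfter);
    }

    public static async Task Main()
    {
        var oldCert = MakeTestCert("old-app-cert", DateTimeOffset.UtcNow.AddDays(10));  // inside the 30-day window
        var newCert = MakeTestCert("new-app-cert", DateTimeOffset.UtcNow.AddDays(365));
        var published = oldCert;                                   // what "Key Vault" currently returns

        var cache = new RotatingCertificateCache(ct => Task.FromResult(published),
            renewWindow: TimeSpan.FromDays(30), pollInterval: TimeSpan.FromMinutes(15));
        cache.Rotated += c => Console.WriteLine($"rotated to {c.Subject} ({c.Thumbprint})");

        Console.WriteLine($"serving {(await cache.GetAsync()).Subject}");   // old-app-cert
        published = newCert;                                                // operator uploads the renewed cert
        Console.WriteLine($"serving {(await cache.GetAsync()).Subject}");   // new-app-cert, no failed login needed
        cache.Dispose();
    }
}
```

In a real deployment you would call `StartBackgroundRefresh()` once at startup on each instance and wire `Rotated` to rebuild the MSAL `IConfidentialClientApplication`; the refresh happens on every instance independently, so the instance-1/instance-2 sequence in the question cannot occur as long as the renewed certificate is uploaded to both Key Vault and the App Registration before the old one is removed, and `RefreshAsync` remains as the fallback if it is not.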