Azure KeyVault Cache Invalidation

suvra jyoti 151 Reputation points

We have created an Azure App Registration for a confidential client application (web app) to use Azure AD as the IdP. We are using a certificate for this instead of a secret. So the app uses the Client ID and the certificate as the credentials to authenticate any user who wants to log in using their Azure AD credentials.

We are using Key Vault for storing the certificate and using the managed identity of the App Service that hosts the client application to access it. The certificate is not from an integrated CA but from CAs like GoDaddy. For the intimation of the certificate expiry (certificate expiry will be, let's say, after 6 months / 1 year) we have used the inbuilt feature of the KV to send an email notification 30 days prior to expiry to a set of people who would generate a new certificate and then update it in both the App Registration and the Key Vault.

The Azure Key Vault SDK has caching. Now, when the old certificate expires on a particular date, the new certificate will not be used by the application immediately, as caching will be in effect. We need to invalidate this so that the user experience is not affected, because when the App Registration's old certificate from the Key Vault cache is used to log in the user, the user will not be given access. We can of course handle this in code by checking the exception and reloading, i.e. IConfiguration.Reload(). But this will require the user to re-login again. The issue becomes more pronounced since we have our current scale-out setting set to min 2 instances and max 10 instances for the App Service that hosts the confidential client web app above.
So the situation can be like this:

  • User tries to login -> request is served by instance 1 -> cached certificate is used -> login fails -> cache invalidated -> user asked to re-login again
  • The same user tries to login again -> request is served by instance 2, again the same process as above

We can do an app restart by doing a rolling restart during business hours of low traffic, but do we not have a better way to handle this scenario, more of an automation approach?

Let me know if additional details are required.


Siva-kumar-selvaraj 15,601 Reputation points

Hello @suvra jyoti,

Thanks for the detailed information.

If I remember correctly, the primary Key Vault SDKs don't have any caching. Are you referring to Azure.Extensions.AspNetCore.Configuration.Secrets by chance? That will cache secrets, but it has the option to set a reload interval to periodically refresh them.

To hear from experts, I've added AspNetCore tags to this thread.

Hope this helps, and thanks for your patience throughout this issue. Thanks.
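As an added illustration (not code from the thread, and not Microsoft's own sample), this is how the reload interval mentioned in the answer is wired into an ASP.NET Core host, together with a confidential client built from the current configuration value on each use so every scaled-out instance picks up a rotated certificate without a restart or a failed login. The vault URL, secret name, interval and the AddRefreshingKeyVault/CreateClient helper names are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Identity.Client;

public static class KeyVaultCertificateSetup
{
    // Placeholders: the vault URL and the certificate's secret name are assumptions,
    // not values from the thread.
    private const string VaultUrl = "https://<your-vault>.vault.azure.net/";
    private const string CertificateSecretName = "<client-cert-name>";

    // Call from Program.cs: KeyVaultCertificateSetup.AddRefreshingKeyVault(builder.Configuration);
    public static void AddRefreshingKeyVault(IConfigurationBuilder configuration)
    {
        configuration.AddAzureKeyVault(
            new Uri(VaultUrl),
            new DefaultAzureCredential(), // resolves to the App Service managed identity
            new AzureKeyVaultConfigurationOptions
            {
                // Re-read secrets on a schedule; a rotated certificate shows up in
                // IConfiguration on every instance within one interval. Choose an
                // interval shorter than the overlap between old and new certificate.
                ReloadInterval = TimeSpan.FromMinutes(30)
            });
    }

    // Build the MSAL client from the *current* configuration value at the time a token
    // is requested (or re-create it when configuration.GetReloadToken() fires). Caching
    // the X509Certificate2 once at startup would defeat the reload interval.
    public static IConfidentialClientApplication CreateClient(
        IConfiguration configuration, string clientId, string tenantId)
    {
        // A Key Vault certificate with an exportable private key is also exposed as a
        // secret, under the certificate's name, holding the base64 PKCS#12 blob.
        string? encoded = configuration[CertificateSecretName]
            ?? throw new InvalidOperationException("Client certificate not present in configuration.");
        var certificate = new X509Certificate2(
            Convert.FromBase64String(encoded), (string?)null, X509KeyStorageFlags.EphemeralKeySet);

        return ConfidentialClientApplicationBuilder.Create(clientId)
            .WithCertificate(certificate)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();
    }
}
```

The new certificate still has to be uploaded to the App Registration before the Key Vault version is switched, as the question already describes; the reload interval only removes the need to restart or re-login once both are updated.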