Question

I am using Azure ACS with my MVC4 client using passive redirection. I've configured Azure to issue JWT, and I'm using the new WIF JWT library for validating the token. This is all working just fine.

The problem that I am encountering is that Azure signs the JWT with the X.509 Certificate, rather than the Symmetric Key, which requires my MVC application to have the Certificate, which is annoying at the moment.

I know that the JWT support is in Beta, and that there are security issues with using a Symmetric Key (in that anyone with the Key could fake a token).

Is there some setting that I am missing? I tried making the Certificate the "Secondary" signing key in Azure, but this had no effect.


Solution

ACS chooses keys to sign a JWT in the following precedence order:

  1. Relying party symmetric key
  2. Relying party certificate
  3. Service-wide certificate

What you don't see anywhere on this list is a Symmetric service key, because there are security issues with using a symmetric key between more than two entities.

What this means is that your key needs to be associated with the relying party, not the namespace, as in the following screenshot.

(screenshot: JwtKey)
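To make the precedence rule and the "more than two entities" caveat concrete, here is an added example that is not part of the answer above: a minimal HS256 JWT mint/verify routine written with only the Python standard library (no PyJWT, no WIF). The issuer URL, relying-party audiences, keys and claims are all constructed placeholders. `demo()` contrasts per-relying-party keys (what ACS does) with a hypothetical namespace-wide symmetric key, and shows that with a shared key any other holder's token for your audience passes your own signature check, which is the reason that option is absent from the list.

```python
"""Added example: HS256 JWT mint/verify with the standard library only.

Everything below (issuer, audiences, keys, claims) is constructed for
illustration; none of it is ACS's real configuration.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder for an ACS namespace issuer URL.
ISSUER = "https://example-namespace.accesscontrol.windows.net/"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url; restores the stripped padding first."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(key: bytes, claims: dict) -> str:
    """Sign a claim set with HMAC-SHA256 (JWT 'HS256')."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, key: bytes, expected_aud: str,
                 expected_iss: str, now: float = None) -> dict:
    """Return the claims if the token is valid for this relying party.

    Raises ValueError on any failure: pins alg to HS256, checks the HMAC in
    constant time, then enforces iss, aud and exp.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def _accepts(token: str, key: bytes, aud: str, now: float) -> bool:
    """True if the relying party holding `key` for `aud` accepts the token."""
    try:
        verify_hs256(token, key, aud, ISSUER, now=now)
        return True
    except ValueError:
        return False


def demo(now: float = 1_700_000_000.0) -> dict:
    """Per-relying-party keys versus a hypothetical namespace-wide key."""
    rp_a_key = b"constructed-secret-for-relying-party-A"
    rp_b_key = b"constructed-secret-for-relying-party-B"
    shared_key = b"constructed-hypothetical-namespace-wide-secret"
    aud_a, aud_b = "https://rp-a.example/", "https://rp-b.example/"
    claims_for_a = {"iss": ISSUER, "aud": aud_a, "sub": "alice", "exp": now + 600}

    # Case 1: key bound to the relying party (ACS precedence items 1/2).
    token_a = mint_hs256(rp_a_key, claims_for_a)
    expired_a = mint_hs256(rp_a_key, {**claims_for_a, "exp": now - 1})

    # Case 2: one symmetric key shared across the whole namespace. Any holder
    # of that key (relying party B included) produces tokens A cannot tell
    # apart from ACS's own, so A's signature check no longer binds issuance.
    from_other_holder = mint_hs256(shared_key, {**claims_for_a, "sub": "bob"})

    return {
        "rp_a_accepts_own_token": _accepts(token_a, rp_a_key, aud_a, now),
        "rp_b_rejects_rp_a_token": not _accepts(token_a, rp_b_key, aud_b, now),
        "rp_a_rejects_expired_token": not _accepts(expired_a, rp_a_key, aud_a, now),
        "shared_key_accepts_any_holders_token": _accepts(from_other_holder, shared_key, aud_a, now),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last entry of `demo()` is the whole argument of the answer: with a per-relying-party key only ACS and that one relying party hold the secret, whereas a namespace-wide symmetric key would be shared by every relying party, and the certificate fallback (items 2 and 3) exists precisely so that signing and verifying keys differ.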

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow