Changes in "thumbprints" for Azure AD Connection Settings of YAML File (using Auth0 Deploy CLI)

Problem statement

I use Auth0 Deploy CLI (version 7.3.1) to manage Auth0 configurations locally using a YAML file. Today, I exported the YAML settings with the a0deploy command to check if there were any differences with the Auth0 configurations. I compared this with a local YAML file that was created a year ago. Then, I noticed that there were differences in the values of this “thumbprints” field. The differences are as follows:

connections:
.
- name: ms-azure-ad
strategy: waad
.
thumbprints:
- - 9CEA37643ACE0D710AD63296857B251D1FCA5C48
- 977B10FB9D1C087E3105564B1D31B09D247BEBCD
- 32BE7E01489B7C18A2ECD7758C179B6B16E85D6D
- 8D2D57A353960E3FF9DAF6F018D82F40ED95CCC7
- D994292775296E30185D819A5C4265F255744CE2
+ - F8A23743D9CD47B6D1A1FC66799A17A9B1D919EC
- 0EA52EF207FE9C081CCA33F7F92BA994D0170277
- 3B36790DB99CB28F50CEDD8CA1D1A68A1837D01A
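Review bot: the hunk reads as one entry removed (`- - 9CEA37643ACE0D710AD63296857B251D1FCA5C48`) and one entry added (`+ - F8A23743D9CD47B6D1A1FC66799A17A9B1D919EC`), with the six other thumbprints unchanged context, but because the leading indentation was stripped the diff marker and the YAML list dash are hard to tell apart on the remaining lines. Keep the original leading spaces (or paste the raw `a0deploy` export diff) so it is unambiguous that only one thumbprint rotated out and one rotated in.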

I have three questions:
(1) What is this “thumbprints” field?
(2) Who updates this “thumbprints” field and when does it get updated?
(3) Should the local YAML file also be updated to match if the “thumbprints” have been updated on Auth0’s side?
For the third question, I am concerned that importing a YAML file that still contains the old thumbprints with a0deploy might cause an error in the connection with Azure AD.

Solution

These thumbprints are based on the certificates stored on the Azure AD side. Auth0 reaches out to Azure daily to update that list of thumbprints based on the available certificates being used by Azure since they can be rotated without notice. Even though the Azure AD connection is using the OIDC protocol, that protocol will make use of thumbprints/certificates since it will need those values to validate the signature in the issued JWT tokens.

It is recommended to keep that list of ‘thumbprints’ intact during imports/exports, since without those values you would likely begin seeing issues with the connection due to thumbprints either being missing or miscalculated.
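As an added example (not part of the original article or of the Auth0 Deploy CLI), the script below shows where these values come from and how to check an exported YAML list against what the issuer currently publishes: each thumbprint is the SHA-1 of a signing certificate's DER bytes, which OIDC issuers expose in the `x5c` / `x5t` members of their JWKS (RFC 7517). It assumes a constructed JWKS document with placeholder DER bytes rather than real certificates, and a hand-typed local thumbprint list standing in for the YAML's `thumbprints:` entries.

```python
import base64
import hashlib
import json
from typing import Dict, List


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed stand-ins for DER-encoded signing certificates (not real certs).
_FAKE_DERS = [b"placeholder-der-cert-A", b"placeholder-der-cert-B"]

# Constructed JWKS in the RFC 7517 shape: "x5c" holds the base64 DER chain,
# "x5t" the base64url SHA-1 thumbprint of the leaf certificate.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig",
     "x5t": _b64url(hashlib.sha1(der).digest()),
     "x5c": [base64.b64encode(der).decode()]}
    for der in _FAKE_DERS
]})


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER certificate, upper-case hex: the form the YAML stores."""
    return hashlib.sha1(der).hexdigest().upper()


def x5t_to_hex(x5t: str) -> str:
    """Convert a base64url x5t value to the same upper-case hex form."""
    padded = x5t + "=" * (-len(x5t) % 4)
    return base64.urlsafe_b64decode(padded).hex().upper()


def current_thumbprints(jwks_json: str) -> List[str]:
    """Thumbprint of every signing cert in the JWKS, cross-checked against x5t."""
    result = []
    for key in json.loads(jwks_json)["keys"]:
        tp = thumbprint(base64.b64decode(key["x5c"][0]))
        if "x5t" in key and x5t_to_hex(key["x5t"]) != tp:
            raise ValueError("x5t does not match the x5c certificate")
        result.append(tp)
    return result


def drift(local: List[str], current: List[str]) -> Dict[str, List[str]]:
    """Entries only the local YAML has (stale) and entries only the issuer has (missing)."""
    loc, cur = {t.upper() for t in local}, set(current)
    return {"stale": sorted(loc - cur), "missing": sorted(cur - loc)}


if __name__ == "__main__":
    # Local list as read from a year-old export (constructed; first value from the article).
    local = ["9CEA37643ACE0D710AD63296857B251D1FCA5C48", thumbprint(_FAKE_DERS[0])]
    print(drift(local, current_thumbprints(SAMPLE_JWKS)))
```

A non-empty `stale` or `missing` list means the exported YAML no longer matches the issuer's signing certificates, so re-export with a0deploy rather than hand-editing the list.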