Hi,

the last step of this migration has now been completed, and the only certificate returned from the JWKS endpoint is the new certificate.

Best regards,
Olav Morken
Uninett / Feide



From: updates-request@feide.no <updates-request@feide.no> on behalf of Olav Morken <updates@feide.no>
Sent: Tuesday, August 17, 2021 13:06
To: updates@feide.no <updates@feide.no>; support@feide.no <support@feide.no>
Subject: Re: [Feide Updates] Feide OpenID Connect certificate change Monday 16 August until Thursday 19 August
 
Hi,

the second step of this process has now been completed, and we are using the new certificate to sign our ID tokens.

If your service experiences any problems authenticating users, it may be necessary to force the service to refresh its list of valid signature keys.

Best regards,
Olav Morken
Uninett / Feide


From: updates-request@feide.no <updates-request@feide.no> on behalf of Olav Morken <updates@feide.no>
Sent: Monday, August 16, 2021 13:15
To: updates@feide.no <updates@feide.no>
Subject: Re: [Feide Updates] Feide OpenID Connect certificate change Monday 16 August until Thursday 19 August
 
Hi,

the first step of this process has now been completed. We currently return both the existing and the new certificate from the JSON Web Key Set endpoint at https://auth.dataporten.no/openid/jwks.

Best regards,
Olav Morken
Uninett / Feide



From: updates-request@feide.no <updates-request@feide.no> on behalf of Olav Morken <updates@feide.no>
Sent: Thursday, August 12, 2021 07:12
To: updates@feide.no <updates@feide.no>
Subject: [Feide Updates] Feide OpenID Connect certificate change Monday 16 August until Thursday 19 August
 
OpenID Connect ID-tokens issued by Feide are signed using a certificate that expires Wednesday 6 October 2021. To prevent any compatibility issues, we will be replacing this certificate in week 33 (Monday 16 August until Thursday 19 August).

Most applications are configured to automatically fetch updated certificate information from the OpenID Connect provider. For those applications, no change should be required during this process. However, you may want to keep an eye on your application Tuesday 17 August at 13:00, which is the time that we switch to issuing ID-tokens using the new certificate. If you see any problems, you may need to force the application to refresh its configuration.

The new certificate will be deployed using a key rollover. This happens in three stages:
  • Monday 16 August at 13:00: We will add the new certificate to the list of valid certificates for our OpenID Connect provider. When OpenID Connect clients fetch our configuration, they will receive a list of two valid certificates from the JSON Web Key Set endpoint at https://auth.dataporten.no/openid/jwks.
  • Tuesday 17 August at 13:00: We will configure our OpenID Connect provider to start issuing ID-tokens using the new certificate.
  • Thursday 19 August at 13:00: We will remove the old certificate from our configuration. After this time, our OpenID Connect provider will only return the new certificate from the JSON Web Key Set endpoint.

If you have any questions or concerns about this change, please contact us at kontakt@uninett.no.

Best regards,
Olav Morken
Uninett / Feide
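
The client-side behaviour this rollover relies on, refetching the key set when a token names a signing key the client has not seen, shown as an added example that is not Feide's code. It assumes each ID token carries a `kid` header matching a JWKS entry; `JwksCache`, the key ids and the timings are hypothetical, and signature verification is left to a JOSE library.

```python
import time

class JwksCache:
    """Signing keys cached by `kid`, refetched on an unknown kid or when stale."""

    def __init__(self, fetch, max_age=86400, min_refresh=300, clock=time.monotonic):
        self._fetch = fetch              # callable returning the parsed JWKS document
        self._max_age = max_age          # retired keys are dropped after at most this long
        self._min_refresh = min_refresh  # floor between fetches caused by unknown kids
        self._clock = clock
        self._keys, self._fetched_at = {}, None

    def _refresh(self):
        jwks = self._fetch()
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._fetched_at = self._clock()

    def key_for(self, kid):
        """Return the JWK for `kid`, or None if the token must be rejected."""
        now = self._clock()
        if self._fetched_at is None or now - self._fetched_at >= self._max_age:
            self._refresh()
        elif kid not in self._keys and now - self._fetched_at >= self._min_refresh:
            # Rate limited so tokens with made-up kids cannot force a fetch per request.
            self._refresh()
        return self._keys.get(kid)

def simulate_rollover():
    """Replay the three announced stages against constructed key sets."""
    old, new = {"kid": "old", "kty": "RSA"}, {"kid": "new", "kty": "RSA"}  # constructed
    state = {"served": [old], "now": 0.0, "fetches": 0}
    def fetch():  # stands in for an HTTPS GET of the JWKS endpoint
        state["fetches"] += 1
        return {"keys": list(state["served"])}
    cache = JwksCache(fetch, max_age=48 * 3600, clock=lambda: state["now"])
    out = {"start_old": cache.key_for("old") is not None}  # Monday 12:00: old key only
    state.update(served=[old, new], now=25 * 3600)         # Tuesday 13:00: new key signs
    out["tue_new"] = cache.key_for("new") is not None      # unknown kid triggers a refetch
    state["now"] += 10
    out["forged"] = cache.key_for("made-up") is None       # inside min_refresh: no fetch
    out["fetches_after_forged"] = state["fetches"]
    state.update(served=[new], now=74 * 3600)              # Thursday 14:00: old key removed
    out["thu_old"] = cache.key_for("old") is None          # stale cache refetched, key gone
    out["thu_new"] = cache.key_for("new") is not None
    out["fetches"] = state["fetches"]
    return out

if __name__ == "__main__":
    print(simulate_rollover())
```

A client that caches keys without the unknown-`kid` refetch is the one that needs a forced refresh at the Tuesday switch, and one without `max_age` keeps accepting the old key after Thursday.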