Description
DefaultKeyResolution.ShouldGenerateNewKey no longer reflects whether the default key is close to its expiration time.
Version
.NET 9 Preview 3
Previous behavior
It was an undocumented, but consistent, feature of the API that ShouldGenerateNewKey would be true if the default key was within two days (an over-simplification) of its expiration time. The amount of lead time was based on the polling interval of ICacheableKeyRingProvider, which was not something IDefaultKeyResolver.ResolveDefaultKeyPolicy should have depended upon (since, for example, alternative implementations would probably not be aware of these details).
New behavior
If ShouldGenerateNewKey is true, it now indicates that either there is no default key or that, for some other policy reason (i.e. in a specialized implementation of IDefaultKeyResolver), a new key should be generated. The ICacheableKeyRingProvider will make its own decision about whether the expiration time is close enough to warrant generating a new key.
Type of breaking change
Reason for change
First, we wanted to change the logic around key generation near expiration time and, second, this makes it more straightforward to implement a custom IDefaultKeyResolver.
Note that the documentation for this type already states that "This API supports infrastructure and is not intended to be used directly from your code. This API may change or be removed in future releases."
Recommended action
If you have an IDefaultKeyResolver implementation that tries to replicate the expiry logic, that logic can be removed (however, leaving it is fine as well).
If you were consuming IDefaultKeyResolver directly, for the express purpose of determining whether expiration was pending, and that continues to be important, you can check the default key's ExpirationDate property directly.
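The two recommendations above, as an added example that is not part of the announcement or the framework's own code: a custom IDefaultKeyResolver written against the new contract (it sets ShouldGenerateNewKey only when no usable default key exists) and a helper that reads ExpirationDate directly. The key-selection rule and the lead-time value are assumptions chosen for illustration, not the built-in policy.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal;

// Added example: a minimal IDefaultKeyResolver for the post-Preview-3 contract.
// It no longer tries to replicate the provider's expiry lead-time logic.
// The selection rule (newest activated, unrevoked, unexpired key) is an
// assumption for illustration, not the framework's default resolver.
public sealed class SimpleDefaultKeyResolver : IDefaultKeyResolver
{
    public DefaultKeyResolution ResolveDefaultKeyPolicy(DateTimeOffset now, IEnumerable<IKey> allKeys)
    {
        var candidates = allKeys
            .Where(k => !k.IsRevoked && k.ActivationDate <= now && k.ExpirationDate > now)
            .OrderByDescending(k => k.ActivationDate)
            .ToList();

        var resolution = new DefaultKeyResolution
        {
            DefaultKey = candidates.FirstOrDefault(),
        };

        // Under the previous behavior this is where a resolver would have
        // compared ExpirationDate against a polling-interval-derived window.
        // That decision now belongs to ICacheableKeyRingProvider, so the flag
        // only says "there is no default key to use".
        resolution.ShouldGenerateNewKey = resolution.DefaultKey is null;
        return resolution;
    }
}

// Callers that still need to know whether expiry is imminent read the key's
// ExpirationDate directly instead of relying on ShouldGenerateNewKey.
public static class KeyExpiryCheck
{
    // leadTime is supplied by the caller; a value such as TimeSpan.FromDays(2)
    // is a constructed choice for this example, not a framework constant.
    public static bool ExpiresWithin(IKey key, DateTimeOffset now, TimeSpan leadTime)
        => key.ExpirationDate - now <= leadTime;
}
```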
Affected APIs
Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.DefaultKeyResolution.ShouldGenerateNewKey