We are using IdentityServer4 with .NET Core Web Application("http://docs.identityserver.io/en/release/quickstarts/0_overview.html"). We have replaced AddDeveloperSigningCredential
with AddSigningCredential(CreateSigningCredential())
. As we cannot use AddDeveloperSigningCredential
for production environment because on production needs to be replaced by some persistent key material. We are new to IdentityServer4 and our question is that, Is following approach fine to create signing credentials on production environment? Or do we need to made some changes in this?
Here is our startup.cs file:
public void ConfigureServices(IServiceCollection services) { services.AddSingleton<IConfiguration>(Configuration); //connection string string connectionString = Configuration.GetConnectionString("IdentityServer"); var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name; services.AddIdentityServer().AddDeveloperSigningCredential .AddSigningCredential(CreateSigningCredential()) // this adds the config data from DB (clients, resources) .AddConfigurationStore(options => { options.ConfigureDbContext = builder => builder.UseSqlServer(connectionString, sql => sql.MigrationsAssembly(migrationsAssembly)); }) // this adds the operational data from DB (codes, tokens, consents) .AddOperationalStore(options => { options.ConfigureDbContext = builder => builder.UseSqlServer(connectionString, sql => sql.MigrationsAssembly(migrationsAssembly)); // this enables automatic token cleanup. this is optional. options.EnableTokenCleanup = true; options.TokenCleanupInterval = 30; }); } private SigningCredentials CreateSigningCredential() { var credentials = new SigningCredentials(GetSecurityKey(), SecurityAlgorithms.RsaSha256Signature); return credentials; } private RSACryptoServiceProvider GetRSACryptoServiceProvider() { return new RSACryptoServiceProvider(2048); } private SecurityKey GetSecurityKey() { return new RsaSecurityKey(GetRSACryptoServiceProvider()); }
AddSigningCredential. Adds a signing key that provides the specified key material to the various token creation/validation services. AddDeveloperSigningCredential. Creates temporary key material at startup time.
IdentityServer is an authentication server that implements OpenID Connect (OIDC) and OAuth 2.0 standards for ASP.NET Core. It's designed to provide a common way to authenticate requests to all of your applications, whether they're web, native, mobile, or API endpoints.
The new Duende IdentityServer continues to be open source, but now has a dual license. This license allows it to be used for free for development, testing, and learning, free for non-commercial open source, and free for use in commercial settings if the entity or organization makes less than 1 million USD/year.
Here is a gist that should help for Ids4 with asp.net core 2.x.
It contains an RsaKeyService
class that can be injected into the service provider like:
var rsa = new RsaKeyService(Environment, TimeSpan.FromDays(30)); services.AddTransient<RsaKeyService>(provider => rsa);
This makes sure, that an RSA key is used for 30 days at most, before a new one is re-generated.
To use the key, you can call rsa.GetKey()
, and to register as a signing credential, use:
builder.AddSigningCredential(rsa.GetKey());
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With