Hello,
In my ASP.NET Core application I'm using an OpenIdConnectServer for Api authentication. Everything works fine.
But there is one thing I cannot resolve: how to set a custom folder for persisting token signing keys?
In service configuration I have:
services.AddDataProtection()
.PersistKeysToFileSystem(new DirectoryInfo(@"keys/"));
After first run, an application key is created there. But the OpenIdServer manages the keys somehow by itself.
app.UseOpenIdConnectServer(options => {
...
options.DataProtectionProvider = app.ApplicationServices.GetDataProtectionProvider();
...
});
Despite that, the credentials signing key is created in default location:
A new RSA key ... persisted on the disk: /home/.../.aspnet/aspnet-contrib/oidc-server/<some guid>.key.
Is that a bug or a feature? How can I force the server to store the keys also in the keys/ folder?
Abstract - why I'm doing this:
My idea is to build an API from n docker images of this, hide it behind a load balancer and run it somewhere in the cloud. The problem is: when every instance in docker creates its own application & signing key, the encrypted auth token will not work for any other instance except the one that created and signed the token with its key. Therefore, I'm trying to distribute the same keys to every docker image running. To a pre-defined application folder, if possible.
Or is there any better approach or best practice?
Thank you in advance.
Well, I figured it out.
First, we have to generate an x509 certificate (with private key) as described here
openssl genrsa -out private.key 1024
openssl req -new -x509 -key private.key -out publickey.cer -days 365
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in publickey.cer
Copy it to the folder you like, key/certificate.pfx in this case.
Then, gently insert your new certificate into OpenIdConnectServer:
appsettings.json
"Keys": {
"CertificatePath": "keys/certificate.pfx",
"CertificatePassword": "<password you provided>"
}
Startup.cs
private X509Certificate2 CreateOauthCertificate(){
var path = Configuration["Keys:CertificatePath"];
var password = Configuration["Keys:CertificatePassword"];
return new X509Certificate2(path, password);
}
Startup.cs - Configure
app.UseOpenIdConnectServer(options => {
...
options.SigningCredentials.AddCertificate(CreateOauthCertificate());
...
});
Now I'm curious if there is a better way or not.
But this works.
Regards
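An added example (not code from either post) that pulls the two halves of the problem together: the signing certificate from the answer, loaded with a few checks before it is handed to AddCertificate(), and the Data Protection key ring from the question, pinned to one shared directory and one application name so every replica can read tokens protected by any other. The class name, the "oidc-api" application name and the 2048-bit minimum are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper class; call these from Startup.ConfigureServices / Configure.
public static class SharedKeyConfig
{
    // Loads the PFX named in configuration ("Keys:CertificatePath" / "Keys:CertificatePassword",
    // the keys used in the answer) and refuses anything that cannot actually sign tokens.
    public static X509Certificate2 LoadSigningCertificate(IConfiguration config, int minRsaBits = 2048)
    {
        var path = config["Keys:CertificatePath"];
        var password = config["Keys:CertificatePassword"];
        if (string.IsNullOrEmpty(path) || !File.Exists(path))
            throw new FileNotFoundException("Signing certificate missing; mount the same PFX into every container.", path);

        // EphemeralKeySet keeps the private key in memory only, so the container does not
        // write a copy of it under the user profile on Linux (flag is not supported on macOS).
        var cert = new X509Certificate2(path, password, X509KeyStorageFlags.EphemeralKeySet);

        if (!cert.HasPrivateKey)
            throw new CryptographicException("PFX has no private key; export it with -inkey as in the openssl step.");
        using (var rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null || rsa.KeySize < minRsaBits)
                throw new CryptographicException($"RSA signing key must be at least {minRsaBits} bits.");
        }
        if (cert.NotAfter < DateTime.Now)
            throw new CryptographicException("Signing certificate has expired; rotate it before deploying.");

        // The thumbprint is the value to compare across replicas: every instance must log the same one,
        // otherwise a token signed by one instance will be rejected by the others.
        Console.WriteLine($"OIDC signing certificate thumbprint: {cert.Thumbprint}");
        return cert;
    }

    // Data Protection must also share one key ring, or tokens protected by one replica are
    // unreadable by the rest. A shared directory (mounted volume) plus one fixed application
    // name makes every replica derive and use the same keys.
    public static IServiceCollection AddSharedDataProtection(this IServiceCollection services, string keyDirectory)
    {
        services.AddDataProtection()
            .SetApplicationName("oidc-api")
            .PersistKeysToFileSystem(new DirectoryInfo(keyDirectory));
        return services;
    }
}
```

Wire it up with `services.AddSharedDataProtection("keys/")` in ConfigureServices and `options.SigningCredentials.AddCertificate(SharedKeyConfig.LoadSigningCertificate(Configuration))` in Configure; compare the logged thumbprints after rolling out a new image.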