ASP.NET Core OpenIdConnectServer data protection keys location

Question

Hello,

In my ASP.NET Core application I'm using an OpenIdConnectServer for Api authentication. Everything works fine.

But there is one thing I cannot resolve - how to set custom folder for persisting token signing keys?

In service configuration I have:

services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo(@"keys/"));

After first run, an application key is created there. But the OpenIdServer manages the keys somehow by itself.

app.UseOpenIdConnectServer(options => {
    ...
    options.DataProtectionProvider = app.ApplicationServices.GetDataProtectionProvider();
    ...
});

Despite that, the credentials signing key is created in default location:

 A new RSA key ... persisted on the disk: /home/.../.aspnet/aspnet-contrib/oidc-server/<some guid>.key.

Is that bug or a feature? How can I force the server to store the keys also in the keys/ folder?

---

Abstract - why I'm doing this:

My idea is to build an API from n docker images of this, hide it behind an load ballancer and run somewhere in the cloud. The problem is - when every instance in docker creates it's own application&signing key, the encrypted auth token will not work for any other instance except the one, that has created and signed the token with it's key. Therefore, I'm trying to distribute the same keys to every docker image running. To an pre-defined application folder, if possible.

Or is there any better approach or best practice?

---

Thanks you in advance.

Answer 1

Well, I figured it out.

First, we have to generate a x509 certificate (with private key) as described here

openssl genrsa -out private.key 1024
openssl req -new -x509 -key private.key -out publickey.cer -days 365
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in publickey.cer

Copy it to the folder you like, key/certificate.pfx in this case.

Then, gently insert your new certificate to OpenIdConnectServer:

appsettings.json

"Keys": {
    "CertificatePath": "keys/certificate.pfx",
    "CertificatePassword": "<password you provider>"
}

Startup.cs

private X509Certificate2 CreateOauthCertificate(){
        var path = Configuration["Keys:CertificatePath"];
        var password = Configuration["Keys:CertificatePassword"];
        return new X509Certificate2(path, password);
    }

Starup.cs - Configure

app.UseOpenIdConnectServer(
    ...
    options.SigningCredentials.AddCertificate(CreateOauthCertificate());
    ...
});

Now I'm curious if there is a better way or not.

But this works.

Regards