The source code for ID4 asks us to "configure key material" for use in production.
I've used the following PowerShell script to create keys suitable for Identity Server 4.
(not necessary for this question, but others may find this useful)

```powershell
[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)][string]$password = "",
    [Parameter(Mandatory=$true)][string]$rootDomain = ""
)
# https://mcguirev10.com/2018/01/04/localhost-ssl-identityserver-certificates.html#identityserver-token-credentials
$cwd = Convert-Path .
$sCerFile = "$cwd\token_signing.cer"
$sPfxFile = "$cwd\token_signing.pfx"
$vCerFile = "$cwd\token_validation.cer"
$vPfxFile = "$cwd\token_validation.pfx"

# abort if files exist
if ((Test-Path($sPfxFile)) -or (Test-Path($sCerFile)) -or (Test-Path($vPfxFile)) -or (Test-Path($vCerFile)))
{
    Write-Warning "Failed, token_signing or token_validation files already exist in current directory."
    Exit
}

# Creates a 10-year, 4096-bit RSA self-signed certificate in the current user's personal store
function Get-NewCert ([string]$name)
{
    New-SelfSignedCertificate `
        -Subject $rootDomain `
        -DnsName $rootDomain `
        -FriendlyName $name `
        -NotBefore (Get-Date) `
        -NotAfter (Get-Date).AddYears(10) `
        -CertStoreLocation "cert:CurrentUser\My" `
        -KeyAlgorithm RSA `
        -KeyLength 4096 `
        -HashAlgorithm SHA256 `
        -KeyUsage DigitalSignature, KeyEncipherment, DataEncipherment `
        -Type Custom,DocumentEncryptionCert `
        -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
}

$securePass = ConvertTo-SecureString -String $password -Force -AsPlainText

# token signing certificate: the .pfx (with private key) is for the server, the .cer (public key only) for relying parties
$cert = Get-NewCert("IdentityServer Token Signing Credentials")
$store = 'Cert:\CurrentUser\My\' + ($cert.ThumbPrint)
Export-PfxCertificate -Cert $store -FilePath $sPfxFile -Password $securePass
Export-Certificate -Cert $store -FilePath $sCerFile
Write-Host "Token-signing thumbprint: " $cert.Thumbprint

# token validation certificate
$cert = Get-NewCert("IdentityServer Token Validation Credentials")
$store = 'Cert:\CurrentUser\My\' + ($cert.ThumbPrint)
Export-PfxCertificate -Cert $store -FilePath $vPfxFile -Password $securePass
Export-Certificate -Cert $store -FilePath $vCerFile
Write-Host "Token-validation thumbprint: " $cert.Thumbprint
```
Are there any implementations, or sample implementations, that have a placeholder to clearly tell me where to implement the key fetch function, and also instructions on how to add that into Startup.cs correctly?
I'm still trying to understand the ASP.NET Core Startup/Configuration/Kestrel configuration process, and this is where I'm getting stuck.
You can configure the signing key by using the IIdentityServerBuilder API:

```csharp
builder.AddSigningCredential(myKeyMaterial);
```

You've got the below available overloads for this:

```csharp
public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, SigningCredentials credential)
public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, X509Certificate2 certificate)
public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, string name, StoreLocation location = StoreLocation.LocalMachine, NameType nameType = NameType.SubjectDistinguishedName)
public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, RsaSecurityKey rsaKey)
```
Here is an example from one of my projects using the X509 certificate by subject name from the local machine certificate store:

```csharp
private static void AddCertificateFromStore(this IIdentityServerBuilder builder,
    IConfiguration options)
{
    var subjectName = options.GetValue<string>("SubjectName");
    using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
    {
        store.Open(OpenFlags.ReadOnly);
        // validOnly = true skips certificates that are expired or not chained to a trusted root
        var certificates = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, true);
        if (certificates.Count > 0)
        {
            builder.AddSigningCredential(certificates[0]);
        }
        else
        {
            Log.Error("A matching key couldn't be found in the store");
        }
    }
}
```
With such an extension method, you can use it as per below (I like to use the hosting environment to determine whether to add developer default signing credentials or production credentials):

```csharp
if (environment.IsDevelopment())
{
    identityServerBuilder.AddDeveloperSigningCredential();
}
else
{
    identityServerBuilder.AddCertificateFromStore(configuration);
}
```
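To tie this back to the question, here is an added example (not code from the question, the answer above, or the IdentityServer4 project) of a complete Startup.ConfigureServices that loads the token_signing.pfx and token_validation.pfx files produced by the PowerShell script, switches to the developer credential outside production, and refuses a file that has no private key or is outside its validity window. The configuration key names (IdentityServer:SigningPfxPath and friends) are hypothetical names chosen for this example.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    private readonly IConfiguration _configuration;
    private readonly IWebHostEnvironment _environment;

    public Startup(IConfiguration configuration, IWebHostEnvironment environment)
    {
        _configuration = configuration;
        _environment = environment;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        var builder = services.AddIdentityServer();
        if (_environment.IsDevelopment())
        {
            builder.AddDeveloperSigningCredential(); // temporary key on disk; dev only
            return;
        }
        // Path and password come from configuration (environment variables or a secret
        // store), never from source control. The key names below are hypothetical.
        builder.AddSigningCredential(LoadPfx(
            _configuration["IdentityServer:SigningPfxPath"],
            _configuration["IdentityServer:SigningPfxPassword"]));
        // The second certificate is published for validation only, so tokens signed
        // with the previous key keep validating after a rotation.
        builder.AddValidationKey(LoadPfx(
            _configuration["IdentityServer:ValidationPfxPath"],
            _configuration["IdentityServer:ValidationPfxPassword"]));
    }

    // Fails fast on a .cer (public key only) or a certificate outside its validity window.
    private static X509Certificate2 LoadPfx(string path, string password)
    {
        var cert = new X509Certificate2(path, password);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException($"{cert.Thumbprint}: no private key, load the .pfx not the .cer");
        var now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException($"{cert.Thumbprint}: outside its validity period");
        return cert;
    }
}
```

Failing at startup is deliberate: a missing or expired signing key found this way is far cheaper to fix than tokens that relying parties silently reject.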