How do I configure "key material" in Identity Server 4 to use SQL, KeyVault, or any other system?

The source code for ID4 asks us to "configure key material" for use in production.


I've used the following PowerShell script to create keys suitable for Identity Server 4.

# (not necessary for this question, but others may find this useful)

[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)][string]$password = "",
    [Parameter(Mandatory=$true)][string]$rootDomain = ""
)

#https://mcguirev10.com/2018/01/04/localhost-ssl-identityserver-certificates.html#identityserver-token-credentials
$cwd = Convert-Path .
$sCerFile = "$cwd\token_signing.cer"
$sPfxFile = "$cwd\token_signing.pfx"
$vCerFile = "$cwd\token_validation.cer"
$vPfxFile = "$cwd\token_validation.pfx"

# abort if files exist
if((Test-Path($sPfxFile)) -or (Test-Path($sCerFile)) -or (Test-Path($vPfxFile)) -or (Test-Path($vCerFile)))
{
    Write-Warning "Failed, token_signing or token_validation files already exist in current directory."
    Exit
}

function Get-NewCert ([string]$name)
{
    New-SelfSignedCertificate `
        -Subject $rootDomain `
        -DnsName $rootDomain `
        -FriendlyName $name `
        -NotBefore (Get-Date) `
        -NotAfter (Get-Date).AddYears(10) `
        -CertStoreLocation "cert:CurrentUser\My" `
        -KeyAlgorithm RSA `
        -KeyLength 4096 `
        -HashAlgorithm SHA256 `
        -KeyUsage DigitalSignature, KeyEncipherment, DataEncipherment `
        -Type Custom,DocumentEncryptionCert `
        -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
}

$securePass = ConvertTo-SecureString -String $password -Force -AsPlainText

# token signing certificate
$cert = Get-NewCert("IdentityServer Token Signing Credentials")
$store = 'Cert:\CurrentUser\My\' + ($cert.ThumbPrint)
Export-PfxCertificate -Cert $store -FilePath $sPfxFile -Password $securePass
Export-Certificate -Cert $store -FilePath $sCerFile
Write-Host "Token-signing thumbprint: " $cert.Thumbprint

# token validation certificate
$cert = Get-NewCert("IdentityServer Token Validation Credentials")
$store = 'Cert:\CurrentUser\My\' + ($cert.ThumbPrint)
Export-PfxCertificate -Cert $store -FilePath $vPfxFile -Password $securePass
Export-Certificate -Cert $store -FilePath $vCerFile
Write-Host "Token-validation thumbprint: " $cert.Thumbprint

Are there any implementations, or sample implementations, that have a placeholder to clearly tell me where to implement the key fetch function, and also instruction on how to add that into the Startup.cs correctly?

I'm still trying to understand the ASP.NET Core Startup/Configuration/Kestrel configuration process, and this is where I'm getting stuck.

  • How do I manage key material?
  • What object do I override, and how do I configure ID4 to use it?
TLDR asked Feb 19 '19 17:02



1 Answer

You can configure the signing key by using the IIdentityServerBuilder API:

builder.AddSigningCredential(myKeyMaterial);

You've got the following overloads available for this:

public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, SigningCredentials credential)

public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, X509Certificate2 certificate)

public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, string name, StoreLocation location = StoreLocation.LocalMachine, NameType nameType = NameType.SubjectDistinguishedName)

public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, RsaSecurityKey rsaKey)

Here is an example from one of my projects using the X509 certificate by subject name from local machine certificate store:

    private static void AddCertificateFromStore(this IIdentityServerBuilder builder,
        IConfiguration options)
    {
        var subjectName = options.GetValue<string>("SubjectName");

        // Open the machine store read-only and dispose it when done.
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);

            // validOnly = true skips expired or otherwise invalid certificates.
            var certificates = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, true);

            if (certificates.Count > 0)
            {
                builder.AddSigningCredential(certificates[0]);
            }
            else
            {
                Log.Error("A matching key couldn't be found in the store");
            }
        }
    }

With such an extension method, you can use it as below (I like to use the hosting environment to determine whether to add the developer default signing credentials or the production credentials):

        if (environment.IsDevelopment())
        {
            identityServerBuilder.AddDeveloperSigningCredential();
        }
        else
        {
            identityServerBuilder.AddCertificateFromStore(configuration);
        }
Vidmantas Blazevicius answered Oct 05 '22 06:10
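An added example (not from the answer above or from IdentityServer4 itself) of the "placeholder" the question asks for: the key fetch is a delegate the caller supplies, the extension checks what comes back before registering it, and the PFX-file fetcher, the configuration keys and the method names are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class SigningKeyExtensions
{
    // Hypothetical extension: fetchSigning returns the current signing certificate
    // (from a PFX file here; a SQL row or Key Vault secret plugs into the same delegate).
    // fetchValidation optionally returns the previous certificate, published only as a
    // validation key so tokens signed with it still validate during rotation.
    public static IIdentityServerBuilder AddSigningCredentialFrom(
        this IIdentityServerBuilder builder,
        Func<X509Certificate2> fetchSigning,
        Func<X509Certificate2> fetchValidation = null)
    {
        var signing = fetchSigning();

        // Checks IdentityServer4 does not make for you at registration time.
        if (!signing.HasPrivateKey)
            throw new InvalidOperationException("Signing certificate has no private key.");
        var now = DateTime.Now;
        if (now < signing.NotBefore || now > signing.NotAfter)
            throw new InvalidOperationException("Signing certificate is outside its validity period.");

        builder.AddSigningCredential(signing);

        var validation = fetchValidation?.Invoke();
        if (validation != null)
            builder.AddValidationKey(validation);

        return builder;
    }

    // Constructed sample fetcher for the PFX files produced by the script in the question.
    // The configuration keys "<section>:PfxPath" and "<section>:PfxPassword" are assumptions.
    public static Func<X509Certificate2> PfxFromConfiguration(IConfiguration config, string section)
    {
        return () => new X509Certificate2(config[$"{section}:PfxPath"], config[$"{section}:PfxPassword"]);
    }
}

// Startup.ConfigureServices usage (Environment and Configuration are the Startup properties):
// var isb = services.AddIdentityServer();
// if (Environment.IsDevelopment()) isb.AddDeveloperSigningCredential();
// else isb.AddSigningCredentialFrom(
//     SigningKeyExtensions.PfxFromConfiguration(Configuration, "TokenSigning"),
//     SigningKeyExtensions.PfxFromConfiguration(Configuration, "TokenValidation"));
```

Because the delegate is evaluated once at startup, a change of key in the backing store takes effect on the next restart, which is the point at which the previous certificate should move to the validation slot.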