I'm fairly new to using encryption and RSA tokens and I'm trying to get IdentityServer4 to not use the developer signing credential, but one of my own. Here is what I have tried so far:

```csharp
// Generate a key pair with the provider's default size and export the private parameters.
var keyInfo = new RSACryptoServiceProvider().ExportParameters(true);
var rsaSecurityKey = new RsaSecurityKey(new RSAParameters
{
    D = keyInfo.D,
    DP = keyInfo.DP,
    DQ = keyInfo.DQ,
    Exponent = keyInfo.Exponent,
    InverseQ = keyInfo.InverseQ,
    Modulus = keyInfo.Modulus,
    P = keyInfo.P,
    Q = keyInfo.Q
});

services.AddIdentityServer()
    .AddSigningCredential(rsaSecurityKey)   // use the key above instead of AddDeveloperSigningCredential()
    .AddInMemoryPersistedGrants()
    .AddInMemoryIdentityResources(Config.GetIdentityResources())
    .AddInMemoryApiResources(Config.GetApiResources())
    .AddInMemoryClients(Config.GetClients())
    .AddAspNetIdentity<User>();
```
However, when I run IdentityServer4 and get redirected to the sign-in page from another website, I get the following error:

```
IDX10630: The '[PII is hidden]' for signing cannot be smaller than '[PII is hidden]' bits. KeySize: '[PII is hidden]'. Parameter name: key.KeySize
```
I have to admit, I've been on this all weekend, trying to figure out how to use SigningCredentials and I'm not really sure what I've done wrong above.
You can see more details in development by adding the following to `Configure()` in the `Startup` class:

```csharp
using Microsoft.IdentityModel.Logging;   // IdentityModelEventSource lives here

if (env.IsDevelopment())
{
    // Reveals the values hidden behind '[PII is hidden]' in IDX messages; development only.
    IdentityModelEventSource.ShowPII = true;
}
```
For those who are having the same problem:

The `ShowPII` configuration is set globally; it's a static property of `IdentityModelEventSource` and can be set in the `Startup` class, for example. Once I added it I could see that it was throwing an `InvalidIssuer` exception for token validation. For me it was related to how I was generating the JWT to communicate with my API (which is protected with IdentityServer4). I was generating the token over the URL `http://localhost:5002` (outside of the docker-compose network), which is different from the IdentityServer issuer URL inside my API: `http://<<docker-service-name>>`. So, if you are using docker-compose and run your IdentityServer as a separate container inside the same docker-compose, be aware that your authentication should generate a token with an IDENTICAL issuer to the one used in your API.
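The two failures discussed above, a signing key below the enforced minimum size and an issuer string that does not match between token and API, can be reproduced in isolation. This is an added example, not code from the question or the answers; it assumes .NET Core with the `Microsoft.IdentityModel.Tokens` and `System.IdentityModel.Tokens.Jwt` packages, and the issuer URLs, audience and subject are constructed sample values.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;
public static class SigningKeyDemo
{
    // Minimum RSA size Microsoft.IdentityModel accepts for signing; smaller keys raise IDX10630.
    const int MinimumRsaBits = 2048;
    public static RsaSecurityKey CreateSigningKey(int bits)
    {
        // Request the size explicitly; the parameterless RSACryptoServiceProvider() picks a platform default.
        var key = new RsaSecurityKey(RSA.Create(bits));
        if (key.KeySize < MinimumRsaBits)
            throw new ArgumentOutOfRangeException(nameof(bits),
                $"RSA signing key is {key.KeySize} bits, need at least {MinimumRsaBits}.");
        return key;
    }
    public static string IssueToken(RsaSecurityKey key, string issuer)
    {
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(new SecurityTokenDescriptor
        {
            Issuer = issuer,
            Audience = "api1",                       // constructed sample audience
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "alice") }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.RsaSha256)
        }));
    }
    // True only if signature, audience and issuer all validate; the issuer must match exactly.
    public static bool Validate(string jwt, RsaSecurityKey key, string expectedIssuer)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = expectedIssuer, ValidAudience = "api1", IssuerSigningKey = key
        };
        try { new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _); return true; }
        catch (SecurityTokenInvalidIssuerException) { return false; }
    }
    public static void Main()
    {
        var key = CreateSigningKey(2048);
        var token = IssueToken(key, "http://identityserver");            // constructed issuer URL
        Console.WriteLine(Validate(token, key, "http://identityserver"));  // same issuer the token was minted with
        Console.WriteLine(Validate(token, key, "http://localhost:5002"));  // different host, so the issuer check rejects it
    }
}
```

Calling `CreateSigningKey(1024)` throws before the key ever reaches `AddSigningCredential`, which surfaces the size problem with a readable message instead of the PII-masked IDX10630.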