IdentityServer4 access token after server reboot

Question

I have implemented a Web API incorporating IdentityServer4 authentication as part of the web service.

If I reboot the server access tokens issued before the reboot are no longer valid. I am persisting the IdentityServer data with AddConfigurationStore and AddOperationalStore.

Am I incorrect in thinking that the access tokens should been persisted ?

Answer 1

An asymmetric key pair is used by IdentityServer4 to sign and validate JWTs. You should also persist this pair in addition to AddOperationalStore call. As described in documentation:

AddSigningCredential

Adds a signing key service that provides the specified key material to the various token creation/validation services. You can pass in either an X509Certificate2, a SigningCredential or a reference to a certificate from the certificate store.

AddDeveloperSigningCredential

Same purpose as the temporary signing credential. But this version persists the key to the file system so it stays stable between server restarts. This addresses issues when the client/api metadata caches get out of sync during development.

More info: Cryptography, Keys and HTTPS.

AddSigningCredential example: GitHub.

P.S. I guess AddOperationalStore stores refresh tokens only and it's by design.