
IdentityServer4 access token after server reboot

I have implemented a Web API incorporating IdentityServer4 authentication as part of the web service.

If I reboot the server, access tokens issued before the reboot are no longer valid. I am persisting the IdentityServer data with AddConfigurationStore and AddOperationalStore.

Am I incorrect in thinking that the access tokens should have been persisted?

Graham Wright asked Oct 30 '22 08:10


1 Answer

An asymmetric key pair is used by IdentityServer4 to sign and validate JWTs. You should also persist this pair in addition to the AddOperationalStore call. As described in the documentation:

AddSigningCredential

Adds a signing key service that provides the specified key material to the various token creation/validation services. You can pass in either an X509Certificate2, a SigningCredential or a reference to a certificate from the certificate store.

AddDeveloperSigningCredential

Same purpose as the temporary signing credential. But this version persists the key to the file system so it stays stable between server restarts. This addresses issues when the client/api metadata caches get out of sync during development.

More info: Cryptography, Keys and HTTPS.

AddSigningCredential example: GitHub.

P.S. I guess AddOperationalStore stores refresh tokens only and it's by design.

Ilya Chumakov answered Jan 02 '23 20:01
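
The fix described in the answer, as an added example that is not part of the original post or of the IdentityServer4 project's code: the signing key is loaded from a certificate that exists outside the process, so JWTs signed before a reboot still validate afterwards. It assumes ASP.NET Core 2.x with IdentityServer4 2.x and IdentityServer4.EntityFramework on SQL Server; the connection string name and the `SigningCertificate:*` configuration keys are hypothetical.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _config;
    private readonly IHostingEnvironment _env;

    public Startup(IConfiguration config, IHostingEnvironment env)
    {
        _config = config;
        _env = env;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        // "IdentityServer" is a hypothetical connection string name.
        var connection = _config.GetConnectionString("IdentityServer");
        var builder = services.AddIdentityServer()
            .AddConfigurationStore(o => o.ConfigureDbContext = b => b.UseSqlServer(connection))
            .AddOperationalStore(o => o.ConfigureDbContext = b => b.UseSqlServer(connection));

        if (_env.IsDevelopment())
        {
            // Generated key is written to the file system, so it is stable across restarts.
            builder.AddDeveloperSigningCredential();
        }
        else
        {
            // Hypothetical keys; take the password from a secret store or an
            // environment variable, not from a file in source control.
            var cert = new X509Certificate2(
                _config["SigningCertificate:Path"],
                _config["SigningCertificate:Password"]);
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Signing certificate has no private key.");
            // Same key pair on every start: tokens issued before a reboot still verify.
            builder.AddSigningCredential(cert);
        }
    }

    public void Configure(IApplicationBuilder app) => app.UseIdentityServer();
}
```

Whoever can read the PFX file and its password can mint tokens that every API trusting this server will accept, so restrict access to both as tightly as to the database itself.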