I have implemented a Web API incorporating IdentityServer4 authentication as part of the web service.
If I reboot the server, access tokens issued before the reboot are no longer valid. I am persisting the IdentityServer data with AddConfigurationStore and AddOperationalStore.
Am I incorrect in thinking that the access tokens should be persisted?
An asymmetric key pair is used by IdentityServer4 to sign and validate JWTs. You should also persist this pair in addition to the AddOperationalStore call. As described in documentation:
AddSigningCredential
Adds a signing key service that provides the specified key material to the various token creation/validation services. You can pass in either an X509Certificate2, a SigningCredential or a reference to a certificate from the certificate store.
AddDeveloperSigningCredential
Same purpose as the temporary signing credential. But this version persists the key to the file system so it stays stable between server restarts. This addresses issues when the client/api metadata caches get out of sync during development.
More info: Cryptography, Keys and HTTPS.
AddSigningCredential example: GitHub.
P.S. I guess AddOperationalStore stores refresh tokens only and it's by design.
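The persistent signing key the answer describes, registered through AddSigningCredential with an X509Certificate2. This is an added example, not code from the post or from the IdentityServer4 project; the class name and the Signing:PfxPath / Signing:PfxPassword configuration keys are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class SigningKeySetup
{
    // Loads the same certificate on every start, so JWTs signed before a
    // restart still validate against the key published after it.
    public static X509Certificate2 LoadSigningCertificate(IConfiguration config)
    {
        // Hypothetical configuration keys; supply the values from a secret
        // store or environment variables, not from source control.
        var path = config["Signing:PfxPath"];
        var password = config["Signing:PfxPassword"];
        if (string.IsNullOrEmpty(path))
            throw new InvalidOperationException("Signing:PfxPath is not configured.");

        var cert = new X509Certificate2(path, password);

        // Fail at startup rather than at the first token request.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Signing certificate has no private key.");
        if (DateTime.Now > cert.NotAfter) // NotAfter is expressed in local time
            throw new InvalidOperationException("Signing certificate has expired.");

        return cert;
    }

    public static IIdentityServerBuilder AddPersistentSigningKey(
        IServiceCollection services, IConfiguration config)
    {
        var builder = services.AddIdentityServer()
            .AddSigningCredential(LoadSigningCertificate(config));

        // Chain the existing AddConfigurationStore(...) and
        // AddOperationalStore(...) calls on the returned builder.
        return builder;
    }
}
```

Keep the PFX file readable only by the service account, since anyone holding the private key can mint tokens the API will accept.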