Menu
We are in the process of implementing Identity Server 4 with our .NET Core web app.
I went trough the Identity Server documentation. When configuring the Identity server (using DI) there is the line:
.AddTemporarySigningCredential I'm trying to understand what this Signing credential is but couldn't figure out. Therefore I don't know if it's ok to use the built in temporary, or if I should provide a different one.
My question is, what is a signing credential and how should I use it?
In the Identity server documentation this is the definition:
Adds a signing key service that provides the specified key material to the various token creation/validation services. You can pass in either an X509Certificate2, a SigningCredential or a reference to a certificate from the certificate store.
So it seems important :)
356
A digitally-signed credential is a statement that provides proof of a learning achievement of an individual. These credentials are typically used to qualify for job positions, university placements and more.
A self signed ECDsa certificate can be created using the CertificateManager NewECDsaSelfSignedCertificate method. The RSA and the ECDsa certificate can then be created and exported as a pfx file. The certificate pfx exports can then be used in IdentityServer4.
Updating the Identity Signing CertificateOpen Manage Computer Certificates app, from Start->Run->type certlm. msc and OK. Go to the personal node and locate the certificate. Open the certificate and go to the 'Details' tab and get the thumbprint.
IdentityServer gives you full control over your UI, UX, business logic, and data. In IdentityServer, customizing your workflows is not an afterthought. Our APIs and extensibility points allow adapting to your workflows and business rules without having to find complicated workarounds.
The Authorization Server will sign tokens with a key. Resource Server(s) should verify that the token's integrity with a key. Together they form a (usually asymmetric, e.g. public/private) key (pair). By default IdentityServer will publish the public key for verifying tokens via the /.well-known/openid-configuration endpoint.
For development scenarios, you typically want to skip the fuss of properly managing secrets like said keys (which is really important to do properly in production!). For these development scenarios you have the option of using adhoc solutions like AddTemporarySigningCredential, which was used for .NET Core 1.x.
With .NET Core 2.x this will change and you will need the AddDeveloperSigningCredential() extension method.
That answers the question of what it is. On how to use it: you simply call the method you need depending on your .NET Core version inside the ConfigureServices(...) method of your application's Startup class.
Apart from that you don't need to do anything special, except of course take care that you use a proper key pair in production.
See also the docs on Cryptography, Keys and HTTPS and the bit on Configuring Services for Keys. From the latter document, here's a relevant alternative for production cases:
AddSigningCredentialAdds a signing key service that provides the specified key material to the various token creation/validation services. You can pass in either an
X509Certificate2, aSigningCredentialor a reference to a certificate from the certificate store.
117
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
