AddSigningCredential for IdentityServer4

不思量自难忘° 2021-02-05 10:05

We are using IdentityServer4 with a .NET Core Web Application ("http://docs.identityserver.io/en/release/quickstarts/0_overview.html"). We have replaced AddDeveloperSigning

3 answers
  • 2021-02-05 10:16

    Here is a gist that should help for Ids4 with asp.net core 2.x.

    It contains an RsaKeyService class that can be injected into the service provider like:

    var rsa = new RsaKeyService(Environment, TimeSpan.FromDays(30));
    services.AddTransient<RsaKeyService>(provider => rsa);
    

    This makes sure that an RSA key is used for 30 days at most before a new one is re-generated.

    To use the key, you can call rsa.GetKey(), and to register as a signing credential, use:

    builder.AddSigningCredential(rsa.GetKey());
    
  • 2021-02-05 10:18

    I don't see anything persistent being loaded here so I'd have to say no, this is not suitable. I provided an example of loading a certificate here:

    How we can replace AddDeveloperSigningCredential on AWS Serverless Lambda environment?

    I suggest following that approach. You can deploy the certificate in the OS cert store, as a file or as an embedded resource within the app itself.

    ETA: Since you've said that X509 certs are off the table (interested to know why) then you'd need to provide the RSAParameters to RsaSecurityKey yourself.

    See here for the test data used in the Microsoft.IdentityModel.Tokens library:

    https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/d771b5c3ef22b7ff065e8fad1a63d6a2937b7d7f/test/Microsoft.IdentityModel.Tests/KeyingMaterial.cs

    E.g.

    using System.Security.Cryptography;
    using Microsoft.IdentityModel.Tokens;

    // Test key material from the library's test suite; in a real deployment the private
    // parameters (D, P, Q, DP, DQ, InverseQ) come from a key you generate and keep yourself.
    var RsaParameters_2048 = new RSAParameters
    {
            D = Base64UrlEncoder.DecodeBytes("C6EGZYf9U6RI5Z0BBoSlwy_gKumVqRx-dBMuAfPM6KVbwIUuSJKT3ExeL5P0Ky1b4p-j2S3u7Afnvrrj4HgVLnC1ks6rEOc2ne5DYQq8szST9FMutyulcsNUKLOM5cVromALPz3PAqE2OCLChTiQZ5XZ0AiH-KcG-3hKMa-g1MVnGW-SSmm27XQwRtUtFQFfxDuL0E0fyA9O9ZFBV5201ledBaLdDcPBF8cHC53Gm5G6FRX3QVpoewm3yGk28Wze_YvNl8U3hvbxei2Koc_b9wMbFxvHseLQrxvFg_2byE2em8FrxJstxgN7qhMsYcAyw1qGJY-cYX-Ab_1bBCpdcQ"),
            DP = Base64UrlEncoder.DecodeBytes("ErP3OpudePAY3uGFSoF16Sde69PnOra62jDEZGnPx_v3nPNpA5sr-tNc8bQP074yQl5kzSFRjRlstyW0TpBVMP0ocbD8RsN4EKsgJ1jvaSIEoP87OxduGkim49wFA0Qxf_NyrcYUnz6XSidY3lC_pF4JDJXg5bP_x0MUkQCTtQE"),
            DQ = Base64UrlEncoder.DecodeBytes("YbBsthPt15Pshb8rN8omyfy9D7-m4AGcKzqPERWuX8bORNyhQ5M8JtdXcu8UmTez0j188cNMJgkiN07nYLIzNT3Wg822nhtJaoKVwZWnS2ipoFlgrBgmQiKcGU43lfB5e3qVVYUebYY0zRGBM1Fzetd6Yertl5Ae2g2CakQAcPs"),
            Exponent = Base64UrlEncoder.DecodeBytes("AQAB"),
            InverseQ = Base64UrlEncoder.DecodeBytes("lbljWyVY-DD_Zuii2ifAz0jrHTMvN-YS9l_zyYyA_Scnalw23fQf5WIcZibxJJll5H0kNTIk8SCxyPzNShKGKjgpyZHsJBKgL3iAgmnwk6k8zrb_lqa0sd1QWSB-Rqiw7AqVqvNUdnIqhm-v3R8tYrxzAqkUsGcFbQYj4M5_F_4"),
            Modulus = Base64UrlEncoder.DecodeBytes("6-FrFkt_TByQ_L5d7or-9PVAowpswxUe3dJeYFTY0Lgq7zKI5OQ5RnSrI0T9yrfnRzE9oOdd4zmVj9txVLI-yySvinAu3yQDQou2Ga42ML_-K4Jrd5clMUPRGMbXdV5Rl9zzB0s2JoZJedua5dwoQw0GkS5Z8YAXBEzULrup06fnB5n6x5r2y1C_8Ebp5cyE4Bjs7W68rUlyIlx1lzYvakxSnhUxSsjx7u_mIdywyGfgiT3tw0FsWvki_KYurAPR1BSMXhCzzZTkMWKE8IaLkhauw5MdxojxyBVuNY-J_elq-HgJ_dZK6g7vMNvXz2_vT-SykIkzwiD9eSI9UWfsjw"),
            P = Base64UrlEncoder.DecodeBytes("_avCCyuo7hHlqu9Ec6R47ub_Ul_zNiS-xvkkuYwW-4lNnI66A5zMm_BOQVMnaCkBua1OmOgx7e63-jHFvG5lyrhyYEmkA2CS3kMCrI-dx0fvNMLEXInPxd4np_7GUd1_XzPZEkPxBhqf09kqryHMj_uf7UtPcrJNvFY-GNrzlJk"),
            Q = Base64UrlEncoder.DecodeBytes("7gvYRkpqM-SC883KImmy66eLiUrGE6G6_7Y8BS9oD4HhXcZ4rW6JJKuBzm7FlnsVhVGro9M-QQ_GSLaDoxOPQfHQq62ERt-y_lCzSsMeWHbqOMci_pbtvJknpMv4ifsQXKJ4Lnk_AlGr-5r5JR5rUHgPFzCk9dJt69ff3QhzG2c"),
    };

    var signingKey = new RsaSecurityKey(RsaParameters_2048);
    
  • 2021-02-05 10:33

    Here is a simple way of using the X509 self-signed certificate.

    One way to use a self-signed certificate to use for token signing with IdentityServer4 is to store the certificate with the application under the 'wwwroot' folder.

    // 'env' is the IWebHostEnvironment injected through the Startup constructor.
    public void ConfigureServices(IServiceCollection services)
    {
        // ..... other code .....

        var fileName = Path.Combine(env.WebRootPath, "YOUR_FileName");

        if (!File.Exists(fileName))
        {
            throw new FileNotFoundException("Signing Certificate is missing!");
        }

        // The PFX must contain the private key; the passphrase should come from
        // configuration or a secret store rather than source code.
        var cert = new X509Certificate2(fileName, "Your_PassPhrase");

        services.AddIdentityServer().AddSigningCredential(cert);

        // ... other code .....
    }
    
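The three answers above describe the same requirement from different angles: a signing key that survives restarts (the RsaKeyService), an RsaSecurityKey built from your own RSA parameters, and a key file shipped with the app. The following is an added example, not code from the question or any of the answers, that combines them: it loads a persisted RSA private key from a PEM file kept outside wwwroot (so the static-file middleware can never serve it), generates and persists one on first start, and gives the RsaSecurityKey a stable key id so the JWT `kid` header keeps matching the discovery document. The class name, the PEM path and the SIGNING_KEY_PATH setting are assumptions; it targets .NET 5 or later for RSA.ImportFromPem and PemEncoding.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper: a persistent RSA signing key for IdentityServer4, stored as a
// PKCS#8 PEM file outside wwwroot. Assumes .NET 5 or later.
public static class SigningKeyLoader
{
    public static RsaSecurityKey LoadOrCreate(string pemPath)
    {
        var rsa = RSA.Create();
        if (File.Exists(pemPath))
        {
            // Reuse the existing key so tokens issued before a restart still validate
            // against the same JWKS entry.
            rsa.ImportFromPem(File.ReadAllText(pemPath));
        }
        else
        {
            // First start: generate once and persist. The file must be readable only by the
            // account running the app (e.g. chmod 600 on Linux); never place it under wwwroot.
            rsa = RSA.Create(2048);
            Directory.CreateDirectory(Path.GetDirectoryName(Path.GetFullPath(pemPath)));
            File.WriteAllText(pemPath,
                new string(PemEncoding.Write("PRIVATE KEY", rsa.ExportPkcs8PrivateKey())));
        }

        if (rsa.KeySize < 2048)
            throw new CryptographicException($"Signing key in {pemPath} is only {rsa.KeySize} bits.");

        // Stable key id derived from the public key (SHA-256 of the SubjectPublicKeyInfo),
        // so clients can match the JWT 'kid' header to the discovery document after a restart.
        var kid = Base64UrlEncoder.Encode(SHA256.HashData(rsa.ExportSubjectPublicKeyInfo()));

        return new RsaSecurityKey(rsa) { KeyId = kid };
    }
}

// Usage inside Startup.ConfigureServices (SIGNING_KEY_PATH is an assumed setting):
//
//   var key = SigningKeyLoader.LoadOrCreate(
//       Environment.GetEnvironmentVariable("SIGNING_KEY_PATH") ?? "/var/lib/ids4/signing.pem");
//   services.AddIdentityServer()
//           .AddSigningCredential(new SigningCredentials(key, SecurityAlgorithms.RsaSha256));
```

When running several instances behind a load balancer, point them all at the same file (or a shared secret store); otherwise each instance generates its own key and tokens signed by one instance fail validation against the others' discovery document.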