What is the Signing Credential in IdentityServer4?

Shaul Zuarets · Sep 10, 2017 · Viewed 20.6k times

We are in the process of implementing Identity Server 4 with our .NET Core web app.

I went through the Identity Server documentation. When configuring the Identity Server (using DI) there is the line:

.AddTemporarySigningCredential

I'm trying to understand what this Signing credential is but couldn't figure it out. Therefore I don't know if it's ok to use the built-in temporary one, or if I should provide a different one.

My question is, what is a signing credential and how should I use it?

In the Identity server documentation this is the definition:

Adds a signing key service that provides the specified key material to the various token creation/validation services. You can pass in either an X509Certificate2, a SigningCredential or a reference to a certificate from the certificate store.

So it seems important :)

Answer

Jeroen · Sep 10, 2017

The Authorization Server will sign tokens with a key. Resource Server(s) should verify the token's integrity with a key. Together they form a (usually asymmetric, e.g. public/private) key pair. By default IdentityServer will publish the public key for verifying tokens via the /.well-known/openid-configuration endpoint.

For development scenarios, you typically want to skip the fuss of properly managing secrets like said keys (which is really important to do properly in production!). For these development scenarios you have the option of using adhoc solutions like AddTemporarySigningCredential, which was used for .NET Core 1.x.

With .NET Core 2.x this will change and you will need the AddDeveloperSigningCredential() extension method.

That answers the question of what it is. On how to use it: you simply call the method you need depending on your .NET Core version inside the ConfigureServices(...) method of your application's Startup class.

Apart from that you don't need to do anything special, except, of course, to take care that you use a proper key pair in production.

See also the docs on Cryptography, Keys and HTTPS and the bit on Configuring Services for Keys. From the latter document, here's a relevant alternative for production cases:

  • AddSigningCredential

    Adds a signing key service that provides the specified key material to the various token creation/validation services. You can pass in either an X509Certificate2, a SigningCredential or a reference to a certificate from the certificate store.
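The environment-dependent choice the answer describes, written out as a complete `Startup` class for IdentityServer4 on .NET Core 2.x. This is an added example, not code from the question, the answer, or the IdentityServer4 project. It assumes two hypothetical configuration keys, `Signing:Thumbprint` (a certificate in the machine's personal store) and `Signing:PfxPath` / `Signing:PfxPassword` (a PFX file, with the password coming from a secret store rather than appsettings.json); registration of clients and API resources is left out since it does not affect the signing credential.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Added example (not from the original post): picks the signing credential
// in ConfigureServices based on the hosting environment.
public class Startup
{
    private readonly IHostingEnvironment _env;
    private readonly IConfiguration _config;

    public Startup(IHostingEnvironment env, IConfiguration config)
    {
        _env = env;
        _config = config;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        // Client and API resource registration omitted; it is independent of
        // which key signs the tokens.
        var builder = services.AddIdentityServer();

        if (_env.IsDevelopment())
        {
            // Ad-hoc RSA key generated on first start and persisted to a
            // tempkey file beside the app, so tokens survive restarts.
            // Development only: the key is not managed or protected.
            builder.AddDeveloperSigningCredential();
        }
        else
        {
            // Production: an X.509 certificate whose private key lives in the
            // certificate store or a PFX kept outside the source tree. Its public
            // key is what /.well-known/openid-configuration (jwks_uri) publishes.
            builder.AddSigningCredential(LoadSigningCertificate());
        }
    }

    // Hypothetical helper: the configuration keys below are assumptions for
    // this example, not IdentityServer4 settings.
    private X509Certificate2 LoadSigningCertificate()
    {
        var thumbprint = _config["Signing:Thumbprint"];
        if (!string.IsNullOrEmpty(thumbprint))
        {
            using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
            {
                store.Open(OpenFlags.ReadOnly);
                // validOnly:false so an expired cert fails loudly below instead
                // of silently falling through to the PFX path.
                var matches = store.Certificates.Find(
                    X509FindType.FindByThumbprint, thumbprint, validOnly: false);
                if (matches.Count == 0)
                    throw new InvalidOperationException(
                        $"Signing certificate {thumbprint} not found in LocalMachine\\My.");

                var cert = matches[0];
                if (!cert.HasPrivateKey)
                    throw new InvalidOperationException(
                        "Signing certificate has no private key; it cannot sign tokens.");
                if (cert.NotAfter < DateTime.UtcNow)
                    throw new InvalidOperationException(
                        $"Signing certificate expired on {cert.NotAfter:u}.");
                return cert;
            }
        }

        var pfxPath = _config["Signing:PfxPath"];
        var pfxPassword = _config["Signing:PfxPassword"]; // from a secret store, not appsettings.json
        if (string.IsNullOrEmpty(pfxPath))
            throw new InvalidOperationException(
                "No signing credential configured: set Signing:Thumbprint or Signing:PfxPath.");

        return new X509Certificate2(pfxPath, pfxPassword);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseIdentityServer();
    }
}
```

After the server starts, requesting `/.well-known/openid-configuration` and following its `jwks_uri` shows the public half of whichever key was registered; a resource server that validates tokens against that document will reject tokens once the key is rotated, so rotating the production certificate means the old key must be kept published until the last token signed with it has expired.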