AddSigningCredential for IdentityServer4

c# identityserver4
Rakesh Kumar picture Rakesh Kumar · Mar 1, 2018 · Viewed 19.7k times · Source

We are using IdentityServer4 with .NET Core Web Application("http://docs.identityserver.io/en/release/quickstarts/0_overview.html"). We have replaced AddDeveloperSigningCredential with AddSigningCredential(CreateSigningCredential()). As we cannot use AddDeveloperSigningCredential for production environment because on production needs to be replaced by some persistent key material. We are new to IdentityServer4 and our question is that, Is following approach fine to create signing credentials on production environment? Or do we need to made some changes in this?

Here is our startup.cs file:

public void ConfigureServices(IServiceCollection services)
{
    services.AddSingleton<IConfiguration>(Configuration);

    //connection string
    string connectionString = Configuration.GetConnectionString("IdentityServer");

    var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;

    services.AddIdentityServer().AddDeveloperSigningCredential
    .AddSigningCredential(CreateSigningCredential())
    // this adds the config data from DB (clients, resources)
    .AddConfigurationStore(options =>
    {
        options.ConfigureDbContext = builder =>
        builder.UseSqlServer(connectionString,
            sql => sql.MigrationsAssembly(migrationsAssembly));
                }) // this adds the operational data from DB (codes, tokens, consents)
    .AddOperationalStore(options =>
    {
        options.ConfigureDbContext = builder =>
        builder.UseSqlServer(connectionString,
            sql => sql.MigrationsAssembly(migrationsAssembly));

        // this enables automatic token cleanup. this is optional.
        options.EnableTokenCleanup = true;
        options.TokenCleanupInterval = 30;
        });
}

private SigningCredentials CreateSigningCredential()
{
    var credentials = new SigningCredentials(GetSecurityKey(), SecurityAlgorithms.RsaSha256Signature);

    return credentials;
}
private RSACryptoServiceProvider GetRSACryptoServiceProvider()
{
    return new RSACryptoServiceProvider(2048);
}
private SecurityKey GetSecurityKey()
{
    return new RsaSecurityKey(GetRSACryptoServiceProvider());
}

Answer

mykeels picture mykeels · Aug 11, 2019

Here is a gist that should help for Ids4 with asp.net core 2.x.

It contains an RsaKeyService class that can be injected into the service provider like:

var rsa = new RsaKeyService(Environment, TimeSpan.FromDays(30));
services.AddTransient<RsaKeyService>(provider => rsa);

This makes sure, that an RSA key is used for 30 days at most, before a new one is re-generated.

To use the key, you can call rsa.GetKey(), and to register as a signing credential, use:

builder.AddSigningCredential(rsa.GetKey());

Related questions

IdentityServer4 register UserService and get users from database in asp.net core

I've searched all over on how to register a UserService with IdentityServer4 in asp.net core, but I cant seem to find the right way to do it. This is the code to register InMemoryUsers found here, however I would …

Read More
How to add custom claims to access token in IdentityServer4?

I am using IdentityServer4. I want to add other custom claims to access token but I'm unable to do this. I have modified Quickstart5 and added ASP.NET Identity Core and the custom claims via ProfileService as suggested by Coemgen …

Read More
Identity Server 4: adding claims to access token

I am using Identity Server 4 and Implicit Flow and want to add some claims to the access token, the new claims or attributes are "tenantId" and "langId". I have added langId as one of my scopes as below and then …

Read More