According to the docs, IdentityServer uses an asymmetric key pair to sign and validate JWTs.
One could either use AddTemporarySigningCredential()
in the configuration which creates a fresh RSA every startup or use AddSigningCredential(..)
with an RSA key or a certificate.
The document mentions the Temporary version is useful for Development situations but it does not tell what is the disadvantage of this when used in a production environment.
I have a aspnetcore web api in which the clients are authenticated using the IdentityServer4. The system works fine at the moment with the temporarysigningcredential but I wonder whether there is any benefit in using the other variant.
Thanks,
Instead of AddTemporarySigningCredential consider to use AddDeveloperSigningCredential
From http://docs.identityserver.io/en/release/topics/startup.html#refstartupkeymaterial:
AddDeveloperSigningCredential
Same purpose as the temporary signing credential. But this version persists the key to the file system so it stays stable between server restarts. This addresses issues when the client/api metadata caches get out of sync during development.
WARNING: AddDeveloperSigningCredential can be used only when IdentityServer host is running on a SINGLE machine, for production farm you need to use AddSigningCredential.