
We are in the process of implementing Identity Server 4 with our .NET Core web app.

I went through the Identity Server documentation. When configuring the Identity server (using DI) there is the line:

.AddTemporarySigningCredential

I'm trying to understand what this Signing credential is but couldn't figure it out. Therefore I don't know if it's ok to use the built-in temporary one, or if I should provide a different one.

My question is, what is a signing credential and how should I use it?

In the Identity server documentation this is the definition:

Adds a signing key service that provides the specified key material to the various token creation/validation services. You can pass in either an X509Certificate2, a SigningCredential or a reference to a certificate from the certificate store.

So it seems important :)


1 Answer


The Authorization Server will sign tokens with a key. Resource Server(s) should verify the token's integrity with a key. Together they form a (usually asymmetric, e.g. public/private) key (pair). By default IdentityServer will publish the public key for verifying tokens via the /.well-known/openid-configuration endpoint.

For development scenarios, you typically want to skip the fuss of properly managing secrets like said keys (which is really important to do properly in production!). For these development scenarios you have the option of using adhoc solutions like AddTemporarySigningCredential, which was used for .NET Core 1.x.

With .NET Core 2.x this will change and you will need the AddDeveloperSigningCredential() extension method.

That answers the question of what it is. On how to use it: you simply call the method you need depending on your .NET Core version inside the ConfigureServices(...) method of your application's Startup class.

Apart from that you don't need to do anything special, except, of course, taking care that you use a proper key pair in production.

See also the docs on Cryptography, Keys and HTTPS and the bit on Configuring Services for Keys. From the latter document, here's a relevant alternative for production cases:

  • AddSigningCredential

    Adds a signing key service that provides the specified key material to the various token creation/validation services. You can pass in either an X509Certificate2, a SigningCredential or a reference to a certificate from the certificate store.

  • Thanks. I read the breaking changes doc. I didn't understand what I should use in production? – Shaul Zuarets Sep 11 '17 at 07:56
  • Oh right! You can use `AddSigningCredential(...)`, see [these docs](http://docs.identityserver.io/en/release/topics/startup.html?highlight=x509#configuring-services). Updated my answer a bit. – Jeroen Sep 11 '17 at 08:16
  • It's probably because I don't understand everything as I should. How do I create a key for AddSigningCredential? – Shaul Zuarets Sep 11 '17 at 14:37
  • Creating and managing certificates (especially ones like x509 certs) is a whole topic on its own. The IdentityServer docs seem vague about that topic, perhaps purposely so (because it's seen as a separate concern). I'm no expert either, but I think you can use a tool of your choice to create a self-signed x509 certificate, because all that matters is that you get a good pub/private key pair with enough entropy. – Jeroen Sep 11 '17 at 15:53
  • @Jeroen, what did you mean with "By default IdentityServer will publish the public key for verifying tokens on the /.well-known/openid-configuration endpoint."? For me this route doesn't show this information. – Cassio Farias Machado Feb 21 '18 at 12:41
  • @CassioFariasMachado Hmmm weird. I was talking about [the Discovery Endpoint](http://docs.identityserver.io/en/release/endpoints/discovery.html), which IIRC should be enabled by default. The response should be similar to [the demo server response](https://demo.identityserver.io/.well-known/openid-configuration). If you're not getting that endpoint I suggest asking a new question with steps to reproduce your scenario. – Jeroen Feb 21 '18 at 13:48
  • @Jeroen, it's my mistake, I have access to this too. I was trying to authorize a Node api by the Identity Server and I was having problems authorizing my application to validate the tokens. In summary, I did this using the route `/.well-known/openid-configuration/jwks` to get the public key and validate the tokens. – Cassio Farias Machado Mar 05 '18 at 13:14
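The `ConfigureServices` wiring the answer describes, as an added example (not code from the question, the answer, or the IdentityServer4 project): the developer credential is used only in the Development environment, and in any other environment a certificate with a private key is loaded from the local machine store via `AddSigningCredential`. The thumbprint is a placeholder; the `LoadSigningCertificate` helper is hypothetical and assumes ASP.NET Core 2.x and IdentityServer4 2.x.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IHostingEnvironment _env;

    public Startup(IHostingEnvironment env) => _env = env;

    public void ConfigureServices(IServiceCollection services)
    {
        var builder = services.AddIdentityServer();

        if (_env.IsDevelopment())
        {
            // .NET Core 2.x replacement for AddTemporarySigningCredential.
            // Generates a throwaway RSA key on disk; never ship this to production.
            builder.AddDeveloperSigningCredential();
        }
        else
        {
            // Placeholder thumbprint: in a real deployment read it from configuration.
            var cert = LoadSigningCertificate("THUMBPRINT-PLACEHOLDER");
            builder.AddSigningCredential(cert);
        }
    }

    // Hypothetical helper: find the signing certificate by thumbprint and refuse to start
    // unless its private key is available (without it IdentityServer cannot sign tokens).
    private static X509Certificate2 LoadSigningCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false so a self-signed certificate (as suggested in the comments) is accepted.
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException($"Signing certificate {thumbprint} not found in LocalMachine\\My.");

            var cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Signing certificate has no private key; tokens cannot be signed.");
            return cert;
        }
    }
}
```

Only the public half of that certificate is exposed on the discovery/JWKS endpoint mentioned in the comments; resource servers use it to verify signatures, so the private key stays on the IdentityServer host.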