
I have set up an IdentityServer 4 application as per the following answer. The author has used X509Certificate2 in AddSigningCredential(cert). I used AddDeveloperSigningCredential() in development, which created a tempkey.jwk file in my project folder.

I then tested this Identity Server 4 application with Postman:

[screenshot: the Postman token request]

The above call results in the successful generation of a token. Now I need to go into production. I have created an Azure App Service to host the Identity Server 4 application.

I have very little understanding of digital certificates and Identity Server 4. I have gone through a few articles/answers but I am getting super confused. I just need to understand all of it in easy words.

My questions are:

  • How can I create the X509Certificate2 certificate, as done here?
  • How would the Client application be using this certificate?
  • Where is it being used in development mode, as I am not providing any Public Key in the Postman call?

1 Answer


How can I create the X509Certificate2 certificate?

This answer might help here: https://stackoverflow.com/a/58136780/1658906.

How would the Client application be using this certificate?

It only uses the public key from the certificate if verifying the token. Your identity provider (your IdentityServer app) uses the certificate to digitally sign the tokens. An app that wishes to verify a token issued by the identity provider can use the public key from the certificate to verify the token is valid.

Apps usually get the public key from the discovery endpoint: https://identityserver4.readthedocs.io/en/latest/endpoints/discovery.html. Getting it from there instead of hard-coding the public key is best practice since it enables key rotation more easily.

The certificate's private key needs to be kept really secure. If someone has the certificate private key, they can create any token they want, and it'll be considered valid by the applications. Meaning they could impersonate any user or elevate their permissions etc.

Where is it being used in development mode, as I am not providing any Public Key in the Postman call?

Client apps do not use it when requesting a token, only if you want to verify that a token is valid.

  • Pardon if my questions sound stupid. I have very limited knowledge of certificates. If I create the self-signed certificate, where do I store it in production? While testing in development mode, I did not find the public key of a certificate on `/.well-known/openid-configuration`. Lastly, why is the `AddSigningCredential(cert)` call mandatory in production if client apps do not use it when requesting a token? Is your answer suited to a production environment? Just very confused. – Junaid Jan 08 '21 at 14:24
  • You could store it in the credential store of the Windows Server that runs the app. Ultimately it depends on where you are deploying the app. Hmm, not sure about the public key not being found there. But for example in Azure AD, the public keys are at https://login.microsoftonline.com/common/discovery/v2.0/keys. This URL is found as the "jwks_uri" at the well-known endpoint. You can read about the AddDeveloperCred function in the docs: https://docs.identityserver.io/en/release/topics/startup.html#key-material. – juunas Jan 08 '21 at 14:29
  • `AddDeveloperSigningCredential` generates a certificate which it caches on the file system. This is just not how it is done in production environments. If you ran this in a web farm, each server would get its own certificate and sign tokens with different keys. So you need to generate the certificate and make it available to the app in production. In local development environments the developer signing credential is totally fine as long as it is stable between runs, which it is. You also wouldn't be able to properly rotate the certificate with the developer credential. – juunas Jan 08 '21 at 14:32
  • Can't I store the key in the wwwroot folder of the project? – Junaid Jan 08 '21 at 14:34
  • No. The wwwroot folder is typically open for download. If the certificate file includes the private key, you will be leaking it. Typically you store it in a proper key store. Storing it with source code is also not a good idea as it just adds another place where the key could leak from. – juunas Jan 08 '21 at 14:39
  • What if I store it in ContentRootPath (the project folder), assuming only I have access to the project code? – Junaid Jan 08 '21 at 15:20
  • It _could_ be okay; though don't take this as official advice :) – juunas Jan 08 '21 at 16:42
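The split the answer describes, as an added example that is not part of the original answer or of IdentityServer: the identity provider signs with the private key, and a client verifies using only the public keys it would read from `jwks_uri`, selected by `kid`. It is Go with the standard library only; `NewKey`, `IssueToken`, `VerifyToken`, `segment` and the `kid` values are this example's own names, standing in for the X509Certificate2 handling, not IdentityServer's API.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var b64 = base64.RawURLEncoding

// NewKey stands in for the signing certificate's key pair; in production the private half
// lives inside the X509Certificate2 handed to AddSigningCredential, not in a web folder.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// IssueToken plays IdentityServer: only it holds the private key, and it signs the claims as an RS256 JWT.
func IssueToken(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// segment decodes one base64url part; on error it yields nil, which every later check rejects.
func segment(s string) []byte { b, _ := b64.DecodeString(s); return b }

// VerifyToken plays the client API. keys is the parsed jwks_uri document (public keys by kid);
// alg is pinned to RS256 (no "none"/HMAC downgrade) and an unknown kid or bad signature fails.
func VerifyToken(token string, keys map[string]*rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || json.Unmarshal(segment(parts[0]), &hdr) != nil ||
		hdr.Alg != "RS256" || keys[hdr.Kid] == nil {
		return nil, errors.New("malformed token, unsupported alg or unknown kid")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(keys[hdr.Kid], crypto.SHA256, digest[:], segment(parts[2])) != nil {
		return nil, errors.New("bad signature")
	}
	var claims map[string]any
	return claims, json.Unmarshal(segment(parts[1]), &claims)
}
```

Nothing in `VerifyToken` touches the private key, which is why a client can be given the public key alone and why an unknown `kid` is the signal to re-fetch the JWKS after a rotation rather than a reason to trust the token.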