Identity Server 4 - using self-signed RSA key with AddDeveloperSigningCredential in non-Development environments
I am using Identity Server 4 (.NET Core 2.2) in all of our environments (Development, Test, Production) and we have a Startup as follows:
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            // creates/loads tempkey.rsa next to the application; meant for local development only
            .AddDeveloperSigningCredential()
            .AddAspNetIdentity<ApplicationUser>()
            .AddInMemoryClients(Configuration.GetSection("IdentityServer:Clients"))
            .AddConfigurationStore(Configuration.GetSection("CosmosDB"))
            .AddOperationalStore(Configuration.GetSection("CosmosDB"))
            .AddProfileService<ProfileService>();
    }

This uses our temporary RSA key file (tempkey.rsa) generated within our Debug/Development environment.
This is currently functioning: users are authenticated and claims are processed.
I realize that this is not recommended in any environment other than locally/Development; however, we are about to migrate from ADFS-3 to ADFS-4, which will change the architecture, and hence we will no longer have a need for the above code (and potentially no need for our instance of Identity Server 4).
I also realize that there are limitations in the solution regarding:
- single/multiple instances (the same RSA key would need to be in sync across multiple instances if that were the case);
- the visibility of tempkey.rsa over the Internet (the folder it is in isn't served over the Internet).
I have a few questions, however, regarding what will happen if the certificate at the ADFS end is updated (which may occur before we migrate). If this happens:
- Will the existing user JWTs be invalidated?
- I don't see anywhere that the thumbprint of the old (or potentially new) ADFS certificate is held; should it be registered somewhere?
- As I understand it, RSA keys don't expire; is that correct?
Solution 1:
You should never use AddDeveloperSigningCredential in production, because you might (depending on your setup) lose the key when you redeploy, and if that happens a new signing key is generated. That in turn will mean that all already issued tokens will be invalidated.
A better approach is to use the AddSigningCredential method and store the key outside IdentityServer.
When you do key rotation, you can keep the old keys around for validating already issued tokens; you then use AddValidationKey to add the retired old signing keys.
See https://docs.duendesoftware.com/identityserver/v5/fundamentals/keys/
And yes, RSA signing keys do not have any expiry time; however, sometimes you wrap and transport the RSA key inside a certificate, and then you have a date/time component added.
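To make the answer concrete, here is an added example (not code from the question or the answer, and not IdentityServer's own sample) of what the Startup from the question looks like once AddDeveloperSigningCredential is replaced by AddSigningCredential plus AddValidationKey. The certificates are loaded from the local machine certificate store by thumbprint, which also addresses the question's multi-instance concern: every instance reads the same certificate from its store instead of a tempkey.rsa file on disk. The configuration keys (IdentityServer:SigningCertificateThumbprint, IdentityServer:ValidationCertificateThumbprints) and the thumbprint values are assumptions for this example; the thumbprint placeholders must be replaced with real ones.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration Configuration;

    public Startup(IConfiguration configuration) => Configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed configuration shape (placeholders, not real thumbprints):
        // "IdentityServer": {
        //   "SigningCertificateThumbprint": "<CURRENT-SIGNING-CERT-THUMBPRINT>",
        //   "ValidationCertificateThumbprints": [ "<PREVIOUS-SIGNING-CERT-THUMBPRINT>" ]
        // }
        var signingCert = LoadCertificate(
            Configuration["IdentityServer:SigningCertificateThumbprint"],
            requirePrivateKey: true);

        var builder = services.AddIdentityServer()
            // Current key: signs newly issued tokens and is published in the discovery document.
            .AddSigningCredential(signingCert)
            .AddAspNetIdentity<ApplicationUser>()
            .AddInMemoryClients(Configuration.GetSection("IdentityServer:Clients"))
            .AddConfigurationStore(Configuration.GetSection("CosmosDB"))
            .AddOperationalStore(Configuration.GetSection("CosmosDB"))
            .AddProfileService<ProfileService>();

        // Retired keys: still advertised for validation so tokens issued before the
        // rotation keep verifying until they expire on their own. Only the public part
        // is needed, so a private key is not required here.
        var retired = Configuration
            .GetSection("IdentityServer:ValidationCertificateThumbprints")
            .Get<string[]>() ?? Array.Empty<string>();
        foreach (var thumbprint in retired)
        {
            builder.AddValidationKey(LoadCertificate(thumbprint, requirePrivateKey: false));
        }
    }

    // Loads a certificate by thumbprint from the LocalMachine\My store.
    // validOnly is false on purpose: a retired certificate may already be past NotAfter
    // and must still be loadable as a validation key (the RSA key itself does not expire,
    // only the certificate wrapping it does).
    private static X509Certificate2 LoadCertificate(string thumbprint, bool requirePrivateKey)
    {
        if (string.IsNullOrWhiteSpace(thumbprint))
        {
            throw new InvalidOperationException("Signing certificate thumbprint is not configured.");
        }

        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0)
            {
                throw new InvalidOperationException($"Certificate {thumbprint} not found in LocalMachine\\My.");
            }

            var cert = found[0];
            if (requirePrivateKey && !cert.HasPrivateKey)
            {
                throw new InvalidOperationException($"Certificate {thumbprint} has no private key; cannot sign tokens.");
            }

            // Operational check: the signing certificate's NotAfter is the date/time component
            // the answer mentions; surface it early so rotation is planned before clients
            // start rejecting the certificate.
            if (requirePrivateKey && cert.NotAfter < DateTime.UtcNow.AddDays(30))
            {
                Console.WriteLine($"WARNING: signing certificate {thumbprint} expires {cert.NotAfter:u}; rotate it.");
            }

            return cert;
        }
    }
}
```

Rotation then becomes a configuration change: move the current thumbprint into ValidationCertificateThumbprints, set the new certificate's thumbprint as SigningCertificateThumbprint, and redeploy; tokens signed under the old key keep validating because the old public key stays in the discovery document's key set, and the same store-based load works identically on every instance.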