Identity Server 4 - using self-signed RSA key with AddDeveloperSigningCredential in non-Development environments

I am using Identity Server 4 (.Net Core 2.2) in all of our environments (Development, Test, Production) and we have a Startup as follows

services.AddIdentityServer()
    .AddDeveloperSigningCredential()
    .AddAspNetIdentity<ApplicationUser>()
    .AddInMemoryClients(Configuration.GetSection("IdentityServer:Clients"))
    .AddConfigurationStore(Configuration.GetSection("CosmosDB"))
    .AddOperationalStore(Configuration.GetSection("CosmosDB"))
    .AddProfileService<ProfileService>();
  • this uses our temporary RSA key file generated within our Debug/Development environment (tempkey.rsa).

This is currently functioning - users are authenticated and claims processed

I realize that this is not recommended in any environment other than locally/Development; however, we are about to migrate from ADFS-3 to ADFS-4, which will change the architecture and hence we will no longer have a need for the above code (and potentially no need for our instance of Identity Server 4).

I also realize that there are limitations in the solution regarding

  • single/multiple instances (the same RSA key would need to be in sync across multiple instances if that were the case).
  • there is also a concern with the visibility of tempkey.rsa over the Internet - the folder it is in isn't served over the Internet

I have a few questions however regarding what will happen if the certificate at the ADFS end is updated (which may occur before we migrate) - if this happens

  • will the existing user JWTs be invalidated?
  • I don't see anywhere where the thumbprint of the old (or potentially new) ADFS certificate is held - should it be registered somewhere?
  • as I understand it RSA keys don't expire - is that correct?

Solution 1:

You should never use AddDeveloperSigningCredential in production, because you might (depending on your setup) lose the key when you re-deploy, and if that happens a new signing key is generated. That in turn will mean that all already issued tokens will be invalidated.

A better approach is to use the AddSigningCredential method and store the key outside IdentityServer.

When you do key rotation, you can keep the old keys around for validating already issued tokens, and you then use AddValidationKey to add the retired old signing keys.

See https://docs.duendesoftware.com/identityserver/v5/fundamentals/keys/

And yes, RSA signing keys do not have any expiry time; however, sometimes you wrap and transport the RSA key inside a certificate, and then you have a date/time component added.
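As an added illustration of the approach described in this answer (this is example code, not from the question or the answer, and not IdentityServer's own code), the extension method below replaces AddDeveloperSigningCredential with AddSigningCredential for the current certificate and AddValidationKey for each retired one, loading all of them from the machine certificate store by thumbprint. The configuration keys "IdentityServer:SigningCertThumbprint" and "IdentityServer:ValidationCertThumbprints", and the method name AddSigningKeysFromStore, are assumptions chosen for the example; the AddSigningCredential(X509Certificate2) and AddValidationKey(X509Certificate2) overloads are IdentityServer4's.

```csharp
// Added example (not from the question or answer): load the active signing certificate
// and any retired certificates from LocalMachine\My by thumbprint, so that tokens
// signed before a rotation remain verifiable. The configuration key names used here
// ("IdentityServer:SigningCertThumbprint", "IdentityServer:ValidationCertThumbprints")
// are assumed names, not IdentityServer conventions.
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class SigningKeySetup
{
    // Returns the first certificate in LocalMachine\My with the given thumbprint,
    // optionally requiring an accessible private key; null when nothing matches.
    public static X509Certificate2 FindByThumbprint(string thumbprint, bool requirePrivateKey)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false so an already-expired retired certificate can still be
            // found; its public key is all that is needed to validate old tokens.
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            foreach (var cert in matches)
            {
                if (!requirePrivateKey || cert.HasPrivateKey)
                    return cert;
            }
            return null;
        }
    }

    public static IIdentityServerBuilder AddSigningKeysFromStore(this IIdentityServerBuilder builder, IConfiguration configuration)
    {
        var signingThumbprint = configuration["IdentityServer:SigningCertThumbprint"];
        if (string.IsNullOrWhiteSpace(signingThumbprint))
            throw new InvalidOperationException("IdentityServer:SigningCertThumbprint is not configured.");

        // The active key must have a private key, otherwise tokens cannot be signed.
        var signingCert = FindByThumbprint(signingThumbprint, requirePrivateKey: true)
            ?? throw new InvalidOperationException($"Signing certificate {signingThumbprint} not found or has no private key.");

        // Fail at startup rather than issue tokens under an expired certificate.
        if (signingCert.NotAfter < DateTime.Now)
            throw new InvalidOperationException($"Signing certificate {signingThumbprint} expired on {signingCert.NotAfter:u}.");

        builder.AddSigningCredential(signingCert);

        // Retired certificates are registered as validation keys only; they are published
        // in the discovery document's key set so clients can still verify older tokens.
        var retired = configuration.GetSection("IdentityServer:ValidationCertThumbprints").Get<string[]>() ?? new string[0];
        foreach (var thumbprint in retired)
        {
            var cert = FindByThumbprint(thumbprint, requirePrivateKey: false)
                ?? throw new InvalidOperationException($"Validation certificate {thumbprint} not found.");
            builder.AddValidationKey(cert);
        }

        return builder;
    }
}

// In Startup.ConfigureServices, in place of .AddDeveloperSigningCredential():
//
// services.AddIdentityServer()
//     .AddSigningKeysFromStore(Configuration)
//     .AddAspNetIdentity<ApplicationUser>()
//     .AddInMemoryClients(Configuration.GetSection("IdentityServer:Clients"))
//     ...
```

Because every instance reads the same certificates from its own machine store, this also addresses the multi-instance concern raised in the question: installing the same certificate (with private key) on each node keeps the signing key in sync without copying a tempkey.rsa file between them, and rotation becomes a configuration change (move the old thumbprint to the validation list, set the new one as the signing thumbprint) rather than a redeployment that silently regenerates the key.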