
AddSigningCredential for IdentityServer4

We are using IdentityServer4 with a .NET Core Web Application (http://docs.identityserver.io/en/release/quickstarts/0_overview.html). We have replaced AddDeveloperSigningCredential with AddSigningCredential(CreateSigningCredential()), as we cannot use AddDeveloperSigningCredential for the production environment, because in production it needs to be replaced by some persistent key material. We are new to IdentityServer4 and our question is: is the following approach fine to create signing credentials in the production environment? Or do we need to make some changes to it?

Here is our Startup.cs file:

using System.Reflection;
using System.Security.Cryptography;
using Microsoft.EntityFrameworkCore;
using Microsoft.IdentityModel.Tokens;

public void ConfigureServices(IServiceCollection services)
{
    services.AddSingleton<IConfiguration>(Configuration);

    // connection string
    string connectionString = Configuration.GetConnectionString("IdentityServer");

    var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;

    services.AddIdentityServer()
        .AddSigningCredential(CreateSigningCredential())
        // this adds the config data from DB (clients, resources)
        .AddConfigurationStore(options =>
        {
            options.ConfigureDbContext = builder =>
                builder.UseSqlServer(connectionString,
                    sql => sql.MigrationsAssembly(migrationsAssembly));
        })
        // this adds the operational data from DB (codes, tokens, consents)
        .AddOperationalStore(options =>
        {
            options.ConfigureDbContext = builder =>
                builder.UseSqlServer(connectionString,
                    sql => sql.MigrationsAssembly(migrationsAssembly));

            // this enables automatic token cleanup. this is optional.
            options.EnableTokenCleanup = true;
            options.TokenCleanupInterval = 30;
        });
}

private SigningCredentials CreateSigningCredential()
{
    var credentials = new SigningCredentials(GetSecurityKey(), SecurityAlgorithms.RsaSha256Signature);

    return credentials;
}

private RSACryptoServiceProvider GetRSACryptoServiceProvider()
{
    // generates a brand-new 2048-bit key pair every time it is called,
    // i.e. on every application start; nothing is persisted
    return new RSACryptoServiceProvider(2048);
}

private SecurityKey GetSecurityKey()
{
    return new RsaSecurityKey(GetRSACryptoServiceProvider());
}

Here is a gist that should help for Ids4 with ASP.NET Core 2.x.

It contains an RsaKeyService class that can be injected into the service provider like:

var rsa = new RsaKeyService(Environment, TimeSpan.FromDays(30));
services.AddTransient<RsaKeyService>(provider => rsa);

This makes sure that an RSA key is used for 30 days at most before a new one is generated.

To use the key, you can call rsa.GetKey(), and to register it as a signing credential, use:

builder.AddSigningCredential(rsa.GetKey());
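The gist itself is not reproduced on this page, so here is an added example (my own code, not the gist's and not IdentityServer4's) of the same idea, which also addresses the question's missing persistence: the RSA parameters are written to a file under the content root, reused on every start and by every instance sharing that root, and regenerated once they are older than the configured lifetime. It assumes ASP.NET Core 2.x with Newtonsoft.Json available; the class name, the file name signing-key.json and the 30-day lifetime are illustrative choices.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Hosting;
using Microsoft.IdentityModel.Tokens;
using Newtonsoft.Json;

// Keeps one RSA signing key on disk so every restart (and every instance
// sharing the content root) signs with the same key, and replaces it once it
// is older than the configured lifetime. Added example, not the gist's code.
public class PersistedRsaKeyService
{
    // Stored form: the full RSAParameters (private parts included) plus the
    // creation time used to decide when the key has to be regenerated.
    private class StoredKey
    {
        public DateTime CreatedUtc { get; set; }
        public RSAParameters Parameters { get; set; }
    }

    private readonly string _path;
    private readonly TimeSpan _lifetime;

    public PersistedRsaKeyService(IHostingEnvironment env, TimeSpan lifetime)
    {
        // Under the content root, never under wwwroot, where the static file
        // middleware would serve the private key to anyone who asks for it.
        _path = Path.Combine(env.ContentRootPath, "signing-key.json"); // assumed file name
        _lifetime = lifetime;
    }

    // Returns the stored key while it is within its lifetime; otherwise
    // generates a fresh 2048-bit key, persists it and returns that.
    public RSAParameters GetParameters()
    {
        if (File.Exists(_path))
        {
            var stored = JsonConvert.DeserializeObject<StoredKey>(File.ReadAllText(_path));
            if (DateTime.UtcNow - stored.CreatedUtc < _lifetime)
            {
                return stored.Parameters;
            }
        }
        return CreateAndStore();
    }

    private RSAParameters CreateAndStore()
    {
        using (var rsa = RSA.Create(2048))
        {
            var stored = new StoredKey
            {
                CreatedUtc = DateTime.UtcNow,
                Parameters = rsa.ExportParameters(includePrivateParameters: true)
            };
            // Json.NET writes the byte[] fields of RSAParameters as base64.
            File.WriteAllText(_path, JsonConvert.SerializeObject(stored));
            return stored.Parameters;
        }
    }

    // The credential AddSigningCredential expects: RS256 over the RSA key,
    // with a stable 'kid' derived from the modulus so clients can match the
    // JWT header against the key published in the discovery document.
    public SigningCredentials GetSigningCredentials()
    {
        var parameters = GetParameters();
        string kid;
        using (var sha = SHA256.Create())
        {
            kid = Base64UrlEncoder.Encode(sha.ComputeHash(parameters.Modulus));
        }
        var key = new RsaSecurityKey(parameters) { KeyId = kid };
        return new SigningCredentials(key, SecurityAlgorithms.RsaSha256);
    }
}

// In Startup.ConfigureServices, with IHostingEnvironment env injected into
// the Startup constructor:
//   var keys = new PersistedRsaKeyService(env, TimeSpan.FromDays(30));
//   services.AddIdentityServer().AddSigningCredential(keys.GetSigningCredentials());
```

Two points a deployment has to handle around this: the file holds the private key, so its permissions must restrict it to the account running the application (or the parameters go into a secret store instead of a plain file), and when the key rotates, tokens signed with the previous key stop validating unless that key is still published; IdentityServer4's AddValidationKey can keep the old public key in the discovery document for the overlap period.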

Here is a simple way of using an X509 self-signed certificate.

One way to use a self-signed certificate for token signing with IdentityServer4 is to store the certificate with the application under the 'wwwroot' folder.

using System.IO;
using System.Security.Cryptography.X509Certificates;

// env is the IHostingEnvironment injected into the Startup constructor
public void ConfigureServices(IServiceCollection services)
{
    // ..... other code .....

    var fileName = Path.Combine(env.WebRootPath, "YOUR_FileName");

    if (!File.Exists(fileName))
    {
        throw new FileNotFoundException("Signing Certificate is missing!");
    }

    var cert = new X509Certificate2(fileName, "Your_PassPhrase");

    services.AddIdentityServer().AddSigningCredential(cert);

    // ... other code .....
}
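The snippet above loads the PFX from wwwroot, which the static file middleware serves to the public; as an added example (my own code, not the answer's and not IdentityServer4's), the following loader takes the certificate from the machine certificate store when a thumbprint is configured and otherwise from a PFX file resolved against the content root, and it checks for a private key and the validity period before handing the certificate to AddSigningCredential. The configuration keys Signing:Thumbprint, Signing:PfxPath and Signing:PfxPassword are assumed names, not IdentityServer settings, and the default file name signing.pfx is illustrative.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;

// Added example: resolves and sanity-checks the token signing certificate.
public static class SigningCertificateLoader
{
    public static X509Certificate2 Load(IConfiguration config, IHostingEnvironment env)
    {
        var thumbprint = config["Signing:Thumbprint"]; // assumed configuration key
        var cert = !string.IsNullOrEmpty(thumbprint)
            ? FromStore(thumbprint)
            : FromFile(config, env);
        Validate(cert);
        return cert;
    }

    private static X509Certificate2 FromStore(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false so a self-signed certificate with no trusted chain
            // is still found; the validity period is checked explicitly below.
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
            {
                throw new InvalidOperationException(
                    $"No certificate with thumbprint {thumbprint} in LocalMachine\\My.");
            }
            return matches[0];
        }
    }

    private static X509Certificate2 FromFile(IConfiguration config, IHostingEnvironment env)
    {
        // Resolve against the content root, not wwwroot: everything under
        // wwwroot is served by the static file middleware.
        var relative = config["Signing:PfxPath"] ?? "signing.pfx"; // assumed key and default
        var path = Path.Combine(env.ContentRootPath, relative);
        if (!File.Exists(path))
        {
            throw new FileNotFoundException("Signing certificate is missing.", path);
        }
        return new X509Certificate2(path, config["Signing:PfxPassword"]); // assumed key
    }

    private static void Validate(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                "Signing certificate has no private key; tokens cannot be signed.");
        }
        var now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
        {
            throw new InvalidOperationException(
                $"Signing certificate is outside its validity period ({cert.NotBefore:u} to {cert.NotAfter:u}).");
        }
    }
}

// In Startup.ConfigureServices (env injected into the Startup constructor):
//   services.AddIdentityServer()
//       .AddSigningCredential(SigningCertificateLoader.Load(Configuration, env));
```

Failing fast at startup on a missing private key or an expired certificate is deliberate: IdentityServer would otherwise come up and either fail on the first token request or sign with a certificate clients reject, which is harder to diagnose than a startup exception.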

I don't see anything persistent being loaded here, so I'd have to say no, this is not suitable. I provided an example of loading a certificate here:

How we can replace AddDeveloperSigningCredential on AWS Serverless Lambda environment?

I suggest following that approach. You can deploy the certificate in the OS cert store, as a file, or as an embedded resource within the app itself.

ETA: Since you've said that X509 certs are off the table (interested to know why), then you'd need to provide the RSAParameters to RsaSecurityKey yourself.

See here for the test data used in the Microsoft.IdentityModel.Tokens library:

https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/d771b5c3ef22b7ff065e8fad1a63d6a2937b7d7f/test/Microsoft.IdentityModel.Tests/KeyingMaterial.cs

E.g.

RsaParameters_2048 = new RSAParameters
{
    D = Base64UrlEncoder.DecodeBytes("C6EGZYf9U6RI5Z0BBoSlwy_gKumVqRx-dBMuAfPM6KVbwIUuSJKT3ExeL5P0Ky1b4p-j2S3u7Afnvrrj4HgVLnC1ks6rEOc2ne5DYQq8szST9FMutyulcsNUKLOM5cVromALPz3PAqE2OCLChTiQZ5XZ0AiH-KcG-3hKMa-g1MVnGW-SSmm27XQwRtUtFQFfxDuL0E0fyA9O9ZFBV5201ledBaLdDcPBF8cHC53Gm5G6FRX3QVpoewm3yGk28Wze_YvNl8U3hvbxei2Koc_b9wMbFxvHseLQrxvFg_2byE2em8FrxJstxgN7qhMsYcAyw1qGJY-cYX-Ab_1bBCpdcQ"),
    DP = Base64UrlEncoder.DecodeBytes("ErP3OpudePAY3uGFSoF16Sde69PnOra62jDEZGnPx_v3nPNpA5sr-tNc8bQP074yQl5kzSFRjRlstyW0TpBVMP0ocbD8RsN4EKsgJ1jvaSIEoP87OxduGkim49wFA0Qxf_NyrcYUnz6XSidY3lC_pF4JDJXg5bP_x0MUkQCTtQE"),
    DQ = Base64UrlEncoder.DecodeBytes("YbBsthPt15Pshb8rN8omyfy9D7-m4AGcKzqPERWuX8bORNyhQ5M8JtdXcu8UmTez0j188cNMJgkiN07nYLIzNT3Wg822nhtJaoKVwZWnS2ipoFlgrBgmQiKcGU43lfB5e3qVVYUebYY0zRGBM1Fzetd6Yertl5Ae2g2CakQAcPs"),
    Exponent = Base64UrlEncoder.DecodeBytes("AQAB"),
    InverseQ = Base64UrlEncoder.DecodeBytes("lbljWyVY-DD_Zuii2ifAz0jrHTMvN-YS9l_zyYyA_Scnalw23fQf5WIcZibxJJll5H0kNTIk8SCxyPzNShKGKjgpyZHsJBKgL3iAgmnwk6k8zrb_lqa0sd1QWSB-Rqiw7AqVqvNUdnIqhm-v3R8tYrxzAqkUsGcFbQYj4M5_F_4"),
    Modulus = Base64UrlEncoder.DecodeBytes("6-FrFkt_TByQ_L5d7or-9PVAowpswxUe3dJeYFTY0Lgq7zKI5OQ5RnSrI0T9yrfnRzE9oOdd4zmVj9txVLI-yySvinAu3yQDQou2Ga42ML_-K4Jrd5clMUPRGMbXdV5Rl9zzB0s2JoZJedua5dwoQw0GkS5Z8YAXBEzULrup06fnB5n6x5r2y1C_8Ebp5cyE4Bjs7W68rUlyIlx1lzYvakxSnhUxSsjx7u_mIdywyGfgiT3tw0FsWvki_KYurAPR1BSMXhCzzZTkMWKE8IaLkhauw5MdxojxyBVuNY-J_elq-HgJ_dZK6g7vMNvXz2_vT-SykIkzwiD9eSI9UWfsjw"),
    P = Base64UrlEncoder.DecodeBytes("_avCCyuo7hHlqu9Ec6R47ub_Ul_zNiS-xvkkuYwW-4lNnI66A5zMm_BOQVMnaCkBua1OmOgx7e63-jHFvG5lyrhyYEmkA2CS3kMCrI-dx0fvNMLEXInPxd4np_7GUd1_XzPZEkPxBhqf09kqryHMj_uf7UtPcrJNvFY-GNrzlJk"),
    Q = Base64UrlEncoder.DecodeBytes("7gvYRkpqM-SC883KImmy66eLiUrGE6G6_7Y8BS9oD4HhXcZ4rW6JJKuBzm7FlnsVhVGro9M-QQ_GSLaDoxOPQfHQq62ERt-y_lCzSsMeWHbqOMci_pbtvJknpMv4ifsQXKJ4Lnk_AlGr-5r5JR5rUHgPFzCk9dJt69ff3QhzG2c"),
};
