 

Use of AddSigningCredential(cert) in Identity Server 4

I have set up an IdentityServer 4 application as per the following answer. The author has used X509Certificate2 in AddSigningCredential(cert). I used AddDeveloperSigningCredential() in development, which has created a tempkey.jwk file in my project folder.

I then tested this Identity Server 4 application with postman:

[Screenshot of the Postman token request]

The above call results in the successful generation of Token. Now, I need to go into production. I have created an Azure App Service to host the Identity Server 4 application.

I have very little understanding of digital certificates and Identity Server 4. I have gone through a few articles/answers but I am getting super confused. I just need to understand all of it in easy words.

My questions are:

  • How can I create the X509Certificate2 certificate, as done here?
  • How would the Client application be using this certificate?
  • Where is it being used in development mode, as I am not providing any Public Key in the Postman call?
Junaid asked Nov 01 '25 22:11



1 Answer

How can I create the X509Certificate2 certificate?

This answer might help here: https://stackoverflow.com/a/58136780/1658906.

How would the Client application be using this certificate?

It only uses the public key from the certificate if verifying the token. Your identity provider (your IdentityServer app) uses the certificate to digitally sign the tokens. An app that wishes to verify a token issued by the identity provider can use the public key from the certificate to verify the token is valid.

Apps usually get the public key from the discovery endpoint: https://identityserver4.readthedocs.io/en/latest/endpoints/discovery.html. Getting it from there instead of hard-coding the public key is best practice since it enables key rotation more easily.

The certificate's private key needs to be kept really secure. If someone has the certificate private key, they can create any token they want, and it'll be considered valid by the applications. Meaning they could impersonate any user or elevate their permissions etc.

Where is it being used in development mode, as I am not providing any Public Key in the Postman call?

Client apps do not use it when requesting a token, only if you want to verify that a token is valid.

juunas answered Nov 04 '25 01:11

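The three questions, worked through in code. This is an added example, not code from the question, the answer or the IdentityServer4 project: it creates a token-signing certificate and exports it as a password-protected PFX (the `X509Certificate2` asked about), shows the `AddSigningCredential(cert)` registration in a comment, and then verifies a token the way a client app does, using only the certificate's public key. The public-key-only certificate here stands in for the key material a real client fetches from the discovery endpoint the answer links to. Assumed NuGet packages are `IdentityServer4` and `System.IdentityModel.Tokens.Jwt`; the subject name, issuer, audience, user name and PFX password are made-up sample values.

```csharp
// Added example (not from the question, the answer, or IdentityServer4).
// Assumed packages: IdentityServer4, System.IdentityModel.Tokens.Jwt.
// Issuer, audience, subject name, user and password below are constructed sample values.
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;

public static class SigningCertificateDemo
{
    // (1) Create a self-signed RSA certificate and return it as PFX bytes.
    // Generating it in code keeps the example self-contained; in production the PFX
    // normally comes from a CA or a secret store and is never committed to source.
    public static byte[] CreateSigningPfx(string subjectName, string pfxPassword, int validYears)
    {
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest(
            $"CN={subjectName}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        // A token-signing certificate only needs the digitalSignature key usage.
        request.CertificateExtensions.Add(
            new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
        var notBefore = DateTimeOffset.UtcNow.AddMinutes(-5);
        using var selfSigned = request.CreateSelfSigned(notBefore, notBefore.AddYears(validYears));
        // PFX = certificate + private key. Only the IdentityServer host should ever hold this.
        return selfSigned.Export(X509ContentType.Pfx, pfxPassword);
    }

    // (2) What IdentityServer4 receives: the certificate loaded WITH its private key.
    // In Startup.ConfigureServices this is the call the question asks about:
    //     services.AddIdentityServer()
    //             .AddSigningCredential(LoadSigningCertificate(pfxBytes, pfxPassword));
    public static X509Certificate2 LoadSigningCertificate(byte[] pfx, string pfxPassword)
        => new X509Certificate2(pfx, pfxPassword);

    // Strip the private key. This public-only certificate (or the JWK published at the
    // discovery endpoint) is all a relying party ever needs to verify tokens.
    public static X509Certificate2 PublicKeyOnly(X509Certificate2 cert)
        => new X509Certificate2(cert.Export(X509ContentType.Cert));

    // Issue a token the way the identity provider does: RS256, signed with the private key.
    public static string IssueToken(X509Certificate2 signingCert, string issuer, string audience, string user)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = issuer,
            Audience = audience,
            Subject = new ClaimsIdentity(new[] { new Claim(JwtRegisteredClaimNames.Sub, user) }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(
                new X509SecurityKey(signingCert), SecurityAlgorithms.RsaSha256),
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // (3) Verify like a client app: signature, issuer, audience and lifetime are all
    // checked with nothing but the public key. Returns null instead of throwing so the
    // rejected case is easy to show.
    public static ClaimsPrincipal TryValidate(string jwt, X509Certificate2 publicOnlyCert, string issuer, string audience)
    {
        var parameters = new TokenValidationParameters
        {
            IssuerSigningKey = new X509SecurityKey(publicOnlyCert),
            ValidIssuer = issuer,
            ValidAudience = audience,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };
        try { return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _); }
        catch (SecurityTokenException) { return null; }
    }

    public static void Main()
    {
        const string issuer = "https://idp.example.test";  // sample value
        const string audience = "api1";                     // sample value
        const string password = "sample-pfx-password";      // sample value

        byte[] pfx = CreateSigningPfx("idp-signing", password, validYears: 2);
        using var signingCert = LoadSigningCertificate(pfx, password);
        using var publicCert = PublicKeyOnly(signingCert);
        Console.WriteLine($"Client-side cert has private key: {publicCert.HasPrivateKey}");

        string token = IssueToken(signingCert, issuer, audience, "alice");
        Console.WriteLine($"Token from the IdP accepted: {TryValidate(token, publicCert, issuer, audience) != null}");

        // A token signed with any other key is rejected: the client trusts only the
        // public key it obtained from its identity provider.
        byte[] otherPfx = CreateSigningPfx("some-other-key", password, validYears: 1);
        using var otherCert = LoadSigningCertificate(otherPfx, password);
        string fromOtherKey = IssueToken(otherCert, issuer, audience, "alice");
        Console.WriteLine($"Token from another key accepted: {TryValidate(fromOtherKey, publicCert, issuer, audience) != null}");
    }
}
```

Two things this makes concrete from the answer: the client never sends or holds the private key (the Postman call in the question carries none, and `PublicKeyOnly` deliberately drops it), and whoever holds the PFX can mint tokens that every relying party accepts, which is why the PFX and its password belong in a secret store on the hosting side rather than in the repository. In a real client you would let the JWT middleware resolve `IssuerSigningKey` from the discovery document instead of passing a fixed certificate, so that rotating the signing certificate on the server does not require redeploying clients.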


