IdentityServer4的AddSigningCredential [英] AddSigningCredential for IdentityServer4

问题描述

我们正在将IdentityServer4与.NET Core Web应用程序一起使用(" http://docs.identityserver.io/en/release/quickstarts/0_overview.html ).我们已将AddDeveloperSigningCredential替换为AddSigningCredential(CreateSigningCredential()).因为我们不能在生产环境中使用AddDeveloperSigningCredential，因为在生产中需要用一些持久的密钥材料代替.我们是IdentityServer4的新手，我们的问题是，以下方法可以在生产环境中创建签名凭证吗?还是我们需要对此进行一些更改?

We are using IdentityServer4 with .NET Core Web Application("http://docs.identityserver.io/en/release/quickstarts/0_overview.html"). We have replaced AddDeveloperSigningCredential with AddSigningCredential(CreateSigningCredential()). As we cannot use AddDeveloperSigningCredential for production environment because on production needs to be replaced by some persistent key material. We are new to IdentityServer4 and our question is that, Is following approach fine to create signing credentials on production environment? Or do we need to made some changes in this?

这是我们的startup.cs文件:

Here is our startup.cs file:

public void ConfigureServices(IServiceCollection services)
{
    services.AddSingleton<IConfiguration>(Configuration);

    //connection string
    string connectionString = Configuration.GetConnectionString("IdentityServer");

    var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;

    services.AddIdentityServer().AddDeveloperSigningCredential
    .AddSigningCredential(CreateSigningCredential())
    // this adds the config data from DB (clients, resources)
    .AddConfigurationStore(options =>
    {
        options.ConfigureDbContext = builder =>
        builder.UseSqlServer(connectionString,
            sql => sql.MigrationsAssembly(migrationsAssembly));
                }) // this adds the operational data from DB (codes, tokens, consents)
    .AddOperationalStore(options =>
    {
        options.ConfigureDbContext = builder =>
        builder.UseSqlServer(connectionString,
            sql => sql.MigrationsAssembly(migrationsAssembly));

        // this enables automatic token cleanup. this is optional.
        options.EnableTokenCleanup = true;
        options.TokenCleanupInterval = 30;
        });
}

private SigningCredentials CreateSigningCredential()
{
    var credentials = new SigningCredentials(GetSecurityKey(), SecurityAlgorithms.RsaSha256Signature);

    return credentials;
}
private RSACryptoServiceProvider GetRSACryptoServiceProvider()
{
    return new RSACryptoServiceProvider(2048);
}
private SecurityKey GetSecurityKey()
{
    return new RsaSecurityKey(GetRSACryptoServiceProvider());
}

推荐答案

这是 gist 应该对使用asp.net core 2.x的Ids4有所帮助.

Here is a gist that should help for Ids4 with asp.net core 2.x.

它包含一个RsaKeyService类，可以将其注入到服务提供者中，例如:

It contains an RsaKeyService class that can be injected into the service provider like:

var rsa = new RsaKeyService(Environment, TimeSpan.FromDays(30));
services.AddTransient<RsaKeyService>(provider => rsa);

这可以确保在重新生成新密钥之前，最多只能使用30天RSA密钥.

This makes sure, that an RSA key is used for 30 days at most, before a new one is re-generated.

要使用密钥，可以调用rsa.GetKey()，并使用以下命令注册为签名凭证:

To use the key, you can call rsa.GetKey(), and to register as a signing credential, use:

builder.AddSigningCredential(rsa.GetKey());

这篇关于IdentityServer4的AddSigningCredential的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！