AddTemporarySigningCredential vs AddSigningCredential in IdentityServer4


Question

According to the docs, IdentityServer uses an asymmetric key pair to sign and validate JWTs. One could either use AddTemporarySigningCredential() in the configuration which creates a fresh RSA every startup or use AddSigningCredential(..) with an RSA key or a certificate.

The document mentions the Temporary version is useful for Development situations but it does not tell what is the disadvantage of this when used in a production environment.

I have an aspnetcore web api in which the clients are authenticated using the IdentityServer4. The system works fine at the moment with the temporarysigningcredential, but I wonder whether there is any benefit in using the other variant.

Thanks

Recommended answer

The disadvantage is that every time you restart IdentityServer, the key material will change - or IOW - all tokens that have been signed with the previous key material will fail to validate.

"Temporary" is really only for situations where you don't have other key material available.
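
Added example, not part of the original answer and not IdentityServer4's own code: the failure mode described above, reproduced with plain .NET RSA keys and a hand-built RS256 token. The claims, the `Issue`/`Validate` helpers and the in-memory `stored` key are assumptions that stand in for IdentityServer's token issuance and for a key file or certificate loaded at startup.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SigningKeyRestartDemo
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] FromB64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    // Issue a minimal RS256 JWT with constructed claims (hypothetical helper).
    static string Issue(RSA key)
    {
        string head = B64Url(Encoding.UTF8.GetBytes("{\"alg\":\"RS256\",\"typ\":\"JWT\"}"));
        string body = B64Url(Encoding.UTF8.GetBytes("{\"sub\":\"client1\",\"scope\":\"api1\"}"));
        byte[] sig = key.SignData(Encoding.ASCII.GetBytes(head + "." + body),
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return head + "." + body + "." + B64Url(sig);
    }

    // Check the signature against the key the server currently holds (hypothetical helper).
    static bool Validate(string jwt, RSA key)
    {
        string[] p = jwt.Split('.');
        return p.Length == 3 && key.VerifyData(Encoding.ASCII.GetBytes(p[0] + "." + p[1]),
            FromB64Url(p[2]), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    static void Main()
    {
        // Temporary credential: a fresh key pair is generated on every startup.
        using RSA beforeRestart = RSA.Create(2048);
        string token = Issue(beforeRestart);
        using RSA afterRestart = RSA.Create(2048);
        Console.WriteLine($"temporary key, token still valid after restart: {Validate(token, afterRestart)}");

        // Persisted credential: the same key material is reloaded on startup.
        RSAParameters stored = beforeRestart.ExportParameters(true); // stands in for a key file or certificate
        using RSA reloaded = RSA.Create();
        reloaded.ImportParameters(stored);
        Console.WriteLine($"persisted key, token still valid after restart: {Validate(token, reloaded)}");
    }
}
```

The same effect appears when several IdentityServer instances run behind a load balancer with temporary keys, since each instance generates its own pair.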
