According to the docs, IdentityServer uses an asymmetric key pair to sign and validate JWTs. One could either use AddTemporarySigningCredential() in the configuration which creates a fresh RSA every startup or use AddSigningCredential(..) with an RSA key or a certificate.

The document mentions that the Temporary version is useful for development situations, but it does not say what the disadvantage is when it is used in a production environment.

I have an aspnetcore web api in which the clients are authenticated using IdentityServer4. The system works fine at the moment with the temporarysigningcredential, but I wonder whether there is any benefit in using the other variant.

Thanks,

cellik
Instead of AddTemporarySigningCredential consider using AddDeveloperSigningCredential.

From http://docs.identityserver.io/en/release/topics/startup.html#refstartupkeymaterial:

AddDeveloperSigningCredential

Same purpose as the temporary signing credential. But this version persists the key to the file system so it stays stable between server restarts. This addresses issues when the client/api metadata caches get out of sync during development.

WARNING: AddDeveloperSigningCredential can be used only when IdentityServer host is running on a SINGLE machine, for production farm you need to use AddSigningCredential.

Michael Freidgeim
  • AddTemporary seems to be missing in the latest Preview supporting .net core?? – Rasmus Christensen Sep 22 '17 at 08:31
  • @RasmusChristensen, correct, see https://github.com/IdentityServer/IdentityServer4/issues/1139 – Michael Freidgeim Sep 25 '17 at 22:31
  • @MichaelFreidgeim how does one set up the `.AddSigningCredential()`? – J86 Mar 23 '19 at 14:25
  • @J86, It is a separate question, that has a few answers on SO, e.g. https://stackoverflow.com/questions/48086994/identityserver4-addsignercredentials-rsa-example and https://stackoverflow.com/questions/49042474/addsigningcredential-for-identityserver4 – Michael Freidgeim Mar 24 '19 at 04:15
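The pattern this answer recommends, written out as an added example (it is not code from the answer, the linked docs, or the IdentityServer project): AddDeveloperSigningCredential in the Development environment, AddSigningCredential with an X.509 certificate that has a private key everywhere else. It assumes ASP.NET Core 3.x or later with IdentityServer4 3.x or later (IWebHostEnvironment, UseRouting), and the configuration keys SigningCert:Path and SigningCert:Password are my own choice, not something IdentityServer defines.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    private readonly IConfiguration _config;
    private readonly IWebHostEnvironment _env;

    public Startup(IConfiguration config, IWebHostEnvironment env)
    {
        _config = config;
        _env = env;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        var builder = services.AddIdentityServer();
        // Client, resource and user stores are registered on `builder` here as well;
        // they are omitted because they are unrelated to the key material.

        if (_env.IsDevelopment())
        {
            // Single developer machine only: generates an RSA key once and persists it
            // to a file under the content root, so it survives restarts.
            builder.AddDeveloperSigningCredential();
        }
        else
        {
            // Production / web farm: every node loads the same certificate, so tokens
            // signed by any node validate on any other node and across restarts.
            builder.AddSigningCredential(LoadSigningCertificate());
        }
    }

    // Assumed configuration layout (my choice): SigningCert:Path and SigningCert:Password.
    private X509Certificate2 LoadSigningCertificate()
    {
        var path = _config["SigningCert:Path"];
        var password = _config["SigningCert:Password"];
        if (string.IsNullOrEmpty(path))
            throw new InvalidOperationException("SigningCert:Path is not configured");

        var cert = new X509Certificate2(path, password);

        // IdentityServer needs the private key to sign; fail fast at startup rather than
        // on the first token request.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Signing certificate has no private key");
        if (cert.NotAfter < DateTime.UtcNow)
            throw new InvalidOperationException("Signing certificate has expired");

        return cert;
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseIdentityServer();
    }
}
```

Keep the PFX password out of appsettings.json (user secrets, environment variables or a key vault provider) and keep the certificate file readable only by the service account; the same certificate must be deployed to every node of a farm, which is exactly the case the developer credential cannot cover.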
The disadvantage is that every time you restart IdentityServer, the key material will change - or IOW - all tokens that have been signed with the previous key material will fail to validate.

"Temporary" is really only for situations where you don't have other key material available.

leastprivilege
  • Just out of curiosity, what would happen to a client who tries to authenticate using the old key material in this example? Will it simply request a new token? – Fábio Junqueira Jan 26 '17 at 18:12
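The failure mode this answer describes, reproduced in a small console program as an added example (not code from the answer or from IdentityServer): a token signed with the key from "startup 1" is validated against the fresh key from "startup 2", which is what an API does after the temporary credential has been regenerated. It uses the Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt packages; the issuer, audience and key ids are constructed values.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class TemporaryKeyDemo
{
    const string Issuer = "https://ids.example.test"; // constructed
    const string Audience = "api1";                   // constructed

    // Models AddTemporarySigningCredential: a brand-new RSA key on every startup.
    static RsaSecurityKey NewStartupKey(string kid) =>
        new RsaSecurityKey(RSA.Create(2048)) { KeyId = kid };

    // What IdentityServer does when it issues an access token.
    static string IssueToken(RsaSecurityKey signingKey)
    {
        var handler = new JwtSecurityTokenHandler();
        var token = handler.CreateJwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            subject: new ClaimsIdentity(new[] { new Claim("sub", "alice") }),
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddHours(1),
            signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256));
        return handler.WriteToken(token);
    }

    // What the API does: validate the signature against the key it currently knows
    // (in practice, the key it cached from the IdentityServer discovery document).
    static bool Validates(string jwt, SecurityKey knownKey)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = knownKey,
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return true;
        }
        catch (SecurityTokenException)
        {
            // Key id / signature mismatch: the JwtBearer middleware turns this into a 401.
            return false;
        }
    }

    public static void Main()
    {
        var firstStart = NewStartupKey("startup-1");
        string jwt = IssueToken(firstStart);
        Console.WriteLine(Validates(jwt, firstStart));  // True: same key as the issuer used

        // IdentityServer restarts with a temporary credential: a different key appears.
        var secondStart = NewStartupKey("startup-2");
        Console.WriteLine(Validates(jwt, secondStart)); // False: token outlives the key
    }
}
```

The still-unexpired token is rejected purely because the API no longer has the key that signed it, so every client holding a token from before the restart gets 401 until it obtains a new token. With a persisted key (developer credential on one machine, a certificate in production) the second validation would succeed.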