My solution consists of three projects, which are:

  1. An ASP.NET MVC Core project that hosts the IdentityServer.
  2. An ASP.NET Core API project which is protected and manages the IdentityServer.
  3. Another ASP.NET MVC Core that calls the API.

So, the MVC client must also send an access_token to the API on each request. If I run the solution with the docker-compose command it works, but if I push/pull the images to/from the Azure repositories, I have the issue.

The error that I get is: ErrorMessage: Bearer error="invalid_token", error_description="The signature key was not found"

This is my configuration:

services.AddIdentityServer()
    .AddDeveloperSigningCredential()
    .AddAspNetIdentity<ApplicationUser>()
    .AddConfigurationStore(options =>
    {
        options.ConfigureDbContext = builder =>
            builder.UseNpgsql(connectionString,
                sql => sql.MigrationsAssembly(migrationsAssembly));
    })
    .AddOperationalStore(options =>
    {
        options.ConfigureDbContext = builder =>
            builder.UseNpgsql(connectionString,
                sql => sql.MigrationsAssembly(migrationsAssembly));
        options.EnableTokenCleanup = true;
        options.TokenCleanupInterval = 30;
    });

services.AddAuthentication(IdentityServerConstants.DefaultCookieAuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = EnvironmentReader.AuthorityUrl;
        options.ApiName = "api1";
        options.RequireHttpsMetadata = false;
    });
Bug

1 Answer

This is an issue with AddDeveloperSigningCredential vs AddSigningCredential. With AddDeveloperSigningCredential, every time you restart IdentityServer the key material will change, and all tokens that have been signed with the previous key material will fail to validate. "Temporary" is really only for situations where you don't have other key material available.

The following is from the documentation page found here: Documentation

AddDeveloperSigningCredential

Creates temporary key material at startup time. This is for dev only scenarios when you don’t have a certificate to use. The generated key will be persisted to the file system so it stays stable between server restarts (can be disabled by passing false). This addresses issues when the client/api metadata caches get out of sync during development.

vs.

AddSigningCredential

Adds a signing key service that provides the specified key material to the various token creation/validation services. You can pass in either an X509Certificate2, a SigningCredential or a reference to a certificate from the certificate store.

My code:

Line from my configuration:

services.AddIdentityServer()
    .AddSigningCredential(LoadCertificate())

Extra method:

private X509Certificate2 LoadCertificate()
{
    return new X509Certificate2("../../certs/TestCertificate.pfx",
        "pass");
}
Linda Lawton - DaImTo
  • This TestCertificate.pfx must be stored on the local machine, which means on Windows 10 and on the Linux server? – Bug May 29 '18 at 12:16
  • Yeah, pretty much. I have it on my dev machine. We run the Identity server on Docker and it's there as well. – Linda Lawton - DaImTo May 29 '18 at 12:17
  • One more question: where should I get this .pfx certificate? – Bug May 29 '18 at 12:18
  • https://github.com/IdentityServer/IdentityServer4/issues/949 that might help. I didn't actually create the file; I inherited this project from my predecessor, but that should help. – Linda Lawton - DaImTo May 29 '18 at 12:21
  • I get an error saying: Interop.Crypto.OpenSslCryptographicException: 'error:2006D080:BIO routines:BIO_new_file:no such file' The file is located on the Desktop. – Bug May 29 '18 at 14:10