33

I'm fairly new to using encryption and RSA tokens and I'm trying to get IdentityServer4 to not use the developer signing, but one of my own. Here is what I have tried so far:

```csharp
var keyInfo = new RSACryptoServiceProvider().ExportParameters(true);
var rsaSecurityKey = new RsaSecurityKey(new RSAParameters
{
    D = keyInfo.D,
    DP = keyInfo.DP,
    DQ = keyInfo.DQ,
    Exponent = keyInfo.Exponent,
    InverseQ = keyInfo.InverseQ,
    Modulus = keyInfo.Modulus,
    P = keyInfo.P,
    Q = keyInfo.Q
});

services.AddIdentityServer()
    .AddSigningCredential(rsaSecurityKey)
    .AddInMemoryPersistedGrants()
    .AddInMemoryIdentityResources(Config.GetIdentityResources())
    .AddInMemoryApiResources(Config.GetApiResources())
    .AddInMemoryClients(Config.GetClients())
    .AddAspNetIdentity<User>();
```

However, when I run IdentityServer4 and get redirected to the sign-in page from another website, I get the following error:

```
IDX10630: The '[PII is hidden]' for signing cannot be smaller than '[PII is hidden]' bits. KeySize: '[PII is hidden]'. Parameter name: key.KeySize
```

I have to admit, I've been on this all weekend, trying to figure out how to use SigningCredentials and I'm not really sure what I've done wrong above.

Bagzli
  • 6,254
  • 17
  • 80
  • 163
  • 4
    Well, an easy fix is to just call '[PII is hidden]' followed by '[PII is hidden]', – President James K. Polk Nov 12 '18 at 03:50
  • @JamesKPolk I don't know what you mean by that – Bagzli Nov 12 '18 at 04:00
  • 2
    You can see what is hidden: https://github.com/IdentityServer/IdentityServer4/issues/2186#issuecomment-407959886 –  Nov 12 '18 at 08:22
  • Possible duplicate of [JWT SecurityTokenInvalidSignatureException using RS256 PII is hidden](https://stackoverflow.com/questions/50590432/jwt-securitytokeninvalidsignatureexception-using-rs256-pii-is-hidden) – Carlo Bos May 03 '19 at 18:49

2 Answers

85

You can see more details in development by adding the following to Configure() in the Startup class:

```csharp
using Microsoft.IdentityModel.Logging;

// In Startup.Configure(): un-redact the '[PII is hidden]' placeholders in
// IdentityModel exception messages, but only in development.
if (env.IsDevelopment())
{
    IdentityModelEventSource.ShowPII = true;
}
```
user1069816
  • 2,763
  • 2
  • 26
  • 43
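Putting the question's configuration and this answer's ShowPII switch together, here is an added example (mine, not code from the question or from either answer) of a Startup class that generates an RSA key of the size Microsoft.IdentityModel requires, checks the size before handing the key to IdentityServer4, and enables PII in the diagnostics only in development. It assumes the IdentityServer4 and Microsoft.IdentityModel packages of the 2.x era the question uses, keeps the same `AddSigningCredential(rsaSecurityKey)` call as the question, and treats `Config` and `User` as the question's own types; the key id string is a placeholder.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    // Microsoft.IdentityModel rejects RSA signing keys below 2048 bits; that is the
    // condition behind the IDX10630 message in the question.
    private const int MinimumRsaKeyBits = 2048;

    public void ConfigureServices(IServiceCollection services)
    {
        // Ask for the size explicitly. A parameterless RSACryptoServiceProvider() defaults
        // to 1024 bits on .NET Framework, which is exactly what IDX10630 rejects.
        RSAParameters parameters;
        using (var rsa = new RSACryptoServiceProvider(MinimumRsaKeyBits))
        {
            parameters = rsa.ExportParameters(includePrivateParameters: true);
        }

        // A key generated at startup is fine for experiments only: it changes on every
        // restart and invalidates every token already issued. Load a persisted key
        // (a certificate or a key file) for anything beyond development.
        var rsaSecurityKey = new RsaSecurityKey(parameters)
        {
            KeyId = "dev-rsa-key" // hypothetical key id; use a stable id for a persisted key
        };

        // Fail fast with a readable message instead of the PII-redacted IDX10630.
        // Redundant for the key generated above, but it catches an undersized key
        // loaded from configuration before IdentityServer ever tries to sign with it.
        if (rsaSecurityKey.KeySize < MinimumRsaKeyBits)
        {
            throw new InvalidOperationException(
                $"RSA signing key is {rsaSecurityKey.KeySize} bits; at least {MinimumRsaKeyBits} are required.");
        }

        services.AddIdentityServer()
            .AddSigningCredential(rsaSecurityKey) // same call as in the question
            .AddInMemoryPersistedGrants()
            .AddInMemoryIdentityResources(Config.GetIdentityResources())
            .AddInMemoryApiResources(Config.GetApiResources())
            .AddInMemoryClients(Config.GetClients())
            .AddAspNetIdentity<User>();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Un-redact the '[PII is hidden]' placeholders only in development: the values
        // include key details and issuer names that do not belong in production logs.
        if (env.IsDevelopment())
        {
            IdentityModelEventSource.ShowPII = true;
        }

        app.UseIdentityServer();
    }
}
```

The explicit size check is what turns the opaque IDX10630 into an actionable startup failure; ShowPII is kept behind the environment check because the un-redacted messages reveal configuration details (key sizes, issuer and audience values) that should not end up in shared logs.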
5

For those who are having the same problem: the ShowPII configuration is set globally; it's a static property of IdentityModelEventSource and can be set in the Startup class, for example. Once I added it I could see that it was throwing an InvalidIssuer exception for token validation. For me it was related to how I was generating the JWT to communicate with my API (which is protected with Identity Server 4). I was generating the token over the URL http://localhost:5002 (outside of the docker-compose network), which is different from the Identity Server issuer URL inside my API: http://<<docker-service-name>>. So, if you are using docker-compose and manage to use your Identity Server as a separate container inside the same docker-compose, be aware that your authentication should generate a token with an IDENTICAL issuer to the one used in your API.

Iuri Brindeiro
  • 143
  • 1
  • 8
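As an added example of the issuer alignment this answer describes (my code, not the answer's), here are the two halves of a docker-compose setup: IdentityServer pins `IssuerUri` so the `iss` claim no longer depends on which host name the token request arrived on, and the API uses that exact string as its `Authority` and `ValidIssuer`. The service name `identityserver` and the audience `api1` are hypothetical, `Config` is the question's own class, and the API side assumes the standard Microsoft.AspNetCore.Authentication.JwtBearer package.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical docker-compose service name. The point is that both sides agree on this
// exact string, scheme and port included; "http://localhost:5002" would not match it.
public static class Issuer
{
    public const string Url = "http://identityserver";
}

public static class IdentityServerSide
{
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer(options =>
        {
            // Pin the issuer instead of letting IdentityServer derive it from the host
            // name of the incoming request (the default, and the cause of the mismatch).
            options.IssuerUri = Issuer.Url;
        })
        // ... plus the signing credential and the other registrations from the question
        .AddInMemoryApiResources(Config.GetApiResources())
        .AddInMemoryClients(Config.GetClients());
    }
}

public static class ApiSide
{
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // The discovery document is fetched from Authority inside the compose
                // network; the "issuer" it advertises is what the iss claim is checked
                // against, so it must equal IssuerUri above.
                options.Authority = Issuer.Url;
                options.RequireHttpsMetadata = false; // plain http only on the internal network
                options.Audience = "api1";            // hypothetical API resource name

                // Also pin the expected issuer explicitly, so a token minted through
                // another host name is rejected with a clear InvalidIssuer rather than
                // silently accepted if the discovery document ever changes.
                options.TokenValidationParameters.ValidIssuer = Issuer.Url;
            });
    }
}
```

With `IssuerUri` left unset, a token requested via `http://localhost:5002` carries that host as its `iss`, while the API that resolves `http://identityserver` expects the service name; pinning the value on both sides removes that dependency on the caller's network vantage point.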