
I understand very well the purpose of certificates: both in a general case and in the specific usage for token creation under IDS. When I wire up my IDP like this:

services.AddIdentityServer()
  .AddConfigurationStore(Delegates.ConfigOptions(config))
  .AddOperationalStore(Delegates.OperationOptions(config))
  .AddSigningCredential(new X509Certificate2(path, pass));

or this:

services.AddIdentityServer()
  .AddConfigurationStore(Delegates.ConfigOptions(config))
  .AddOperationalStore(Delegates.OperationOptions(config))
  .AddDeveloperSigningCredential();

I get it to work (both dev creds and sign creds work). Accidentally, I commented out both of them, effectively applying the following config.

services.AddIdentityServer()
  .AddConfigurationStore(Delegates.ConfigOptions(config))
  .AddOperationalStore(Delegates.OperationOptions(config));

I had been expecting no tokens, invalid tokens, crashes, exceptions and what not. Instead, everything works smoothly and I see no evident problems.

Now, that can't be right, obviously. What am I missing and what bad thing have I caused by not having the credentials present?!

Konrad Viltersten
  • When you make an HTTPS request (secure), TLS is used with a certificate. TLS establishes a common key for encryption and is performed before the HTTPS request is sent. Then a connection is made and you have to pass credentials with user info like username and group. You are also signing the body of the message, which also uses a certificate. A certificate contains an encryption key and can be used in lots of different applications. In your case you have two different certificates. One for TLS and the other for signing the body of a message. – jdweng Feb 18 '23 at 19:37
  • See the following: https://identityserver4.readthedocs.io/en/latest/topics/startup.html – jdweng Feb 18 '23 at 19:41
  • @jdweng Maybe I'm missing the point, in which case, my apologies. I'm reading the comment (and even re-read the page you linked to, as I've seen it before asking, not getting any wiser). Still, I can't see how that addresses my question - everything seems to work well despite **not having** any signing (be that the dev creds or the PFX file). Obviously, it's not recommended security-wise. But where/how exactly does that mistake come into effect? – Konrad Viltersten Feb 19 '23 at 14:14
  • Your code is using AddSigningCredential(), which is added to the text body after the connection is established. So the certificate is not TLS. TLS is used to make an encrypted connection. If TLS fails then you will never connect. A signing certificate is used to make sure nobody tampers with the data. Some applications do a check to make sure the text is signed. If your app does not check the signing data then the code will work with or without the signature. – jdweng Feb 19 '23 at 14:28

1 Answer

What happens, I think, is that the built-in automatic key manager kicks in and generates the keys for you.

You can verify this because this module creates a subfolder in ~/keys directory.

See the documentation here about the Automatic Key Management.

It can be disabled here:

AddSigningCredential is used to add a custom signing key and AddDeveloperSigningCredential is used to let IdentityServer generate a test key for development.

Tore Nestenius
  • Oh, you are correct! There's actually a folder called *keys*, which I hadn't noticed. In fact, I haven't seen that folder ever before, despite working with IDS for quite a few years... (I always relied on either dev creds locally and a file cert on the server.) I'll try to turn it off and see if something stops performing as expected. What's your gut telling you regarding which one to use - file cert or key gen? – Konrad Viltersten Feb 19 '23 at 14:18
  • Which one to choose depends on if you need key rotation, if you want to manage that yourself, or if you want the newer Automatic Key Management module to manage it for you. But most important, AddDeveloperSigningCredential is only used for development. – Tore Nestenius Feb 19 '23 at 14:35
  • With key rotation, I mean if you want to "replace" the signing keys on a regular basis. – Tore Nestenius Feb 19 '23 at 14:39
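The following is an added example, not code from the question or the answer above. It shows the two deliberate choices the answer and its comments describe: either switch the automatic key manager off and supply a signing credential explicitly (so a forgotten AddSigningCredential/AddDeveloperSigningCredential surfaces as an error instead of a silently generated key under ~/keys), or keep the manager on and pin where its keys live and how often they rotate. It assumes Duende IdentityServer (v5 or later), which is where Automatic Key Management lives; the `KeyManagement.Enabled`, `KeyPath` and `RotationInterval` option names are assumed from Duende's `IdentityServerOptions` and should be checked against the version in use. The `Delegates.*` helpers, `path` and `pass` are the question's own.

```csharp
// Added example; assumes Duende IdentityServer v5+ and the question's own
// Delegates helpers. KeyManagement option names are an assumption to verify.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class SigningCredentialSetup
{
    // Option 1: manage the signing key yourself. Automatic key management is
    // disabled, so the only keys IdentityServer can sign with are the ones
    // registered below; omitting both registrations no longer "just works".
    public static IServiceCollection AddIdentityServerWithExplicitSigning(
        this IServiceCollection services,
        IConfiguration config,
        bool isDevelopment,
        string path,
        string pass)
    {
        var builder = services.AddIdentityServer(options =>
            {
                // Assumed option: turns off the manager that otherwise creates
                // keys under ~/keys when no signing credential is configured.
                options.KeyManagement.Enabled = false;
            })
            .AddConfigurationStore(Delegates.ConfigOptions(config))
            .AddOperationalStore(Delegates.OperationOptions(config));

        if (isDevelopment)
        {
            // Throw-away key for local development only, as the answer notes.
            builder.AddDeveloperSigningCredential();
            return services;
        }

        // Production: fail fast on a missing or unusable certificate rather than
        // finding out later that tokens carry an unexpected signer.
        if (!File.Exists(path))
            throw new InvalidOperationException($"Signing certificate not found at '{path}'.");

        var cert = new X509Certificate2(path, pass);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Signing certificate has no private key.");
        if (cert.NotAfter <= DateTime.Now)   // NotAfter is reported in local time
            throw new InvalidOperationException($"Signing certificate expired on {cert.NotAfter:u}.");

        builder.AddSigningCredential(cert);
        return services;
    }

    // Option 2: let the automatic key manager handle rotation, but make its
    // behaviour explicit so the key folder is a known, monitored location and
    // the rotation interval is a conscious choice rather than a default.
    public static IServiceCollection AddIdentityServerWithManagedKeys(
        this IServiceCollection services,
        IConfiguration config,
        string keyPath)
    {
        services.AddIdentityServer(options =>
            {
                options.KeyManagement.Enabled = true;
                // Assumed option names: where generated keys are stored and how
                // often a new signing key is introduced.
                options.KeyManagement.KeyPath = keyPath;
                options.KeyManagement.RotationInterval = TimeSpan.FromDays(90);
            })
            .AddConfigurationStore(Delegates.ConfigOptions(config))
            .AddOperationalStore(Delegates.OperationOptions(config));

        return services;
    }
}
```

Whichever option is chosen, the quick check from the answer still applies: after startup, look at whether a keys folder appears and compare the key ids published at the discovery document's jwks endpoint with the certificate you intended to use; a key that is not the one you registered means the manager, not your certificate, is signing tokens.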