Question
The source code for ID4 asks us to "configure key material" for use in production.
I've used the following PowerShell script to create keys suitable for Identity Server 4.
# (not necessary for this question, but others may find this useful)
[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)][string]$password = "",
    [Parameter(Mandatory=$true)][string]$rootDomain = ""
)
# https://mcguirev10.com/2018/01/04/localhost-ssl-identityserver-certificates.html#identityserver-token-credentials
$cwd = Convert-Path .
$sCerFile = "$cwd\token_signing.cer"
$sPfxFile = "$cwd\token_signing.pfx"
$vCerFile = "$cwd\token_validation.cer"
$vPfxFile = "$cwd\token_validation.pfx"
# abort if files exist
if((Test-Path($sPfxFile)) -or (Test-Path($sCerFile)) -or (Test-Path($vPfxFile)) -or (Test-Path($vCerFile)))
{
    Write-Warning "Failed, token_signing or token_validation files already exist in current directory."
    Exit
}
# creates a self-signed 4096-bit RSA certificate in the current user's store
function Get-NewCert ([string]$name)
{
    New-SelfSignedCertificate `
        -Subject $rootDomain `
        -DnsName $rootDomain `
        -FriendlyName $name `
        -NotBefore (Get-Date) `
        -NotAfter (Get-Date).AddYears(10) `
        -CertStoreLocation "cert:CurrentUser\My" `
        -KeyAlgorithm RSA `
        -KeyLength 4096 `
        -HashAlgorithm SHA256 `
        -KeyUsage DigitalSignature, KeyEncipherment, DataEncipherment `
        -Type Custom,DocumentEncryptionCert `
        -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
}
$securePass = ConvertTo-SecureString -String $password -Force -AsPlainText
# token signing certificate
$cert = Get-NewCert("IdentityServer Token Signing Credentials")
$store = 'Cert:\CurrentUser\My\' + ($cert.ThumbPrint)
Export-PfxCertificate -Cert $store -FilePath $sPfxFile -Password $securePass
Export-Certificate -Cert $store -FilePath $sCerFile
Write-Host "Token-signing thumbprint: " $cert.Thumbprint
# token validation certificate
$cert = Get-NewCert("IdentityServer Token Validation Credentials")
$store = 'Cert:\CurrentUser\My\' + ($cert.ThumbPrint)
Export-PfxCertificate -Cert $store -FilePath $vPfxFile -Password $securePass
Export-Certificate -Cert $store -FilePath $vCerFile
Write-Host "Token-validation thumbprint: " $cert.Thumbprint
Are there any implementations, or sample implementations, that have a placeholder to clearly tell me where to implement the key fetch function, and also instruction on how to add that into the Startup.cs correctly?
I'm still trying to understand the ASP.NET Core Startup/Configuration/Kestrel configuration process, and this is where I'm getting stuck.
- How do I manage key material?
- What object do I override, and how do I configure ID4 to use it?
Answer 1:
You can configure the signing key by using the IIdentityServerBuilder API:
builder.AddSigningCredential(myKeyMaterial);
You've got the below available overloads for this:
public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, SigningCredentials credential)
public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, X509Certificate2 certificate)
public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, string name, StoreLocation location = StoreLocation.LocalMachine, NameType nameType = NameType.SubjectDistinguishedName)
public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, RsaSecurityKey rsaKey)
Here is an example from one of my projects using the X509 certificate by subject name from local machine certificate store:
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Serilog;

// looks up a certificate by subject name in the LocalMachine\My store and registers it as the signing credential
private static void AddCertificateFromStore(this IIdentityServerBuilder builder,
    IConfiguration options)
{
    var subjectName = options.GetValue<string>("SubjectName");
    var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    // validOnly: true skips expired or otherwise invalid certificates
    var certificates = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, true);
    if (certificates.Count > 0)
    {
        builder.AddSigningCredential(certificates[0]);
    }
    else
    {
        Log.Error("A matching key couldn't be found in the store");
    }
}
With such an extension method, you can use it as per below (I like to use the hosting environment to determine whether to add developer default signing credentials or production credentials):
if (environment.IsDevelopment())
{
identityServerBuilder.AddDeveloperSigningCredential();
}
else
{
identityServerBuilder.AddCertificateFromStore(configuration);
}
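The answer fetches the key from the machine certificate store. As an added example (not code from the answer or from IdentityServer4 itself), here is the same kind of key-fetch extension for the PFX files that the asker's script produces: it loads the signing PFX and the validation PFX from configuration, refuses a signing certificate that has no private key or is outside its validity window (instead of logging and continuing, which leaves IdentityServer to fail later with a less specific error), and plugs into the same development/production switch the answer uses. The `KeyMaterial` configuration section and its `PfxPath`/`PfxPassword` keys are names assumed by this example, not IdentityServer4 settings; `AddValidationKey(X509Certificate2)` is the IdentityServer4 builder method for publishing a validation-only key, which is not shown on the page, so check its signature against your version; `IHostEnvironment` assumes .NET Core 3.x or later.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

// Added example: key-fetch extension for IdentityServer4 that loads the
// token_signing.pfx / token_validation.pfx files from the question's script.
// Assumed configuration layout (e.g. appsettings.Production.json; keep the
// passwords in environment variables or a secret store, not in source control):
//
//   "KeyMaterial": {
//     "Signing":    { "PfxPath": "/secrets/token_signing.pfx",    "PfxPassword": "..." },
//     "Validation": { "PfxPath": "/secrets/token_validation.pfx", "PfxPassword": "..." }
//   }
public static class KeyMaterialExtensions
{
    public static IIdentityServerBuilder AddKeyMaterialFromPfx(
        this IIdentityServerBuilder builder, IConfiguration configuration)
    {
        var section = configuration.GetSection("KeyMaterial");

        // The signing certificate must carry its private key: tokens are signed with it.
        var signing = LoadPfx(section.GetSection("Signing"), requirePrivateKey: true);
        builder.AddSigningCredential(signing);

        // A validation key only needs the public half. Publishing it in the discovery
        // document lets clients keep validating tokens signed by a previous key while
        // you rotate to a new signing key.
        var validationSection = section.GetSection("Validation");
        if (validationSection.Exists())
        {
            var validation = LoadPfx(validationSection, requirePrivateKey: false);
            builder.AddValidationKey(validation); // assumption: check against your IdentityServer4 version
        }

        return builder;
    }

    // Loads one PFX and fails fast on material that cannot do its job.
    internal static X509Certificate2 LoadPfx(IConfiguration section, bool requirePrivateKey)
    {
        var path = section.GetValue<string>("PfxPath");
        var password = section.GetValue<string>("PfxPassword");
        if (string.IsNullOrEmpty(path) || !File.Exists(path))
        {
            throw new FileNotFoundException($"PFX file for key material not found: '{path}'");
        }

        // EphemeralKeySet keeps the private key in process memory instead of writing it
        // to the user's persisted key store; macOS does not support this flag, so use the
        // default flags there.
        var cert = new X509Certificate2(path, password, X509KeyStorageFlags.EphemeralKeySet);

        var now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
        {
            throw new InvalidOperationException(
                $"Certificate {cert.Thumbprint} is outside its validity period ({cert.NotBefore:u} - {cert.NotAfter:u})");
        }
        if (requirePrivateKey && !cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                $"Certificate {cert.Thumbprint} has no private key and cannot sign tokens");
        }

        return cert;
    }

    // Called from Startup.ConfigureServices: the same environment switch as in the answer.
    public static void ConfigureIdentityServerKeys(
        IServiceCollection services, IHostEnvironment environment, IConfiguration configuration)
    {
        var identityServerBuilder = services.AddIdentityServer();
        if (environment.IsDevelopment())
        {
            identityServerBuilder.AddDeveloperSigningCredential();
        }
        else
        {
            identityServerBuilder.AddKeyMaterialFromPfx(configuration);
        }
    }
}
```

Throwing from `LoadPfx` is deliberate: a production identity server that starts without usable signing material, or with an expired certificate, is worse than one that refuses to start, and the exception names the thumbprint so the operator can match it against the thumbprints the PowerShell script prints.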
Source: https://stackoverflow.com/questions/54771718/how-do-i-configure-key-material-in-identity-server-4-to-use-sql-keyvault-or