IdentityServer4 storing Client Secrets

家住魔仙堡 submitted on 2020-08-23 12:57:29

Question


I'm currently trying to build a single sign-on server for a couple of clients to use. Because I don't know exactly how many clients there will be, I planned to make it so I can add clients at runtime using the EntityFramework Configuration Store.

My problem is now how to set the client secrets. I tried generating a new GUID and using that as a secret. The problem now is, that the Configuration Store just wants to save the hashed version of the secret and I would need to access the plain secret to add it to the actual client application.

I assume that this is on purpose and that it is discouraged to save the plain version of the secret? What would be the go-to solution for saving secrets?


Answer 1:


Use the following algorithm to generate the SHA-256 hash. This is the same algorithm used in the IdentityServer4.Models.HashExtensions class.

using System;
using System.Security.Cryptography;
using System.Text;

static class Extensions
{
    // Same transformation as IdentityServer4.Models.HashExtensions.Sha256:
    // UTF-8 bytes of the secret -> SHA-256 digest -> Base64 string.
    // The returned string is what the configuration store keeps as the secret value.
    public static string Sha256(this string input)
    {
        using (SHA256 sha256 = SHA256.Create())
        {
            byte[] bytes = Encoding.UTF8.GetBytes(input);
            return Convert.ToBase64String(sha256.ComputeHash(bytes));
        }
    }
}

static class Program
{
    static void Main()
    {
        // Prints the hashed form of the plain secret to store in the configuration database.
        Console.WriteLine("secret-as-guid".Sha256());
    }
}



Answer 2:


You should not store the client secret in plain text.

Always assume that your configuration database gets compromised - and then those secrets can be used to impersonate your clients.

This might be slightly inconvenient for you - but it is a best practice (and also in-line with how other token services deal with that).

If you have other means of protecting the secret at rest - you can add the plain text based secret validator to DI:

https://github.com/IdentityServer/IdentityServer4/blob/dev/src/IdentityServer4/Validation/PlainTextSharedSecretValidator.cs
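The two answers together describe one provisioning flow: generate the secret, hand the plain value to the client application once, persist only the hash in the form IdentityServer4 expects, and compare hashes at token time. The following example, added here and not taken from the question, the answers or the IdentityServer4 project, carries that flow through end to end. It assumes the IdentityServer4 NuGet package is referenced for the `Client` and `Secret` model types; the class name `ClientSecretProvisioning`, the client id `reporting-app` and the `SecretMatches` check are constructed for illustration (the check mirrors what the hashed-secret validator does, it is not the library's code).

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using IdentityServer4.Models;   // assumption: IdentityServer4 package referenced
static class ClientSecretProvisioning
{
    // 32 bytes from the OS CSPRNG. A GUID is a poor secret: at most 122 bits
    // and not guaranteed to be unpredictable.
    public static string NewPlainSecret()
    {
        var buf = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        return Convert.ToBase64String(buf);
    }

    // Same transformation as IdentityServer4.Models.HashExtensions.Sha256:
    // UTF-8 bytes -> SHA-256 -> Base64. This is the value the store keeps.
    public static string Sha256Base64(string input)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(input)));
    }

    // Only the hash goes into the Client; the plain value is returned once so
    // it can be handed to the client application and then discarded.
    public static (Client Client, string PlainSecret) ProvisionClient(string clientId)
    {
        var plain = NewPlainSecret();
        var client = new Client { ClientId = clientId, ClientSecrets = { new Secret(Sha256Base64(plain)) } };
        return (client, plain);
    }

    // What the hashed-secret validator does at token time: hash the presented
    // value and compare it in constant time against every stored hash.
    public static bool SecretMatches(Client client, string presented)
    {
        var candidate = Encoding.UTF8.GetBytes(Sha256Base64(presented));
        return client.ClientSecrets.Any(s =>
            CryptographicOperations.FixedTimeEquals(candidate, Encoding.UTF8.GetBytes(s.Value)));
    }

    static void Main()
    {
        var (client, plain) = ProvisionClient("reporting-app");   // constructed client id
        Console.WriteLine($"Hand to the client once: {plain}");
        Console.WriteLine($"Persisted hash:          {client.ClientSecrets.First().Value}");
        Console.WriteLine($"Valid: {SecretMatches(client, plain)}, invalid: {SecretMatches(client, "wrong")}");
    }
}
```

The `Client` object built here is what you would map into the EntityFramework configuration store; the plain secret is never written anywhere on the server side.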



Source: https://stackoverflow.com/questions/44001798/identityserver4-storing-client-secrets
