AddTemporarySigningCredential vs AddSigningCredential in IdentityServer4

According to the docs, IdentityServer uses an asymmetric key pair to sign and verify JWTs. You can either use AddTemporarySigningCredential(), which creates a new RSA key each time the server starts, or use AddSigningCredential(..) with an RSA key or certificate.

The docs mention that the temporary version is useful for development scenarios, but they do not say whether it is a drawback when used in a production environment.

I have an ASP.NET Core web API in which clients authenticate using IdentityServer4. Currently the system works great with the temporary signing credential, but I'm wondering if there is any benefit in using the other option.

Thanks,

+7
identityserver4
2 answers

The downside is that every time you restart IdentityServer, the key material will change - or IOW - all tokens that were signed with the previous key material will no longer validate.

“Temporary” is really only for situations where you do not have other key materials available.

+12
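To make the failure mode in the answer above concrete, here is an added example (not code from the original post or from IdentityServer4 itself). It signs a JWT with one RSA key, simulates a restart by generating a fresh key, and checks the old token against the new key material, once with only the new key trusted and once with the old key kept as an additional validation key. The issuer and audience strings are constructed values; the example needs the System.IdentityModel.Tokens.Jwt package.

```csharp
// Added example: what a "new RSA key on every start" means for tokens that are
// already in circulation. Not part of the original Q&A.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

class SigningKeyRestartDemo
{
    // Constructed values for the demo; a real API gets these from its config.
    const string Issuer = "https://idsrv.example";
    const string Audience = "api1";

    // Issue a short-lived access token signed with the given key (RS256).
    static string Issue(RsaSecurityKey signingKey)
    {
        var creds = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256);
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: new[] { new Claim("sub", "alice") },
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Validate the token against the set of keys the API currently trusts.
    // This is the check the JWT bearer middleware performs on every request,
    // using the keys it fetched from IdentityServer's discovery document.
    static bool Validate(string jwt, IEnumerable<SecurityKey> trustedKeys)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKeys = trustedKeys,
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return true;
        }
        catch (SecurityTokenException)
        {
            // Covers the signature-key-not-found and invalid-signature cases.
            return false;
        }
    }

    static void Main()
    {
        // Key material generated at the first start (temporary credential behaviour).
        var keyBeforeRestart = new RsaSecurityKey(RSA.Create(2048)) { KeyId = "key-1" };
        string jwt = Issue(keyBeforeRestart);

        // "Restart": a brand-new RSA key is generated and the old one is gone.
        var keyAfterRestart = new RsaSecurityKey(RSA.Create(2048)) { KeyId = "key-2" };

        // Only the new key is published: the token issued before the restart is
        // rejected even though it has not expired.
        bool afterRestart = Validate(jwt, new SecurityKey[] { keyAfterRestart });

        // Proper rollover: the new key signs, but the old key stays published as a
        // validation key until every token it signed has expired.
        bool withRollover = Validate(jwt, new SecurityKey[] { keyAfterRestart, keyBeforeRestart });

        Console.WriteLine($"trusting only the new key: {afterRestart}");
        Console.WriteLine($"old key kept for validation: {withRollover}");
    }
}
```

The first check fails and the second succeeds, which is exactly the gap between a temporary credential and a managed one: the problem is not the key being asymmetric but the verification key disappearing while tokens signed with it are still valid.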

Instead of AddTemporarySigningCredential, consider using AddDeveloperSigningCredential.

From http://docs.identityserver.io/en/release/topics/startup.html#refstartupkeymaterial:

AddDeveloperSigningCredential

Same purpose as the temporary signing credential, but this version persists the key to the file system, so it stays stable between server restarts. This fixes the problems that arise during development when cached client/API metadata gets out of sync after a restart.

WARNING: AddDeveloperSigningCredential can only be used when the IdentityServer host is running on a SINGLE machine; for a production farm you need to use AddSigningCredential.

+8
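As an added example (not from the original post or the IdentityServer documentation), here is how a Startup class can select the credential per environment, using the developer credential locally and a configured X.509 certificate everywhere else, with an optional previous certificate kept as a validation key so a certificate change does not invalidate live tokens. The configuration keys under "Signing:" and the ASP.NET Core 3.x-style IWebHostEnvironment are assumptions for this example.

```csharp
// Added example: environment-dependent signing credential for IdentityServer4.
// Not part of the original Q&A. Configuration key names are assumed.
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    private readonly IConfiguration _config;
    private readonly IWebHostEnvironment _env;

    public Startup(IConfiguration config, IWebHostEnvironment env)
    {
        _config = config;
        _env = env;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        var builder = services.AddIdentityServer();
        // ... clients, resources, users etc. are registered here as usual.

        if (_env.IsDevelopment())
        {
            // Writes the key to a tempkey file in the content root, so it survives
            // restarts on this one machine but is never shared with other hosts.
            builder.AddDeveloperSigningCredential();
            return;
        }

        // Anything that is not Development, including a multi-instance farm,
        // must load identical key material on every instance.
        string path = _config["Signing:CertificatePath"];          // assumed key
        string password = _config["Signing:CertificatePassword"];  // assumed key, supply via secret store
        if (string.IsNullOrEmpty(path))
        {
            throw new InvalidOperationException(
                "Signing:CertificatePath must be set outside the Development environment.");
        }

        var signingCert = new X509Certificate2(path, password);
        if (!signingCert.HasPrivateKey)
        {
            throw new InvalidOperationException("The signing certificate has no private key.");
        }
        builder.AddSigningCredential(signingCert);

        // Rollover: keep the previous certificate (public part is enough) in the
        // discovery document so tokens it signed still validate until they expire.
        string previousPath = _config["Signing:PreviousCertificatePath"];  // assumed key
        if (!string.IsNullOrEmpty(previousPath))
        {
            builder.AddValidationKey(new X509Certificate2(previousPath));
        }
    }
}
```

Failing fast when the certificate path is missing outside Development is deliberate: silently falling back to the developer credential on a production host would reintroduce the single-machine, file-on-disk key that the warning above is about.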
