问题描述

我们正在使用.NET Core Web应用程序实施Identity Server 4.

We are in the process of implementing Identity Server 4 with our .NET Core web app.

我仔细阅读了Identity Server文档.配置身份服务器(使用DI)时，有以下行:

I went trough the Identity Server documentation. When configuring the Identity server (using DI) there is the line:

.AddTemporarySigningCredential

我正在尝试了解此签名凭证是什么，但无法弄清楚.因此，我不知道是否可以使用内置的临时文件，还是应该提供其他临时文件.

I'm trying to understand what this Signing credential is but couldn't figure out. Therefore I don't know if it's ok to use the built in temporary, or if I should provide a different one.

我的问题是，什么是签名凭证，我应该如何使用它?

My question is, what is a signing credential and how should I use it?

在身份服务器文档中，这是定义:

In the Identity server documentation this is the definition:

所以这似乎很重要:)

推荐答案

授权服务器将使用密钥对令牌进行签名.资源服务器应使用密钥验证令牌的完整性.它们共同形成一个(通常是非对称的，例如公共/私有)密钥(对).默认情况下，IdentityServer将通过/.well-known/openid-configuration端点发布用于验证令牌的公钥.

The Authorization Server will sign tokens with a key. Resource Server(s) should verify that the token's integrity with a key. Together they form a (usually asymmetric, e.g. public/private) key (pair). By default IdentityServer will publish the public key for verifying tokens via the /.well-known/openid-configuration endpoint.

对于开发方案，您通常希望跳过正确处理诸如所述密钥之类的机密信息(对于真正在生产中进行正确操作非常重要！).对于这些开发方案，您可以选择使用AddTemporarySigningCredential之类的临时解决方案，该解决方案用于 .NET Core 1.x .

For development scenarios, you typically want to skip the fuss of properly managing secrets like said keys (which is really important to do properly in production!). For these development scenarios you have the option of using adhoc solutions like AddTemporarySigningCredential, which was used for .NET Core 1.x.

使用 .NET Core 2.x ，这将更改，您将需要AddDeveloperSigningCredential()扩展方法.

With .NET Core 2.x this will change and you will need the AddDeveloperSigningCredential() extension method.

这回答了这是什么的问题.关于如何使用它:您只需根据应用程序Startup类的ConfigureServices(...)方法内的.NET Core版本调用所需的方法即可.

That answers the question of what it is. On how to use it: you simply call the method you need depending on your .NET Core version inside the ConfigureServices(...) method of your application's Startup class.

除此之外，您不需要做任何特殊的事情，当然要注意在生产中使用正确的密钥对.

Apart from that you don't need to do anything special, except of course take care that you use a proper key pair in production.

另请参见密码，密钥和HTTPS 和配置密钥服务的位.从后一个文档来看，这是生产案例的一种相关替代方法:

See also the docs on Cryptography, Keys and HTTPS and the bit on Configuring Services for Keys. From the latter document, here's a relevant alternative for production cases:

添加签名密钥服务，该签名密钥服务向各种令牌创建/验证服务提供指定的密钥材料.您可以传入X509Certificate2，SigningCredential或从证书存储区对证书的引用.

Adds a signing key service that provides the specified key material to the various token creation/validation services. You can pass in either an X509Certificate2, a SigningCredential or a reference to a certificate from the certificate store.

这篇关于IdentityServer4中的签名凭证是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！