ID4 的源代码要求我们“配置 key Material ”以在生产中使用。
我使用以下 Powershell 脚本创建适合 Identity Server 4 的 key 。
// (not necessary for this question, but others may find this useful)
[CmdletBinding()]
param(
[Parameter(Mandatory=$true)][string]$password = "",
[Parameter(Mandatory=$true)][string]$rootDomain = ""
)
#https://mcguirev10.com/2018/01/04/localhost-ssl-identityserver-certificates.html#identityserver-token-credentials
$cwd = Convert-Path .
$sCerFile = "$cwd\token_signing.cer"
$sPfxFile = "$cwd\token_signing.pfx"
$vCerFile = "$cwd\token_validation.cer"
$vPfxFile = "$cwd\token_validation.pfx"
# abort if files exist
if((Test-Path($sPfxFile)) -or (Test-Path($sCerFile)) -or (Test-Path($vPfxFile)) -or (Test-Path($vCerFile)))
{
Write-Warning "Failed, token_signing or token_validation files already exist in current directory."
Exit
}
function Get-NewCert ([string]$name)
{
New-SelfSignedCertificate `
-Subject $rootDomain `
-DnsName $rootDomain `
-FriendlyName $name `
-NotBefore (Get-Date) `
-NotAfter (Get-Date).AddYears(10) `
-CertStoreLocation "cert:CurrentUser\My" `
-KeyAlgorithm RSA `
-KeyLength 4096 `
-HashAlgorithm SHA256 `
-KeyUsage DigitalSignature, KeyEncipherment, DataEncipherment `
-Type Custom,DocumentEncryptionCert `
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
}
$securePass = ConvertTo-SecureString -String $password -Force -AsPlainText
# token signing certificate
$cert = Get-NewCert("IdentityServer Token Signing Credentials")
$store = 'Cert:\CurrentUser\My\' + ($cert.ThumbPrint)
Export-PfxCertificate -Cert $store -FilePath $sPfxFile -Password $securePass
Export-Certificate -Cert $store -FilePath $sCerFile
Write-Host "Token-signing thumbprint: " $cert.Thumbprint
# token validation certificate
$cert = Get-NewCert("IdentityServer Token Validation Credentials")
$store = 'Cert:\CurrentUser\My\' + ($cert.ThumbPrint)
Export-PfxCertificate -Cert $store -FilePath $vPfxFile -Password $securePass
Export-Certificate -Cert $store -FilePath $vCerFile
Write-Host "Token-validation thumbprint: " $cert.Thumbprint
是否有任何实现或示例实现有一个占位符来清楚地告诉我在哪里实现 key 获取函数,以及如何将其正确添加到 Startup.cs 中的说明?
我仍在尝试了解 ASP.NET Core 启动/配置/Kestra 配置过程,这就是我陷入困境的地方。
- 如何管理关键 Material ?
- 我要覆盖什么对象,以及如何配置 ID4 来使用它?
最佳答案
您可以使用 IIdentityServerBuilder API 配置签名 key :
builder.AddSigningCredential(myKeyMaterial);
为此,您有以下可用的重载:
public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, SigningCredentials credential)
public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, X509Certificate2 certificate)
public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, string name, StoreLocation location = StoreLocation.LocalMachine, NameType nameType = NameType.SubjectDistinguishedName)
public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, RsaSecurityKey rsaKey)
以下是我的一个项目的示例,该项目使用本地计算机证书存储中的主题名称 X509 证书:
private static void AddCertificateFromStore(this IIdentityServerBuilder builder,
IConfiguration options)
{
var subjectName = options.GetValue<string>("SubjectName");
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var certificates = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, true);
if (certificates.Count > 0)
{
builder.AddSigningCredential(certificates[0]);
}
else
Log.Error("A matching key couldn't be found in the store");
}
通过这样的扩展方法,您可以按照以下方式使用它(我喜欢使用托管环境来确定是否添加开发人员默认签名凭据或生产凭据):
if (environment.IsDevelopment())
{
identityServerBuilder.AddDeveloperSigningCredential();
}
else
{
identityServerBuilder.AddCertificateFromStore(configuration);
}
关于asp.net-core - 如何在 Identity Server 4 中配置 "key material"以使用 SQL、KeyVault 或任何其他系统?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/54771718/