According to the docs, IdentityServer uses an asymmetric key pair to sign and validate JWTs.
One could either use AddTemporarySigningCredential() in the configuration, which creates a fresh RSA key every startup, or use AddSigningCredential(..) with an RSA key or a certificate.
The document mentions the Temporary version is useful for Development situations but it does not tell what is the disadvantage of this when used in a production environment.
I have an aspnetcore web api in which the clients are authenticated using IdentityServer4. The system works fine at the moment with the temporary signing credential, but I wonder whether there is any benefit in using the other variant.
Thanks,
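The two configuration variants the question compares, side by side in a Startup class. This is an added example, not code from the question or from the IdentityServer project: it keeps the temporary credential for the Development environment and loads a persistent certificate from a PFX file for everything else. The configuration keys `Signing:PfxPath` and `Signing:PfxPassword` are assumed names; the password should come from an environment variable or secret store, not from a checked-in appsettings file.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _config;
    private readonly IHostingEnvironment _env;

    public Startup(IConfiguration config, IHostingEnvironment env)
    {
        _config = config;
        _env = env;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        var builder = services.AddIdentityServer();
        // Clients, identity resources and API resources are registered here
        // as usual; they are omitted because they do not affect signing.

        if (_env.IsDevelopment())
        {
            // Fresh RSA key on every start. Convenient locally, but any token
            // issued before a restart stops validating after it.
            builder.AddTemporarySigningCredential();
        }
        else
        {
            // Persistent key material: tokens issued before a restart keep
            // validating because the same key is loaded again.
            var pfxPath = _config["Signing:PfxPath"];         // assumed config key
            var pfxPassword = _config["Signing:PfxPassword"]; // assumed config key, supplied from a secret store

            if (string.IsNullOrEmpty(pfxPath) || !File.Exists(pfxPath))
            {
                // Fail fast: silently falling back to a temporary key in
                // production would reintroduce the restart problem.
                throw new InvalidOperationException(
                    "Signing certificate not configured (Signing:PfxPath).");
            }

            var cert = new X509Certificate2(
                pfxPath, pfxPassword, X509KeyStorageFlags.MachineKeySet);

            if (!cert.HasPrivateKey)
            {
                throw new InvalidOperationException(
                    "Signing certificate must contain a private key.");
            }

            builder.AddSigningCredential(cert);
        }
    }
}
```

The check that the environment is not Development is deliberate: the failure mode of a missing certificate is an exception at startup rather than a server that issues tokens nobody can validate after the next deployment.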
The disadvantage is that every time you restart IdentityServer, the key material will change - or IOW - all tokens that have been signed with the previous key material will fail to validate.
"Temporary" is really only for situations where you don't have other key material available.
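The effect described in the answer, reproduced with the JWT library IdentityServer4 itself builds on. This is an added example, not part of the answer or of IdentityServer: `NewStartupKey` stands in for what a temporary signing credential does on each process start, `Issue` signs a token the way the token service would, and `Validates` plays the role of the API validating it. The issuer and audience values are made up for the demonstration.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

static class KeyRotationDemo
{
    const string Issuer = "https://idsrv.example";  // constructed value
    const string Audience = "api1";                 // constructed value

    // Stand-in for a temporary signing credential: a new RSA key per "start".
    static RsaSecurityKey NewStartupKey() => new RsaSecurityKey(RSA.Create(2048));

    // What the token service does: sign a JWT with the current key.
    static string Issue(RsaSecurityKey key)
    {
        var handler = new JwtSecurityTokenHandler();
        var token = handler.CreateJwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            expires: DateTime.UtcNow.AddHours(1),
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.RsaSha256));
        return handler.WriteToken(token);
    }

    // What the API does: validate the signature against the key it currently trusts.
    static bool Validates(string jwt, RsaSecurityKey trustedKey)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = trustedKey,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
        };

        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return true;
        }
        catch (SecurityTokenException)
        {
            // Covers invalid-signature and key-not-found failures alike.
            return false;
        }
    }

    static void Main()
    {
        // First process start: issue a token and validate it with the same key.
        var firstStart = NewStartupKey();
        var jwt = Issue(firstStart);
        Console.WriteLine($"Same key: {Validates(jwt, firstStart)}");

        // Simulated restart: the temporary credential produces a different key,
        // so the token signed before the restart no longer validates.
        var secondStart = NewStartupKey();
        Console.WriteLine($"After restart: {Validates(jwt, secondStart)}");
    }
}
```

Requires the `System.IdentityModel.Tokens.Jwt` package. The token is well within its lifetime in both checks, so the only thing that changes between them is the key, which is exactly the restart scenario the answer describes.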