identityserver4

IdentityServer4 access token after server reboot


I have implemented a Web API incorporating IdentityServer4 authentication as part of the web service.

If I reboot the server access tokens issued before the reboot are no longer valid. I am persisting the IdentityServer data with AddConfigurationStore and AddOperationalStore.

Am I incorrect in thinking that the access tokens should have been persisted?


Solution

  • An asymmetric key pair is used by IdentityServer4 to sign and validate JWTs. You should also persist this pair in addition to the AddOperationalStore call. As described in the documentation:

    AddSigningCredential

    Adds a signing key service that provides the specified key material to the various token creation/validation services. You can pass in either an X509Certificate2, a SigningCredential or a reference to a certificate from the certificate store.

    AddDeveloperSigningCredential

    Same purpose as the temporary signing credential. But this version persists the key to the file system so it stays stable between server restarts. This addresses issues when the client/api metadata caches get out of sync during development.

    More info: Cryptography, Keys and HTTPS.

    AddSigningCredential example: GitHub.

    P.S. I guess AddOperationalStore stores refresh tokens only and it's by design.
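As an added example (not the answerer's code or IdentityServer's own sample), here is a Startup fragment that keeps the developer credential for local runs only and, otherwise, hands a persisted X509Certificate2 to AddSigningCredential so tokens stay verifiable after a restart. The configuration keys Signing:PfxPath, Signing:PfxPassword and Signing:Thumbprint are assumptions.

```csharp
// Added example, not from the question or answer above. Config keys under
// "Signing:" are assumed names; supply them from your secret store.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    private readonly IConfiguration _config;
    private readonly IHostEnvironment _env;

    public Startup(IConfiguration config, IHostEnvironment env)
    {
        _config = config;
        _env = env;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        var builder = services.AddIdentityServer();

        if (_env.IsDevelopment())
        {
            // Development only: the generated key is written to the content root,
            // so it is stable across restarts on this machine but is not a
            // managed, backed-up key and must not reach production.
            builder.AddDeveloperSigningCredential();
        }
        else
        {
            // Production: one key pair that every instance and every restart
            // shares, so previously issued JWTs keep validating.
            builder.AddSigningCredential(LoadSigningCertificate());
        }
    }

    private X509Certificate2 LoadSigningCertificate()
    {
        // Option 1: PFX file deployed with the service (password from config/secrets).
        var pfxPath = _config["Signing:PfxPath"];
        if (!string.IsNullOrEmpty(pfxPath))
        {
            if (!File.Exists(pfxPath))
                throw new FileNotFoundException("Signing certificate not found", pfxPath);
            return new X509Certificate2(pfxPath, _config["Signing:PfxPassword"]);
        }

        // Option 2: certificate installed in the machine store, chosen by thumbprint.
        var thumbprint = _config["Signing:Thumbprint"];
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (found.Count == 0 || !found[0].HasPrivateKey)
            throw new InvalidOperationException("No signing certificate with a private key found");
        return found[0];
    }
}
```

Whichever option is used, the same certificate must be present on every server that issues or validates tokens; a restart that regenerates the key is exactly what invalidates the tokens described in the question.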