Tags: docker, asp.net-core, jwt, identityserver4

IdentityServer4 in Docker images running on Linux & Azure repositories & authentication issue


My solution consists of three projects, which are:

  1. An ASP.NET MVC Core project that hosts the IdentityServer.
  2. An ASP.NET Core API project which is protected and manages the IdentityServer.
  3. Another ASP.NET MVC Core that calls the API.

So, the MVC client must also send an access_token to the API on each request. If I run the solution with the docker-compose command it works, but if I push/pull the images to/from the Azure repositories, I have the issue.

The error that I get is: ErrorMessage: Bearer error="invalid_token", error_description="The signature key was not found"

This is my configuration:

services.AddIdentityServer()
    .AddDeveloperSigningCredential()
    .AddAspNetIdentity<ApplicationUser>()
    .AddConfigurationStore(options =>
    {
        options.ConfigureDbContext = builder =>
            builder.UseNpgsql(connectionString,
                sql => sql.MigrationsAssembly(migrationsAssembly));
    })
    .AddOperationalStore(options =>
    {
        options.ConfigureDbContext = builder =>
            builder.UseNpgsql(connectionString,
                sql => sql.MigrationsAssembly(migrationsAssembly));
        options.EnableTokenCleanup = true;
        options.TokenCleanupInterval = 30;
    });

services.AddAuthentication(IdentityServerConstants.DefaultCookieAuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = EnvironmentReader.AuthorityUrl;
        options.ApiName = "api1";
        options.RequireHttpsMetadata = false;
    });

Solution

  • This is an issue with AddDeveloperSigningCredential vs AddSigningCredential. With AddDeveloperSigningCredential, every time you restart IdentityServer the key material will change, and all tokens that have been signed with the previous key material will fail to validate. "Temporary" is really only for situations where you don't have other key material available.

    The following is from the documentation page found here: Documentation

    AddDeveloperSigningCredential

    Creates temporary key material at startup time. This is for dev only scenarios when you don’t have a certificate to use. The generated key will be persisted to the file system so it stays stable between server restarts (can be disabled by passing false). This addresses issues when the client/api metadata caches get out of sync during development.

    VS

    AddSigningCredential

    Adds a signing key service that provides the specified key material to the various token creation/validation services. You can pass in either an X509Certificate2, a SigningCredential or a reference to a certificate from the certificate store.

    My code:

    Line from my configuration:

        services.AddIdentityServer()
            .AddSigningCredential(LoadCertificate());


    Extra method:

        using System.Security.Cryptography.X509Certificates;

        // Loads the persistent signing certificate (with its private key) from a .pfx file,
        // so the same key is used across restarts and across every container instance.
        private X509Certificate2 LoadCertificate()
        {
            return new X509Certificate2("../../certs/TestCertificate.pfx",
                "pass");
        }
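Building on the answer above, here is an added example (not code from the question or the answer) that loads the persistent signing certificate from a path and password handed to the container through environment variables, and fails fast at startup if the key is unusable. The variable names IDSRV_CERT_PATH and IDSRV_CERT_PASSWORD and the extension-method name are assumptions; the IdentityServer4 call is the same AddSigningCredential(X509Certificate2) overload the answer uses.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection;

public static class SigningCredentialExtensions
{
    // Use instead of AddDeveloperSigningCredential():
    //   services.AddIdentityServer().AddPersistentSigningCredential()...
    public static IIdentityServerBuilder AddPersistentSigningCredential(this IIdentityServerBuilder builder)
    {
        return builder.AddSigningCredential(LoadSigningCertificate());
    }

    private static X509Certificate2 LoadSigningCertificate()
    {
        // Hypothetical variable names: set them in docker-compose.yml or the container
        // environment, and mount the .pfx rather than baking it into the image.
        var path = Environment.GetEnvironmentVariable("IDSRV_CERT_PATH")
                   ?? throw new InvalidOperationException("IDSRV_CERT_PATH is not set.");
        var password = Environment.GetEnvironmentVariable("IDSRV_CERT_PASSWORD")
                   ?? throw new InvalidOperationException("IDSRV_CERT_PASSWORD is not set.");

        var cert = new X509Certificate2(path, password);

        // Without a private key IdentityServer can publish the key but never sign with it.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Signing certificate has no private key.");

        // An expired certificate is still a valid signing key for JWTs, but catching it at
        // startup is cheaper than discovering it during an incident.
        if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException("Signing certificate has expired.");

        // Reject short RSA keys; 2048 bits is a reasonable floor for RS256 signing.
        var rsa = cert.GetRSAPublicKey();
        if (rsa != null && rsa.KeySize < 2048)
            throw new InvalidOperationException("Signing key must be at least 2048 bits.");

        return cert;
    }
}
```

Because every image now signs with the same key, the API's cached discovery document stays valid after a container is rebuilt or redeployed from the registry.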