Tags: asp.net-core, oauth, oauth-2.0, identityserver4

How to validate x509 signing credentials with IdentityServer4


I have two .Net Core APIs - an authorization server that issues a JWT identity token using IdentityServer4, and a resource API that is protected and requires that token.

The auth server is using a self-signed x509 certificate (for now).

In the auth server I have something like this in ConfigureServices:

// Load the signing certificate (the path is a placeholder for the real file).
var certificate = new X509Certificate2("<path to my certificate>");
services.AddIdentityServer().AddSigningCredential(certificate);

But my understanding of how the resource API will validate the signing credentials is not clear.

All I have in ConfigureServices for the resource API is:

services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = "//MyAuthAPI";
    });

Should the resource API use the same certificate to validate the JWT token? Is that necessary?

If so, how should that be done?


Solution

  • Basically the ASP.Net Core middleware downloads the identity provider configuration from https://{yourDomain}/.well-known/openid-configuration, which is your options.Authority uri. If you actually navigate to the sub-url https://{yourDomain}/.well-known/openid-configuration/jwks, you will also see that the identity provider publishes the public key that it uses to sign the tokens.

    With the public key acquired, the middleware is able to verify that the tokens were indeed issued by the expected authority uri, using the headers (Authorize : Bearer {token}) included in the API requests and regular asymmetric encryption verification methods.
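To make the answer concrete, here is an added example (not code from the question or from IdentityServer4) that signs a token the way AddSigningCredential(certificate) does and then validates it using only the public key, which is all the resource API ever gets from the JWKS endpoint. It assumes the System.IdentityModel.Tokens.Jwt package and C# 9 top-level statements; the issuer and audience strings are placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

// Constructed, throw-away self-signed certificate standing in for the auth server's cert.
using var rsa = RSA.Create(2048);
var request = new CertificateRequest("CN=auth-demo", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
using var cert = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));

const string Issuer = "https://auth.example";   // placeholder for options.Authority
const string Audience = "resource-api";         // placeholder API resource name

// Auth server side: sign with the private key, which is what AddSigningCredential(certificate) sets up.
var signingKey = new X509SecurityKey(cert);
var handler = new JwtSecurityTokenHandler();
handler.InboundClaimTypeMap.Clear();            // keep "sub" as-is instead of mapping it to ClaimTypes.NameIdentifier
var token = handler.CreateJwtSecurityToken(
    issuer: Issuer,
    audience: Audience,
    subject: new ClaimsIdentity(new[] { new Claim("sub", "alice") }),
    expires: DateTime.UtcNow.AddMinutes(5),
    signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256));
string jwt = handler.WriteToken(token);

// Resource API side: only the public key, i.e. what is published at .well-known/openid-configuration/jwks.
// The private key never leaves the auth server, so the resource API does not need the certificate file.
var publicKey = new RsaSecurityKey(cert.GetRSAPublicKey()) { KeyId = signingKey.KeyId };
var parameters = new TokenValidationParameters
{
    ValidIssuer = Issuer,                 // token must come from the expected authority
    ValidAudience = Audience,             // and be intended for this API
    IssuerSigningKey = publicKey,
    ClockSkew = TimeSpan.FromMinutes(1),
};

ClaimsPrincipal principal = handler.ValidateToken(jwt, parameters, out _);
Console.WriteLine($"signature and claims valid, sub = {principal.FindFirst("sub")?.Value}");

// A token altered after signing must be rejected: flip one character of the signature segment.
string[] parts = jwt.Split('.');
char first = parts[2][0] == 'A' ? 'B' : 'A';
string tampered = parts[0] + "." + parts[1] + "." + first + parts[2].Substring(1);
try
{
    handler.ValidateToken(tampered, parameters, out _);
    Console.WriteLine("unexpected: tampered token accepted");
}
catch (SecurityTokenInvalidSignatureException)
{
    Console.WriteLine("tampered token rejected: signature does not verify with the published key");
}
```

The AddIdentityServerAuthentication middleware performs the same ValidateToken step, except that it fills IssuerSigningKeys from the JWKS document it fetched from options.Authority instead of from a local certificate.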