Do you use Automatic Key management with Duende IdentityServer?

Updated by Brady Stroud [SSW] 4 years ago.


When using IdentityServer 5 (aka Duende IdentityServer), you no longer need to call `AddDeveloperSigningCredential()`, because automatic key management is enabled by default.

```csharp
services.AddIdentityServer()
    .AddInMemoryClients(new List<Client>())
    .AddInMemoryIdentityResources(new List<IdentityResource>())
    .AddInMemoryApiResources(new List<ApiResource>())
    .AddInMemoryApiScopes(new List<ApiScope>())
    .AddTestUsers(new List<TestUser>())
    .AddDeveloperSigningCredential();
```

❌ Figure: Bad example - you don't need to use `.AddDeveloperSigningCredential()` anymore

When using version 5, instead of the `IdentityServer4.AccessTokenValidation` package, you should use the out-of-the-box `AddAuthentication("Bearer").AddJwtBearer("Bearer")` from .NET 5.

```csharp
services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication("Bearer", options =>
    {
        options.ApiName = "api1";
        options.Authority = "https://localhost:5000";
    });
```

❌ Figure: Bad example - don't use the `IdentityServer4.AccessTokenValidation` package as it is deprecated.

```csharp
services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", options =>
    {
        options.Audience = "api1";
        options.Authority = "https://localhost:5000";
    });
```

✅ Figure: Good example - use `AddJwtBearer("Bearer")` instead
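
The following is an added example, not part of the original rule: a fuller .NET 5 `Startup` for the API that keeps the `AddJwtBearer("Bearer")` settings above and adds token-type and scope checks. It assumes the `Microsoft.AspNetCore.Authentication.JwtBearer` package, an IdentityServer API resource and scope both named `api1`, and a policy name `ApiScope` chosen for illustration.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        services.AddAuthentication("Bearer")
            .AddJwtBearer("Bearer", options =>
            {
                // Same values as the good example above.
                options.Authority = "https://localhost:5000";
                // Assumption: IdentityServer defines an API resource "api1",
                // so access tokens carry aud = "api1".
                options.Audience = "api1";

                // Accept only JWTs typed as access tokens ("at+jwt"), so an
                // identity token from the same issuer is rejected by the API.
                options.TokenValidationParameters.ValidTypes = new[] { "at+jwt" };
            });

        // "ApiScope" is a policy name assumed for this example.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("ApiScope", policy =>
            {
                policy.RequireAuthenticatedUser();
                // Assumption: the API scope is also named "api1".
                policy.RequireClaim("scope", "api1");
            });
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            // Every controller endpoint requires a valid token with the scope.
            endpoints.MapControllers().RequireAuthorization("ApiScope");
        });
    }
}
```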
