IdentityServer4 not working in production
If you want to use a *.pfx:
"Key": {
  "Type": "File",
  "FilePath": "certificate.pfx",
  "Password": "password:!"
}
And read this thread if you have this error: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist
So I was able to solve my issues using this piece of documentation: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity-api-authorization?view=aspnetcore-3.0#example-deploy-to-azure-websites
I had to enable "Copy if newer" in the appsettings.json properties so that it would get copied to the build folder.
I also added the following to the appsettings.json file:
"IdentityServer": {
  "Clients": {
    "Client": { "Profile": "IdentityServerSPA" }
  },
  "Key": {
    "Type": "Store",
    "StoreName": "My",
    "StoreLocation": "LocalMachine",
    "Name": "CN=SigningCertificate"
  }
}
Now the Key.Type is specified, which means that we can just add the following to Startup.cs:
// Configure IdentityServer4
var identityBuilder = services.AddIdentityServer();
identityBuilder.AddApiAuthorization<ApplicationUser, ApplicationDbContext>();
// Outside Development, register the signing credential described by IdentityServer:Key
if (!Environment.IsDevelopment())
    identityBuilder.AddSigningCredentials();
I still do not understand why other people are not experiencing this issue, since I am not able to find any other threads on it and the regular way seems to work for everyone else. The only downside is that I now need to install the certificate on the machine instead of getting it as a file.
Here is how I solved it in Docker for Blazor WebAssembly. My answer is mostly based on this thread. Keep in mind that, although it works, it may not be production-ready, nor safe. I know little about IdentityServer.
appsettings.json:
"IdentityServer": {
  //[...]
  "Key": {
    "Type": "File",
    "FilePath": "/path_to_certificate_here/server.pfx",
    "Password": "password_specified_later"
  }
}
FilePath is where you physically placed your certificate (generated in the next step of this answer). Password is configured while generating the certificate.
Generating certificate:
Source. This might not be production-ready either.
$ openssl genrsa 2048 > server_private.pem
$ openssl req -x509 -days 1000 -new -key server_private.pem -out server_public.pem
$ openssl pkcs12 -export -in server_public.pem -inkey server_private.pem -out server.pfx
Keep in mind that the certificate will expire (the -days attribute in the 2nd command).
Working with Docker
There are some answers advising to include the certificate in the build folder or keep it with the project source code. I personally don't think it's a good idea. I generate certificates manually on my server in a separate folder, then create a Docker volume pointing to the folder where I placed them.
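As an added example (not code from any of the answers above, and not part of IdentityServer), a C# startup check for the File-type Key configuration: it confirms the pfx is present at the configured path, carries a private key, and is not about to expire, which is the -days caveat from the openssl step. The SigningKeyCheck class, the 30-day threshold and the MachineKeySet flag are this example's own assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;

// Hypothetical startup check: loads the pfx named in IdentityServer:Key and
// fails fast if it is unusable, instead of failing at the first token request.
public static class SigningKeyCheck
{
    public static X509Certificate2 LoadAndValidate(IConfiguration configuration, int minDaysLeft = 30)
    {
        var key = configuration.GetSection("IdentityServer:Key");
        if (!string.Equals(key["Type"], "File", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("This check only covers Key:Type = \"File\".");

        var path = key["FilePath"];
        if (string.IsNullOrEmpty(path) || !File.Exists(path))
            throw new FileNotFoundException(
                $"Signing certificate not found at '{path}'. Check the Docker volume mount or the 'Copy if newer' setting.");

        // On Windows, without MachineKeySet the private key is imported into the current
        // user's key store, which a service account without a loaded profile may not open.
        // Exportable is deliberately not requested: signing does not need it.
        var cert = new X509Certificate2(path, key["Password"], X509KeyStorageFlags.MachineKeySet);

        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                $"'{cert.Subject}' has no private key; IdentityServer cannot sign tokens with it.");

        // Expiry check: a signing certificate that lapses silently breaks every token issued after it.
        var daysLeft = (cert.NotAfter.ToUniversalTime() - DateTime.UtcNow).TotalDays;
        if (daysLeft < minDaysLeft)
            throw new InvalidOperationException(
                $"'{cert.Subject}' expires in {daysLeft:F0} days (NotAfter {cert.NotAfter:u}); renew it before deploying.");

        return cert;
    }
}

// Usage in Startup.ConfigureServices, before services.AddIdentityServer():
//   if (!Environment.IsDevelopment()) SigningKeyCheck.LoadAndValidate(Configuration);
```

The check only validates; the existing IdentityServer:Key section still registers the credential, so nothing is configured twice.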