IdentityServer4 SigningCredential(RSA 憑證加密)實例詳解
- 零下一度原創
- 2018-05-22 16:08:073071瀏覽
IdentityServer4 預設提供了兩種憑證加密配置:
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddTemporarySigningCredential();
這兩種憑證加密方式,都是暫時使用,每次重新啟動專案的時候,都會重新產生一個新的證書,這時候就會導致一個問題,重啟之前產生的access_token,在重啟之後,就不適用了,因為證書改變了,對應的加密方式也改變了,所以,就會出現下面這個問題:
錯誤訊息:
Www-Authenticate:Bearer error="invalid_token", error_description="The signature key was not found"
解決方式,就是總是使用一個證書,我們先這樣配置:
services.AddIdentityServer()
.AddDeveloperSigningCredential();
可以查看下 AddDeveloperSigningCredential實作原始碼,啟動項目,IdentityServer4 會在專案目錄中產生一個tempkey.rsa憑證檔案:
{
"KeyId": "4e1765de45ef639261115198826dfea7",
"Parameters": {
"D": "FnB7kIinBgoZDaRqIrRQHEF45FBF9amOrTn8oFdmsxPqJbh11bHeCw11AtCCC4p1mm750onDXeP+yoBHymr/wNn40VmGdhR4hnObHhhw5pyQKECIS41DFDatCZif9uhDgHsOvYHMRVNSapDFoDUvbTE6t7rv4prn2fDt5mzRD9AqdT2HyTcwa/H1haaZNwmy3UevYYy8ya4kKXvjRo6+O7BMBh+yBvHgezQ57Ye/NfZfDMITs4djbqELrYVXCTMltNsWWhQtS62cqvKboxoiXfSm67u/li5Fdusc5Z2zsyt5rE/V8h/ffBvS9N9v0VoDTdFqLYkuul0DvTZ/pqXtMQ==",
"DP": "XQDf46csbwu/xX+jwo5VQQ8sKVlVBLuxSNTAbNS6O/aCg9eEjZ58EJ712JgqqORcDMg5JRejN3Zxxoij4roJogyvvw6QSws/H+UTmtuuudgT59OB1TyNGihMVSTLXaw4Kgdj8D8IK8v0okdFEpYugzIIFe1yl0lSzR7fkF+NKC0=",
"DQ": "4TvT9ujJ38sTluz0dUSIUD3NCWJOMDKOB/cL3RaDyMf/MTSxNFfWDuuW55F2P8mncHhqLuANcg2l3h8xom+1ucn+ve45JNoWja4fpWQ16rmijPc5yKRe0uAGEaXJiTAEvIxXG18zvNA8Fab+L2X1h+1r35ZLZFYj+EyhkqQ7u5k=",
"Exponent": "AQAB",
"InverseQ": "nTAEt8v+DlAn6h7Z1Ey1x4Z56OfOmCvY01nte4f3OuSmBXoEaTSoGsXScweAMoSGb0aOG1qpvErtY+JykREeLJxvm4P3DAHL5lJWvDKPvCWJOD9jfzhBUyIhCoqQ8EIHjFxBNKyNefAsVuKdH6R+ApuhpF8XVhR59zLawUQWLEg=",
"Modulus": "43j4tvNZy7IxuiDwZzWv9KiS5kSYIeBqEvQ7zkQmRT3IEsseiTv698iQx8qn+de8FeGFEa8O6igFU2VXqFyWJilTuPmeBPJxIMCqfxdxF+96giVSpN4rOFaH/V+IPNTQoYCLFwcUR2saFywUeKWpsRFhQCymsFIk3AlWu7jcqgKHrELsJpn5KVmedb6JZcVKMIfTrcY6hWQz2JNEhTOEI10ZVZ7ueEp2Q2+1/udvp47wPMhzriXJTFP7Y4ozU2THbuwIqCXM5DNBGUpEug0vlCAhwn6nvAo8e9fT0lpUzTd2T8wWzwuHkAgyjB0XTzSYR1fMJIKH1zDs25RqmlepgQ==",
"P": "9lGtQw9yXz4nbepESFDxAMfDlmiI9Gj3Q3FecKIgGVVi9WVr19lzBcszhsVybA8n1OyPXHdOyuSWOiVp69ibo5OOXLL4iWzY1VOouXeZrYimxNPvVKlRf8AsVcv3n/0/FEhwY9gnQm4PZYUGwQ96WZ5Z/CWJ9xTORg54Wh79hk0=",
"Q": "7Gmr/h33bM+9W4Ygh+tNh3/etECuT/RQ1LMS5uBXxXdvUl6wSm2+ec/CBRobxVHG2pDXdr0pegn0Yz4MprsLtS5KvFg6yopI3Y3TptTGNZPtbd1O7P4i6b+RNOYCq0Y99mkGofqAlAMnDG+SA2EJN2ugPjLelC7GWtfzNG5NMgU="
}
}AddDeveloperSigningCredential判斷tempkey.rsa憑證檔案是否存在,如果不存在的話,就建立一個新的tempkey.rsa憑證文件,如果存在的話,就使用此憑證檔案。
所以,我們設定的時候,傳遞一個tempkey.rsa憑證檔名,就可以了:
services.AddIdentityServer()
.AddDeveloperSigningCredential("tempkey.rsa");
當然,你也可以對tempkey.rsa憑證文件,進行重新命名操作。
參考資料:
The signature key was not found
IdentityServer4 Configuring services
-
#IdentityServer4 Cryptography, Keys and HTTPS
ASP.NET Core 實作OAuth2.0 的ResourceOwnerPassword 與ClientCredentials 模式
IdentityServerBuilderExtensionsCrypto.
以上是IdentityServer4 SigningCredential(RSA 憑證加密)實例詳解的詳細內容。更多資訊請關注PHP中文網其他相關文章!