I'm using IdentiyServer4 to generate token, I'm using AddDeveloperSigningCredential() method who generate my RSA key with a KeyId. But, in production, I'm using AddSigningCredential(CreateSigningCredential()), to generate key like this :

 private SigningCredentials CreateSigningCredential()
        {
            var signinkey = new RsaSecurityKey(RSA.Create());
            signinkey.KeyId = "abcdefghijklmnopqrstuvwxyz";//How to generate KeyId ??
            var credentials = new SigningCredentials(signinkey,
                SecurityAlgorithms.RsaSha256);

            return credentials;
        }

How I generate KeyId ? I can set whatever ?

Thanks for help

CodePudding user response：

You don't need to set the keyId and also creating the RSA key youself in code, sounds like bad practice. Then you can just as well use the AddDeveloperSigningCredential method.

You can actually look at the source for that method here to see how they do it in code: https://github.com/DuendeSoftware/IdentityServer/blob/main/src/IdentityServer/Configuration/DependencyInjection/BuilderExtensions/Crypto.cs

But, in production you should generate the key externally and pass it in to IdentityServer, so the key is the same across redeployment/restarts. Otherwise previously issued tokens will not be valid anymore.

You can for example store the key in Azure Key Vault, or using some other configuration/secret system. Or in a database or as a file somewhere.

If you want to create one manually, using OpenSSL, then you can write

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes256 -out rsa-private-key.pem