Do you use Automatic Key management with Duende IdentityServer?

Updated by Brady Stroud [SSW] 4 years ago. See history

123
No component provided for introEmbed
services.AddIdentityServer()
    .AddInMemoryClients(new List<Client>())
    .AddInMemoryIdentityResources(new List<IdentityResource>())
    .AddInMemoryApiResources(new List<ApiResource>())
    .AddInMemoryApiScopes(new List<ApiScope>())
    .AddTestUsers(new List<TestUser>())
    .AddDeveloperSigningCredential();

❌ Figure: Figure: Bad example - you don't need to use `.AddDevelopersSigningCredential()` anymore

When using version 5, instead of using IdentityServer4.AccessTokenValidation(), you should use the out of the box AddAuthentication(("Bearer").AddJwtBearer("Bearer") from .NET 5

services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication("Bearer", options =>
    {
        options.ApiName = "api1";
        options.Authority = "https://localhost:5000";
    });

❌ Figure: Figure: Bad example - don't use `IdentityServer4.AccessTokenValidation` package as it is deprecated.

services.AddAuthentication("Bearer")
  .AddJwtBearer("Bearer", options =>
    {
      options.Audience = "api1";
      options.Authority = "https://localhost:5000";
    });

✅ Figure: Figure: Good example - use `AddJwtBearer("Bearer")` instead

Categories

Rules to Better Security

Acknowledgements

Anthony Nguyen
William Liebenberg
Matt Goldman
Related rules

Need help?

SSW Consulting has over 30 years of experience developing awesome software solutions.

We open source.Loving SSW Rules? Star us on GitHub. Star