Aspnetcore: Let developers configure SigningCredentials in code instead of config

Created on 14 Nov 2019 · 10 Comments · Source: dotnet/aspnetcore

Is your feature request related to a problem? Please describe.

I am trying to host an ASP.NET Core 3.0 WebAPI inside a Linux Docker container in Azure App Service.

I am using the new extension method AddApiAuthorization on the IdentityServerBuilder. And I would like to configure my SigningCredentials in code instead of loading a certificate from the Certificate store.

By looking at the source code I gathered that my issue arises in the Configure method of ConfigureSigningCredentials.cs - The configure method calls this.LoadKey under all circumstances.

https://github.com/aspnet/AspNetCore/blob/v3.0.0/src/Identity/ApiAuthorization.IdentityServer/src/Configuration/ConfigureSigningCredentials.cs

Describe the solution you'd like

Would it work if we modified the Configure method to look something like:

public void Configure(ApiAuthorizationOptions options)
{
    if(options.SigningCredential == null)
    {
        var key = LoadKey();
        options.SigningCredential = key;
    }
}

area-mvc bug

All 10 comments

@LordLyng thanks for contacting us.

This is already possible. You can achieve it in two different ways.

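// Option 1: pass the configuration delegate to AddApiAuthorization
services.AddIdentityServer()
   .AddApiAuthorization(options => options.SigningCredential = /* Your logic here */);

// Option 2: configure ApiAuthorizationOptions separately
services.AddIdentityServer()
   .AddApiAuthorization();

services.Configure<ApiAuthorizationOptions>(o => o.SigningCredential = /* Your logic here */);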

I'm closing this issue as the question has been answered. If the suggestions we've provided don't work for some reason, add a comment to this issue and we'll re-evaluate it based on the new information.

Wow that was a fast response. Thanks a lot!

It would seem that the DI calls Configure on ConfigureSigningCredentials.cs even though I configure my own signing credentials, effectively overriding the one I provide in AddApiAuthorization. Maybe through the AddSigningCredentials call inside AddApiAuthorization.

Am I wrong?

Further, it would seem that calling Configure after calling AddApiAuthorization is forcing you to have an unused IdentityServer key element in your configuration, otherwise IdentityServer will throw key type not found.

@LordLyng Yep, you are right.

This is a bug, as it will fail if you have nothing in config.

@LordLyng For now I think you could work around it by just saying "Development" on the key type and then using services.Configure to override it.
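
The workaround from the comment above, written out as an added example for 3.x (not part of the original thread and not code from dotnet/aspnetcore). The helper name `AddApiAuthorizationWithCodeKey` and the environment variables `SIGNING_PFX_PATH` and `SIGNING_PFX_PASSWORD` are assumptions made for illustration:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using IdentityServer4.EntityFramework.Interfaces;
using Microsoft.AspNetCore.ApiAuthorization.IdentityServer;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class CodeConfiguredSigningKey
{
    // Hypothetical helper. On 3.x, configuration must still contain
    // "IdentityServer": { "Key": { "Type": "Development" } } (the workaround above).
    public static IServiceCollection AddApiAuthorizationWithCodeKey<TUser, TContext>(
        this IServiceCollection services)
        where TUser : class
        where TContext : DbContext, IPersistedGrantDbContext
    {
        services.AddIdentityServer()
            .AddApiAuthorization<TUser, TContext>();

        // Registered after AddApiAuthorization, so this delegate runs after the
        // built-in key loading and replaces the development key.
        services.Configure<ApiAuthorizationOptions>(
            options => options.SigningCredential = LoadSigningCredential());
        return services;
    }

    private static SigningCredentials LoadSigningCredential()
    {
        // Assumed environment variables, e.g. populated from a mounted secret.
        var path = Environment.GetEnvironmentVariable("SIGNING_PFX_PATH")
            ?? throw new InvalidOperationException("SIGNING_PFX_PATH is not set.");
        var password = Environment.GetEnvironmentVariable("SIGNING_PFX_PASSWORD");

        var certificate = new X509Certificate2(path, password);

        // Fail fast rather than sign tokens with an unusable key.
        if (!certificate.HasPrivateKey)
            throw new InvalidOperationException("Signing certificate has no private key.");
        var now = DateTime.Now; // NotBefore/NotAfter are expressed in local time
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new InvalidOperationException("Signing certificate is outside its validity period.");

        return new X509SigningCredentials(certificate);
    }
}
```

Call it from ConfigureServices as `services.AddApiAuthorizationWithCodeKey<ApplicationUser, ApplicationDbContext>()`, where both type names stand in for the application's own user and context types.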

We've moved this issue to the Backlog milestone. This means that it is not going to happen for the coming release. We will reassess the backlog following the current release and consider this item at that time. However, keep in mind that there are many other high priority features with which it will be competing for resources.

So we still have to use the "Development" workaround for a whole other release? It feels odd to have to deploy stuff to production that runs as development and then code runs right after to switch it to w/e we want..

@mkArtakMSFT let's reconsider this.

The fix is trivial here.

This was fixed in 5.0
