IdentityServer4: Disadvantages of using AddDeveloperSigningCredential() for API protection?

Created on 16 Oct 2020 · 3 Comments · Source: IdentityServer/IdentityServer4

If our only consumers of access_tokens are machines calling a protected API, and the access_tokens only have a TTL of 3600, what actual disadvantages are there of using AddDeveloperSigningCredential() instead of "real" keys? Single server only.

Have looked in the documentation but have not found any obvious disadvantages for our scenario by using AddDeveloperSigningCredential() but the method name is kind of scary.

question

All 3 comments

The main drawback of this method is the key storage location - and that it never gets rotated.

From a crypto point of view, the key is totally fine.

Thanks. Since the TTL is only 3600 I guess that key rotation perhaps isn't as important as in other more typical scenarios with more long-lived tokens.

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
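
The two drawbacks named in the answer above (key storage location and no rotation), shown as a startup configuration. This is an added example, not code from the thread or the IdentityServer4 project; the `Signing:*` configuration keys, the `FindCertificate` helper and the choice of the current user's certificate store are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // Existing client/resource registration is chained here unchanged.
        var builder = services.AddIdentityServer();

        // Before: key is generated once, written to a file next to the app, never rotated.
        // builder.AddDeveloperSigningCredential();

        // After: the active signing key comes from the certificate store.
        // "Signing:*" are hypothetical configuration keys for this example.
        builder.AddSigningCredential(
            FindCertificate(_config["Signing:CurrentThumbprint"], needPrivateKey: true));

        // During a rotation, keep publishing the retired key so tokens signed
        // with it still validate until they expire (3600 s in the question).
        var previous = _config["Signing:PreviousThumbprint"];
        if (!string.IsNullOrEmpty(previous))
            builder.AddValidationKey(FindCertificate(previous, needPrivateKey: false));
    }

    private static X509Certificate2 FindCertificate(string thumbprint, bool needPrivateKey)
    {
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new InvalidOperationException("Signing certificate thumbprint is not configured.");

        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        // validOnly: false because token-signing certificates are often self-signed.
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (found.Count == 0)
            throw new InvalidOperationException($"Certificate {thumbprint} not found.");
        if (needPrivateKey && !found[0].HasPrivateKey)
            throw new InvalidOperationException($"Certificate {thumbprint} has no private key.");
        return found[0];
    }
}
```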
