In this case, what is the signing key used for and/or why is it required?
As explained in the post you mentioned, the signing key is only used to sign the JWT tokens issued by OpenIddict (which includes the identity tokens + the access tokens if you opted for JWT).
If you want to replicate the "ephemeral encryption/validation key" scenario with the default token format, you can ask OpenIddict to use an ephemeral data protector:
public class Startup
{
    // A single provider instance, shared by the OpenIddict server and the
    // validation middleware so both sides use the same (in-memory) key.
    private readonly IDataProtectionProvider _provider =
        new EphemeralDataProtectionProvider();

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddOpenIddict(options =>
        {
            // ...
            options.UseDataProtectionProvider(_provider);
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseOAuthValidation(options =>
        {
            options.DataProtectionProvider = _provider;
        });

        app.UseOpenIddict();
    }
}
You can also override the Data Protection options to use an ephemeral data protector for your entire application:
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Applies to every consumer of Data Protection in the app, not only OpenIddict.
        services.AddDataProtection()
            .UseEphemeralDataProtectionProvider();

        services.AddOpenIddict();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseOAuthValidation();
        app.UseOpenIddict();
    }
}
It's worth noting that the signing key requirement was relaxed in the recent bits: registering a certificate or an ephemeral key is no longer necessary, except if you decide to use JWT access tokens or enable the implicit flow. So if you're using the password flow, adding a key is no longer mandatory.
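As an added illustration (not code from the answer above or from OpenIddict), the following shows the operational consequence of the ephemeral provider: a token protected by one EphemeralDataProtectionProvider instance cannot be unprotected by another, which is why the first snippet shares a single instance between the server and the validation middleware, and why such tokens stop validating after a restart or on a second server. The purpose string and payload are constructed values.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public static class EphemeralKeyDemo
{
    // Constructed purpose string for the demo; not OpenIddict's real purpose.
    private const string Purpose = "demo:access_token";

    // Same provider instance: the protected payload round-trips.
    public static bool SameInstanceRoundTrips()
    {
        var provider = new EphemeralDataProtectionProvider();
        var protector = provider.CreateProtector(Purpose);
        string token = protector.Protect("sub=alice");
        return protector.Unprotect(token) == "sub=alice";
    }

    // A second instance (a restarted process, or another node behind a load
    // balancer) holds a different random master key, so unprotect fails.
    public static bool OtherInstanceRejects()
    {
        var issuer = new EphemeralDataProtectionProvider();
        var validator = new EphemeralDataProtectionProvider();
        string token = issuer.CreateProtector(Purpose).Protect("sub=alice");
        try
        {
            validator.CreateProtector(Purpose).Unprotect(token);
            return false; // only reachable if the key were shared, which it is not
        }
        catch (CryptographicException)
        {
            return true; // expected: the key id is unknown to this instance
        }
    }

    public static void Main()
    {
        Console.WriteLine($"same instance round-trips: {SameInstanceRoundTrips()}");
        Console.WriteLine($"other instance rejects:    {OtherInstanceRejects()}");
    }
}
```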