Do you use Automatic Key management with Duende IdentityServer?

When using IdentityServer 5 (aka Duende IdentityServer), you don't need to use UseDeveloperSigningCredentials() anymore as it is now enabled by default.

services.AddIdentityServer()
    .AddInMemoryClients(new List<Client>())
    .AddInMemoryIdentityResources(new List<IdentityResource>())
    .AddInMemoryApiResources(new List<ApiResource>())
    .AddInMemoryApiScopes(new List<ApiScope>())
    .AddTestUsers(new List<TestUser>())
    .AddDeveloperSigningCredential();

Figure: Bad example - you don't need to use .AddDevelopersSigningCredential() anymore

When using version 5, instead of using IdentityServer4.AccessTokenValidation(), you should use the out of the box AddAuthentication(("Bearer").AddJwtBearer("Bearer") from .NET 5

services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication("Bearer", options =>
    {
        options.ApiName = "api1";
        options.Authority = "https://localhost:5000";
    });

Figure: Bad example - don't use IdentityServer4.AccessTokenValidation package as it is deprecated.

services.AddAuthentication("Bearer") 
  .AddJwtBearer("Bearer", options =>
    {
      options.Audience = "api1";
      options.Authority = "https://localhost:5000";
    });

Figure: Good example - use AddJwtBearer("Bearer") instead

Security

Do you use Automatic Key management with Duende IdentityServer?

Authors

Categories

Authors

Categories