Rules

Secret ingredients to quality software

Edit
Info

Do you use Automatic Key management with Duende IdentityServer?


When using IdentityServer 5 (aka Duende IdentityServer), you don't need to use UseDeveloperSigningCredentials() anymore as it is now enabled by default.

services.AddIdentityServer()
    .AddInMemoryClients(new List<Client>())
    .AddInMemoryIdentityResources(new List<IdentityResource>())
    .AddInMemoryApiResources(new List<ApiResource>())
    .AddInMemoryApiScopes(new List<ApiScope>())
    .AddTestUsers(new List<TestUser>())
    .AddDeveloperSigningCredential();

Figure: Bad example - you don't need to use .AddDevelopersSigningCredential() anymore

When using version 5, instead of using IdentityServer4.AccessTokenValidation(), you should use the out of the box AddAuthentication(("Bearer").AddJwtBearer("Bearer") from .NET 5

services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication("Bearer", options =>
    {
        options.ApiName = "api1";
        options.Authority = "https://localhost:5000";
    });

Figure: Bad example - don't use IdentityServer4.AccessTokenValidation package as it is deprecated.

services.AddAuthentication("Bearer") 
  .AddJwtBearer("Bearer", options =>
    {
      options.Audience = "api1";
      options.Authority = "https://localhost:5000";
    });

Figure: Good example - use AddJwtBearer("Bearer") instead

Anthony NguyenAnthony Nguyen
William LiebenbergWilliam Liebenberg
Matt GoldmanMatt Goldman

We open source. This page is on GitHub