证书是用于什么目的的?

huangapple go评论83阅读模式
英文:

What is the certificate required for?

问题

我非常了解证书的目的:无论是在一般情况下,还是在 IDS 下创建令牌的特定用途中。当我像这样连接我的 IDP 时:

services.AddIdentityServer()
  .AddConfigurationStore(Delegates.ConfigOptions(config))
  .AddOperationalStore(Delegates.OperationOptions(config))
  .AddSigningCredential(new X509Certificate2(path, pass));

或者这样:

services.AddIdentityServer()
  .AddConfigurationStore(Delegates.ConfigOptions(config))
  .AddOperationalStore(Delegates.OperationOptions(config))
  .AddDeveloperSigningCredential();

我让它工作了(开发凭据和签名凭据都有效)。意外地,我把它们全部注释掉,实际上应用了以下配置。

services.AddIdentityServer()
  .AddConfigurationStore(Delegates.ConfigOptions(config))
  .AddOperationalStore(Delegates.OperationOptions(config));

我本来期望没有令牌、无效的令牌、崩溃、异常等问题。但事实上,一切都运行顺利,我没有看到明显的问题。

现在,显然这是不对的。我错过了什么,忽略凭据的存在会导致什么问题呢?

英文:

I understand very well the purpose of certificates: both in a general case and in the specific usage for token creation under IDS. When I wire up my IDP like this:

services.AddIdentityServer()
  .AddConfigurationStore(Delegates.ConfigOptions(config))
  .AddOperationalStore(Delegates.OperationOptions(config))
  .AddSigningCredential(new X509Certificate2(path, pass));

or this:

services.AddIdentityServer()
  .AddConfigurationStore(Delegates.ConfigOptions(config))
  .AddOperationalStore(Delegates.OperationOptions(config))
  .AddDeveloperSigningCredential();

I get it to work (both dev creds and sign creds work). Accidentally, I commented out both of them, effectively applying the following config.

services.AddIdentityServer()
  .AddConfigurationStore(Delegates.ConfigOptions(config))
  .AddOperationalStore(Delegates.OperationOptions(config));

I had been expecting no tokens, invalid tokens, crashes, exceptions and what not. Instead, everything works smoothly and I see no evident problems.

Now, that can't be right, obviously. What am I missing and what bad thing have I caused by omitting the credentials to be present?!

答案1

得分: 1

这里发生的情况,我认为,是内置的自动密钥管理器开始运行并为您生成密钥。

您可以验证这一点,因为该模块会在~/keys目录中创建一个子文件夹。

关于自动密钥管理的文档在这里。

可以在这里禁用它:

AddSigningCredential 用于添加自定义签名密钥,而 AddDeveloperSigningCredential 用于让IdentityServer为开发生成测试密钥。

英文:

What happens, I think, is that the built-in automatic key manager kicks in and generates the keys for you.

You can verify this because this module creates a subfolder in ~/keys directory.

See the documentation here about the Automatic Key Management.

It can be disabled here:

AddSigningCredential is used to add a custom signing key and AddDeveloperSigningCredential is used to let IdentityServer generate a test key for development.

huangapple
  • 本文由 发表于 2023年2月19日 00:53:32
  • 转载请务必保留本文链接:https://go.coder-hub.com/75494873.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定