What is the certificate required for?

Question
I understand very well the purpose of certificates: both in a general case and in the specific usage for token creation under IDS. When I wire up my IDP like this:
services.AddIdentityServer()
.AddConfigurationStore(Delegates.ConfigOptions(config))
.AddOperationalStore(Delegates.OperationOptions(config))
.AddSigningCredential(new X509Certificate2(path, pass));
or this:
services.AddIdentityServer()
.AddConfigurationStore(Delegates.ConfigOptions(config))
.AddOperationalStore(Delegates.OperationOptions(config))
.AddDeveloperSigningCredential();
I get it to work (both dev creds and sign creds work). Accidentally, I commented out both of them, effectively applying the following config.
services.AddIdentityServer()
.AddConfigurationStore(Delegates.ConfigOptions(config))
.AddOperationalStore(Delegates.OperationOptions(config));
I had been expecting no tokens, invalid tokens, crashes, exceptions and what not. Instead, everything works smoothly and I see no evident problems.
Now, that can't be right, obviously. What am I missing and what bad thing have I caused by omitting the credentials?!

Answer 1
Score: 1
What happens, I think, is that the built-in automatic key manager kicks in and generates the keys for you.
You can verify this because this module creates a subfolder in the ~/keys directory.
See the documentation here about Automatic Key Management.
It can be disabled here:
AddSigningCredential is used to add a custom signing key and AddDeveloperSigningCredential is used to let IdentityServer generate a test key for development.
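The answer's point, that automatic key management silently takes over when no credential is registered, is easiest to see by making the choice explicit in the wiring and logging which key ends up signing tokens. The Program.cs below is an added example, not code from the question, the answer or Duende IdentityServer itself; it assumes Duende IdentityServer 5 or later (where IdentityServerOptions.KeyManagement exists), an ASP.NET Core project with implicit usings, the question's own Delegates helpers, and configuration keys Signing:Mode, Signing:CertPath, Signing:CertPassword and Signing:KeyPath that are invented here for illustration.

```csharp
// Program.cs: added example, not code from the question or the answer.
// Assumptions: Duende IdentityServer 5 or later (IdentityServerOptions.KeyManagement exists),
// an ASP.NET Core project with implicit usings, the question's own Delegates.* helpers, and
// configuration keys Signing:Mode / Signing:CertPath / Signing:CertPassword / Signing:KeyPath
// that are chosen here for illustration.
using System.Security.Cryptography.X509Certificates;
using Duende.IdentityServer.Stores;

var builder = WebApplication.CreateBuilder(args);
var config = builder.Configuration;

// "Certificate": operator-provisioned X.509 key; "Automatic": IdentityServer-managed keys;
// "Developer": throwaway key, only allowed in the Development environment.
var mode = config["Signing:Mode"] ?? "Certificate";

var ids = builder.Services.AddIdentityServer(options =>
{
    // This switch is what made the question's "no credential" configuration work: when it is
    // enabled (the default) and nothing is registered, IdentityServer generates and rotates
    // its own keys under KeyPath (default: ~/keys). Enable it only when that is the intent,
    // so that a missing certificate fails loudly instead of being replaced by a generated key.
    options.KeyManagement.Enabled = mode == "Automatic";
    // For automatic management, pin the key store to persistent, access-controlled storage
    // instead of the service account's home directory.
    options.KeyManagement.KeyPath = config["Signing:KeyPath"] ?? "/var/lib/idsrv/keys";
})
.AddConfigurationStore(Delegates.ConfigOptions(config))
.AddOperationalStore(Delegates.OperationOptions(config));

switch (mode)
{
    case "Certificate":
    {
        var certPath = config["Signing:CertPath"]
            ?? throw new InvalidOperationException("Signing:CertPath is required in Certificate mode.");
        ids.AddSigningCredential(new X509Certificate2(certPath, config["Signing:CertPassword"]));
        break;
    }
    case "Automatic":
        // Nothing to register: keys come from the automatic key manager configured above.
        break;

    case "Developer" when builder.Environment.IsDevelopment():
        ids.AddDeveloperSigningCredential();
        break;

    default:
        throw new InvalidOperationException($"Unsupported or disallowed signing mode '{mode}'.");
}

var app = builder.Build();

// Startup check: resolve the key IdentityServer will actually sign with and log its id.
// For an X.509 credential the key id is the certificate thumbprint, so a generated key
// showing up here instead of the expected thumbprint is immediately visible.
using (var scope = app.Services.CreateScope())
{
    var store = scope.ServiceProvider.GetRequiredService<ISigningCredentialStore>();
    var creds = await store.GetSigningCredentialsAsync();
    app.Logger.LogInformation("Signing mode {Mode}, key id {Kid}, algorithm {Alg}",
        mode, creds.Key.KeyId, creds.Algorithm);
}

app.UseIdentityServer();
app.Run();
```

Run with Signing:Mode set to "Automatic" and the startup log will show a key id that matches nothing you provisioned, while the subfolder under the key path (the ~/keys directory the answer mentions, unless KeyPath is overridden) appears on first use; the same keys are published at the discovery document's jwks endpoint. Run with "Certificate" and the logged key id is the thumbprint of the certificate you loaded, and leaving the path out now fails at startup instead of quietly working.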