
I created an ASP.NET Core 2.2 application with DefaultIdentity using OpenIddict with the Implicit flow. This application runs in a Docker container. I am trying to use the AddDevelopmentSigningCertificate() option for my development environment.

    services.AddOpenIddict()
        .AddCore(options =>
        {
            // Persist applications, authorizations, scopes and tokens with EF Core.
            options.UseEntityFrameworkCore()
                   .UseDbContext<ApplicationDbContext>();
        })
        .AddServer(options =>
        {
            options.UseMvc();
            options.EnableAuthorizationEndpoint("/connect/authorize");
            options.RegisterScopes(OpenIdConnectConstants.Scopes.Email,
                                   OpenIdConnectConstants.Scopes.Profile,
                                   OpenIddictConstants.Scopes.Roles);
            options.AllowImplicitFlow();
            // Development only: allow plain HTTP between the containers.
            options.DisableHttpsRequirement();
            // Development only: generate a self-signed signing certificate
            // instead of configuring a real signing key.
            options.AddDevelopmentSigningCertificate();
            options.UseJsonWebTokens();
        })
        .AddValidation();

Then I have an ASP.NET Core 2.2 Web API application also running in a Docker container. I am using Swagger via Swashbuckle and JWT Bearer Authentication.

    // Keep the raw JWT claim names (e.g. "sub", "role") instead of mapping them
    // to the long Microsoft claim-type URIs.
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
    JwtSecurityTokenHandler.DefaultOutboundClaimTypeMap.Clear();

    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    }).AddJwtBearer(options =>
    {
        // The handler downloads {Authority}/.well-known/openid-configuration and
        // the signing keys it advertises; tokens are validated against that key set.
        options.Authority = identityUrl;
        // Development only: the identity server is reached over plain HTTP.
        options.RequireHttpsMetadata = false;
        options.Audience = "supplier-service";
    });

(identityUrl is the URL of the Authorization Server Docker container)

But I am getting the following error:

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match keys: kid: '[PII is hidden]', token: '[PII is hidden]'.

What am I missing or what am I doing wrong?

The exception you get indicates that the JWT bearer handler was unable to find the security key used to sign the access token in the OIDC discovery document. In this case, I suspect the X.509 certificate initially generated by OpenIddict was not persisted and thus not exposed and reused after a restart of your Docker container. Make sure the X.509 store used by .NET Core (~/.dotnet/corefx/cryptography/x509stores on Linux) points to a persistent folder. - Kévin Chalet
I looked in the running container of my identity server. I checked your path and I found the .pfx certificate under ~/.dotnet/corefx/cryptography/x509stores/my. I assume this is the one that OpenIddict generated. Why isn't it finding the security key? - Palmi
Sorry. It was my fault. The authority url was wrong. But thanks for the clarification about the path of the certificate inside the docker container. That is good to know - Palmi
Glad you solved your issue! - Kévin Chalet

1 Answer


The URL for the Authority option of AddJwtBearer was wrong, in case somebody gets the same misleading error message.
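The IDX10501 message above says exactly one thing: the `kid` in the token header is not among the keys the handler downloaded from the Authority's discovery document. The quickest way to tell a wrong Authority URL apart from a lost development certificate is to do that comparison by hand. The script below is an added example, not code from the original post or from OpenIddict; the authority URLs, discovery documents, JWKS contents and the unsigned sample token are all constructed here. It decodes the JWT header (without verifying the signature, so it is a diagnostic and must never be used for authorization), resolves `{Authority}/.well-known/openid-configuration` and its `jwks_uri`, and reports whether the `kid` and the `iss` claim line up with what that Authority advertises.

```python
import base64
import json
import urllib.request
from typing import Callable, Dict, Optional

# --- constructed sample data (not from the original post) --------------------
# The "right" identity server exposes the development signing certificate;
# the "wrong" one is an unrelated server at the URL the API was pointed at.
RIGHT_AUTHORITY = "https://identity.example.test"
WRONG_AUTHORITY = "https://identity-wrong.example.test"

SAMPLE_DOCS: Dict[str, dict] = {
    f"{RIGHT_AUTHORITY}/.well-known/openid-configuration": {
        "issuer": RIGHT_AUTHORITY,
        "jwks_uri": f"{RIGHT_AUTHORITY}/.well-known/jwks",
    },
    f"{RIGHT_AUTHORITY}/.well-known/jwks": {
        "keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                  "kid": "DEV-SIGNING-CERT-1", "e": "AQAB", "n": "constructed-modulus"}],
    },
    f"{WRONG_AUTHORITY}/.well-known/openid-configuration": {
        "issuer": WRONG_AUTHORITY,
        "jwks_uri": f"{WRONG_AUTHORITY}/.well-known/jwks",
    },
    f"{WRONG_AUTHORITY}/.well-known/jwks": {
        "keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                  "kid": "OTHER-SERVER-KEY", "e": "AQAB", "n": "constructed-modulus"}],
    },
}

Fetcher = Callable[[str], Optional[dict]]


def fetch_sample(url: str) -> Optional[dict]:
    """Offline fetcher over the constructed documents; None = unreachable."""
    return SAMPLE_DOCS.get(url)


def fetch_http(url: str, timeout: float = 5.0) -> Optional[dict]:
    """Real fetcher for use against a running identity server."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.load(resp)
    except (OSError, ValueError):
        return None


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(kid: str, issuer: str, audience: str) -> str:
    """Constructed token with a dummy signature; only header/claims matter here."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    payload = {"iss": issuer, "aud": audience, "sub": "constructed-user"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"not-a-real-signature")])


def diagnose(token: str, authority: str, fetch: Fetcher = fetch_http) -> dict:
    """Explain an IDX10501 by comparing the token with what `authority` advertises."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    result = {"kid": header.get("kid"), "issuer_in_token": payload.get("iss")}

    discovery = fetch(authority.rstrip("/") + "/.well-known/openid-configuration")
    if discovery is None:
        # The bearer handler would fail before ever seeing any keys.
        result["status"] = "discovery-unreachable"
        return result

    jwks = fetch(discovery["jwks_uri"]) or {"keys": []}
    result["known_kids"] = [k.get("kid") for k in jwks.get("keys", [])]
    result["issuer_matches"] = discovery.get("issuer") == payload.get("iss")

    if result["kid"] not in result["known_kids"]:
        result["status"] = "kid-not-found"      # this is what IDX10501 reports
    elif not result["issuer_matches"]:
        result["status"] = "issuer-mismatch"    # key found, but iss validation would fail
    else:
        result["status"] = "ok"
    return result


SAMPLE_TOKEN = make_unsigned_token("DEV-SIGNING-CERT-1", RIGHT_AUTHORITY, "supplier-service")

if __name__ == "__main__":
    for authority in (RIGHT_AUTHORITY, WRONG_AUTHORITY, "http://localhost:5000"):
        print(authority, "->", diagnose(SAMPLE_TOKEN, authority, fetch_sample))
```

Run it with `fetch_http` and a real token against the value you put in `options.Authority`: `kid-not-found` with a key set that is empty or lists only other `kid`s points at the wrong Authority or at a development certificate regenerated after a container restart (compare the `kid` with what the identity container's discovery document lists), while `discovery-unreachable` means the API container cannot resolve the Authority URL at all. An `issuer-mismatch` shows up when the token was issued through one hostname (for example the Docker service name) and the API validates through another, which the bearer handler also rejects.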