Add section about setting up the IdentityServer key in production #27989

Closed
DrewBrasher opened this issue Dec 30, 2022 · 9 comments

Comments

@DrewBrasher

I created a Blazor WebAssembly hosted app with individual authentication using the template in Visual Studio. It works fine running the app in Visual Studio, but after I deploy it to an Ubuntu server I get this error: "No signing credential is configured by the 'IdentityServer:Key' configuration section."

The appsettings.json section generated by the template is:

  "IdentityServer": {
    "Clients": {
      "Bledger.Client": {
        "Profile": "IdentityServerSPA"
      }
    }
  }

It would be helpful if the documentation for deploying to a Linux server would include how to create the credentials and configure the appsettings section.



@dotnet-bot dotnet-bot added ⌚ Not Triaged Source - Docs.ms Docs Customer feedback via GitHub Issue labels Dec 30, 2022
@guardrex guardrex self-assigned this Dec 30, 2022
@guardrex
Collaborator

@dotnet dotnet deleted a comment from github-actions bot Dec 30, 2022
@guardrex
Collaborator

guardrex commented Dec 30, 2022

I might not have fully understood your ask, per your remark ...

> create the credentials and configure the appsettings section.

The coverage that we carry for IdS with Blazor WebAssembly is for the hosted Blazor WebAssembly hosting model and found in the topic that I cross-referenced. We don't have further guidance to share. Any additional configuration and use of IdS generally is up to the Duende IdS docs to cover, as we're just trying to cover the base case with minimal configuration. We link to their docs from our doc.

@guardrex
Collaborator

Within that topic, we have some coverage on this. It's focused on an Azure-hosting scenario; so if you plan to host in Azure, it might be exactly what you're looking for. If not hosting in Azure, you may still get the main concepts out of it for your host setup ...

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-identity-server?view=aspnetcore-7.0&tabs=visual-studio#host-in-azure-app-service-with-a-custom-domain-and-certificate

@DrewBrasher
Author

DrewBrasher commented Dec 30, 2022

I did see that documentation and it was somewhat helpful even though I'm not using Azure. I was able to get it working based on various different sources I found by generating a .pfx file, putting it in the application root, and defining the key section in the appsettings.json to use a file like this:

  "IdentityServer": {
    "Key": {
      "Type": "File",
      "FilePath": "yourkey.pfx",
      "Password": "YourPassword"
    },
    "Clients": {
      "Bledger.Client": {
        "Profile": "IdentityServerSPA"
      }
    }
  }

I just thought it would be nice if the documentation on hosting on a Linux server at least mentioned that you have to create a key and define it for the app to work or, even better, told specifically how to do it on Linux.

@guardrex
Collaborator

guardrex commented Dec 30, 2022

I don't think we want to pitch certificate file-based key security like that. Even Duende doesn't pitch that. AFAICT, they don't even mention it 🙉.

Our examples are more in the vein of using Azure Key Vault or a certificate store. I think the Blazor doc should stick with the Azure pitch.

WRT any other key management strategies, Duende IdS docs should cover them. Of course, that's not a MS product, and we don't have anything to do with their docs. IIRC from when I wrote up that Blazor section a few years ago, they have docs on the subject.

> you have to create a key and define it for the app to work

It's my impression that that's not required for automatic key management ***IF*** ASP.NET Core Data Protection is configured. I'm thinking along the lines of ...

https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-7.0#protectkeyswith

... with the PFX cert to configure DP, then ... hopefully 🤞 ... automatic key management would ✨ Just Work!™ ✨. Of course, I'm guessing. I was just under the impression that they default that way without key configuration, and they rely upon ASP.NET Core DP to do that. Do you have any further information on that aspect ... or did you try that approach?

@guardrex
Collaborator

guardrex commented Dec 30, 2022

Let's let @Rick-Anderson take a look and decide for the main doc set doc here.

Rick, I'm going to leave the Blazor doc (Hosted WASM with IdS) on the Azure Key Vault approach.

I don't know what happens if ...

https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-7.0#protectkeyswith

... is attempted ... idk if automatic key management will just work properly (no additional configuration) with that or not.

Anyway ... if you want to cover passing the cert and a PW to the config like that for IdentityServer:Key, I'll let you schedule this for work. I'm going to remove the Blazor label/project from the issue. Note that AFAICT Duende IdS docs don't cover the appsettings.json config for this. I think they want DP configured from looking at what they state.

@DrewBrasher
Author

I'm not suggesting that the way I did it be added to the docs. I know it is not the ideal way; it was just the way I got it to work. I don't know the correct way to do it in Linux, which was why I was hoping documentation on the correct way to do it in Linux could be added if it doesn't already exist.

I will try setting up data protection like you suggested and see if that works without having to define the IdentityServer Key in appsettings.json.

@DrewBrasher
Author

@guardrex Thank you for your help. I set up data protection like you suggested and it worked. I also looked back at this documentation and it does have a section about setting that up (https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-nginx?view=aspnetcore-6.0#data-protection), which I guess I overlooked. @Rick-Anderson I think this request can be closed.
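
The Data Protection setup the thread settles on, as an added example (not code from this issue, the linked docs, or the Blazor template): the key ring is persisted to a directory and encrypted at rest with a PFX through `ProtectKeysWithCertificate`, so no certificate password sits in appsettings.json. The `DataProtection:*` configuration keys and the fallback path are hypothetical, and `File.GetUnixFileMode` requires .NET 7 or later.

```csharp
// Program.cs, ASP.NET Core 7+ on Linux. Added illustration, not the template's code.
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);
var cfg = builder.Configuration;

// Hypothetical configuration keys. Supply them as environment variables
// (DataProtection__CertPath, DataProtection__CertPassword) or from a secret
// store, not from appsettings.json in the deployment directory.
var keyRingDir = cfg["DataProtection:KeyRingPath"] ?? "/var/lib/bledger/dp-keys";
var certPath = cfg["DataProtection:CertPath"]
    ?? throw new InvalidOperationException("DataProtection:CertPath is not set.");
var certPassword = cfg["DataProtection:CertPassword"];

// Refuse to start if the PFX is accessible to group or others.
if (OperatingSystem.IsLinux())
{
    const UnixFileMode tooOpen =
        UnixFileMode.GroupRead | UnixFileMode.GroupWrite |
        UnixFileMode.OtherRead | UnixFileMode.OtherWrite;
    if ((File.GetUnixFileMode(certPath) & tooOpen) != 0)
        throw new InvalidOperationException(
            $"{certPath} must not be readable or writable by group or others.");
}

// The private key is required to decrypt the key ring after a restart.
var cert = new X509Certificate2(certPath, certPassword);
if (!cert.HasPrivateKey)
    throw new InvalidOperationException("The certificate has no private key.");

// The directory must survive redeploys and belong to the service account.
Directory.CreateDirectory(keyRingDir);

builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo(keyRingDir))
    .ProtectKeysWithCertificate(cert);

// The template's IdentityServer and authentication registrations stay as generated.

var app = builder.Build();
app.Run();
```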

@guardrex
Collaborator

guardrex commented Jan 2, 2023

Good ... I'm glad that worked out. I'll close this out.

I'll make a tracking issue remark that the Blazor with IdS doc should say that DP should be configured and cross-link to this section for more info.
