如何在 Identity Server 4 中配置“密钥材料”以使用 SQL、KeyVault 或任何其他系统？

ID4 的源代码要求我们“配置密钥材料”以在生产中使用。

我使用以下 Powershell 脚本创建适合 Identity Server 4 的密钥。

// (not necessary for this question, but others may find this useful)

[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)][string]$password = "",
    [Parameter(Mandatory=$true)][string]$rootDomain = ""
)

#https://mcguirev10.com/2018/01/04/localhost-ssl-identityserver-certificates.html#identityserver-token-credentials
$cwd = Convert-Path .
$sCerFile = "$cwd\token_signing.cer"
$sPfxFile = "$cwd\token_signing.pfx"
$vCerFile = "$cwd\token_validation.cer"
$vPfxFile = "$cwd\token_validation.pfx"

# abort if files exist
if((Test-Path($sPfxFile)) -or (Test-Path($sCerFile)) -or (Test-Path($vPfxFile)) -or (Test-Path($vCerFile)))
{
    Write-Warning "Failed, token_signing or token_validation files already exist in current directory."
    Exit
}

function Get-NewCert ([string]$name)
{
    New-SelfSignedCertificate `
        -Subject $rootDomain `
        -DnsName $rootDomain `
        -FriendlyName $name `
        -NotBefore (Get-Date) `
        -NotAfter (Get-Date).AddYears(10) `
        -CertStoreLocation "cert:CurrentUser\My" `
        -KeyAlgorithm RSA `
        -KeyLength 4096 `
        -HashAlgorithm SHA256 `
        -KeyUsage DigitalSignature, KeyEncipherment, DataEncipherment `
        -Type Custom,DocumentEncryptionCert `
        -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
}

$securePass = ConvertTo-SecureString -String $password -Force -AsPlainText

# token signing certificate
$cert = Get-NewCert("IdentityServer Token Signing Credentials")
$store = 'Cert:\CurrentUser\My\' + ($cert.ThumbPrint)  
Export-PfxCertificate -Cert $store -FilePath $sPfxFile -Password $securePass
Export-Certificate -Cert $store -FilePath $sCerFile
Write-Host "Token-signing thumbprint: " $cert.Thumbprint

# token validation certificate
$cert =  Get-NewCert("IdentityServer Token Validation Credentials")
$store = 'Cert:\CurrentUser\My\' + ($cert.ThumbPrint)  
Export-PfxCertificate -Cert $store -FilePath $vPfxFile -Password $securePass
Export-Certificate -Cert $store -FilePath $vCerFile
Write-Host "Token-validation thumbprint: " $cert.Thumbprint

是否有任何实现或示例实现有一个占位符来清楚地告诉我在哪里实现密钥获取函数，以及如何将其正确添加到 Startup.cs 中的说明？

我仍在尝试了解 ASP.NET Core 启动/配置/Kestra 配置过程，这就是我陷入困境的地方。

• 如何管理关键材料？
• 我要覆盖什么对象，以及如何配置 ID4 来使用它？

您可以使用以下方式配置签名密钥IIdentityServerBuilder api:

builder.AddSigningCredential(myKeyMaterial);

为此，您有以下可用的重载：

public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, SigningCredentials credential)

public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, X509Certificate2 certificate)

public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, string name, StoreLocation location = StoreLocation.LocalMachine, NameType nameType = NameType.SubjectDistinguishedName)

public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, RsaSecurityKey rsaKey)

以下是我的一个项目的示例，该项目使用本地计算机证书存储中的主题名称 X509 证书：

    private static void AddCertificateFromStore(this IIdentityServerBuilder builder,
        IConfiguration options)
    {
        var subjectName = options.GetValue<string>("SubjectName");

        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);

        var certificates = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, true);

        if (certificates.Count > 0)
        {
            builder.AddSigningCredential(certificates[0]);
        }
        else
            Log.Error("A matching key couldn't be found in the store");
    }

通过这样的扩展方法，您可以按照以下方式使用它（我喜欢使用托管环境来确定是否添加开发人员默认签名凭据或生产凭据）：

        if (environment.IsDevelopment())
        {
            identityServerBuilder.AddDeveloperSigningCredential();
        }
        else
        {
            identityServerBuilder.AddCertificateFromStore(configuration);
        }