您可以使用以下方式配置签名密钥IIdentityServerBuilder
api:
builder.AddSigningCredential(myKeyMaterial);
为此,您有以下可用的重载:
public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, SigningCredentials credential)
public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, X509Certificate2 certificate)
public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, string name, StoreLocation location = StoreLocation.LocalMachine, NameType nameType = NameType.SubjectDistinguishedName)
public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, RsaSecurityKey rsaKey)
以下是我的一个项目的示例,该项目使用本地计算机证书存储中的主题名称 X509 证书:
private static void AddCertificateFromStore(this IIdentityServerBuilder builder,
IConfiguration options)
{
var subjectName = options.GetValue<string>("SubjectName");
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var certificates = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, true);
if (certificates.Count > 0)
{
builder.AddSigningCredential(certificates[0]);
}
else
Log.Error("A matching key couldn't be found in the store");
}
通过这样的扩展方法,您可以按照以下方式使用它(我喜欢使用托管环境来确定是否添加开发人员默认签名凭据或生产凭据):
if (environment.IsDevelopment())
{
identityServerBuilder.AddDeveloperSigningCredential();
}
else
{
identityServerBuilder.AddCertificateFromStore(configuration);
}