Recently I implemented a POC of a custom STS using the thinktecture IdentityServerV2 core. For quick testing purposes I set up a relying party with a symmetric signing key and got this working. Then I wanted to change this to sign with a certificate...

During initial testing I simply added this relying party to my relying party repository:

var relyingParty = new RelyingParty()
{
    Enabled = true,
    Realm = new Uri("https://www.novanet.no/"),
    Name = "Test party",
    // Shared secret: with this set, issued JWTs are signed with HS256
    SymmetricSigningKey =
        Convert.FromBase64String("R03W9kJERSSLH11Px+R/O7EYfAadSMQfZD5haQZj6eU="),
    TokenLifeTime = 120
};

I used this to authenticate a test site using JSON Web Tokens (JWT), and the signing algorithm was set to "alg":"HS256". While this worked fine in my POC, I did not want to exchange symmetric keys like this. So my question was: how do I configure the JwtSecurityTokenHandler to sign my tokens with my certificate?

I assumed there would be some flag or property to configure this, but found nothing. I read the guides from thinktecture and only found one for setting up symmetric signing keys. Then it hit me: it makes no sense to set the SymmetricSigningKey when you're not using it. I tried leaving the key undefined, and voilà, suddenly the JWT signing algorithm was "alg":"RS256".

If I hadn't started out by using symmetric keys I probably wouldn't have found this strange at all, but it's a nice example of how unintuitive implicit configuration can be.

So the simple solution: don't configure a symmetric key.

var relyingParty = new RelyingParty()
{
    Enabled = true,
    Realm = new Uri("https://www.novanet.no/"),
    Name = "Test party",
    // No SymmetricSigningKey: the token handler signs with the STS certificate (RS256)
    //SymmetricSigningKey =
    //    Convert.FromBase64String("R03W9kJERSSLH11Px+R/O7EYfAadSMQfZD5haQZj6eU="),
    TokenLifeTime = 120
};

#facepalm
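Because the switch from HS256 to RS256 happens implicitly, it is worth having a check on the relying-party side that the tokens actually arrive with the algorithm you expect. The following is an added example, not code from the post or from thinktecture: a small Python script (chosen over C# so it runs without the IdentityServer assemblies) that mints an HS256 token the way the symmetric-key setup does, parses the JWT header, and accepts only the configured algorithm. The claims, the RS256 sample token's signature segment and the issuer URL are constructed for the demonstration; the shared key is the base64 value from the RelyingParty above.

```python
import base64
import hashlib
import hmac
import json

# The same base64 key the post's RelyingParty used for HS256 (a test value).
SHARED_KEY = base64.b64decode("R03W9kJERSSLH11Px+R/O7EYfAadSMQfZD5haQZj6eU=")

# Constructed sample claims; the audience matches the RelyingParty realm in the post,
# the issuer is a placeholder.
SAMPLE_CLAIMS = {
    "iss": "https://sts.example.invalid/",
    "aud": "https://www.novanet.no/",
    "sub": "alice",
}


def b64url_encode(data: bytes) -> str:
    """JWT base64url: urlsafe alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the JWT form omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def segment(obj: dict) -> str:
    """Encode one JWT segment (header or payload) as compact JSON, base64url."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Mint a JWT as the symmetric-key setup does: HMAC-SHA256 over header.payload."""
    signing_input = segment({"alg": "HS256", "typ": "JWT"}) + "." + segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def jwt_header(token: str) -> dict:
    """Parse the (not yet verified) header of a compact-serialised JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0]))


def verify_hs256(token: str, key: bytes) -> bool:
    """Validate an HS256 signature with the shared key (constant-time compare)."""
    if jwt_header(token).get("alg") != "HS256":
        return False
    header, payload, signature = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature))


def signing_alg_ok(token: str, expected: str = "RS256") -> bool:
    """Relying-party check: accept only the algorithm the STS was configured for.

    After dropping SymmetricSigningKey that is RS256; an HS256 or "none" header means
    the STS is not signing the way the configuration suggests and the token should be
    rejected rather than verified with whatever key happens to be at hand.
    """
    return jwt_header(token).get("alg") == expected


if __name__ == "__main__":
    hs = make_hs256_token(SAMPLE_CLAIMS, SHARED_KEY)
    print("HS256 token:", jwt_header(hs)["alg"], verify_hs256(hs, SHARED_KEY), signing_alg_ok(hs))
    # Header claims RS256; the signature segment is a constructed placeholder, not a
    # real RSA signature, because only the header is inspected by signing_alg_ok.
    rs = segment({"alg": "RS256", "typ": "JWT"}) + "." + segment(SAMPLE_CLAIMS) + "." + b64url_encode(b"placeholder")
    print("RS256 token:", jwt_header(rs)["alg"], signing_alg_ok(rs))
```

The point of `signing_alg_ok` is that the relying party decides which algorithm is acceptable from its own configuration, not from the token header; the header is only read to confirm it matches. Run it after changing the STS configuration and the output of the first line shows exactly what the post describes: a token that verifies fine with the shared key but is not what an RS256-only relying party should accept.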