Configuring the secure token signature algorithm in Thinktecture IdentityServerV2 core
Recently I implemented a POC of a custom STS using the thinktecture IdentityServerV2 core. For quick testing purposes i set up a relying party with a symmetric signing key, and got this working. Then i wanted to change this to sign with a certificate...
During intital testing i simply added this relying party to my relying party repository:
var relyingParty = new RelyingParty() { Enabled = true, Realm = new Uri("https://www.novanet.no/"), Name = "Test party", SymmetricSigningKey = Convert.FromBase64String("R03W9kJERSSLH11Px+R/O7EYfAadSMQfZD5haQZj6eU="), TokenLifeTime = 120 };
I used this to authenticate a test site using JSON Web Tokens (JWT), and the signing algorithm was set to "alg":"HS256". While this worked fine in my POC i did not want to exchange symmetric keys like this. So my questions was, how do I configure the JwtSecurityTokenHandler to sign my tokens with my certificate.
I assumed there would be some flag or property to configure this, but found nothing. I read the guides from thinktecture, and only found one for setting up symmetric signing keys. Then it hit me; it makes no sense to set the SymmetricSigningKey if when you're not using it. I tried leaving the key undefined, and voilá, suddenly the JWT signing algorithm was "alg":"RS256".
If I didn't start out by using symmetric keys i probably wouldn't have found this strange at all, but it's a nice example of how little intuitive implicit configuration can be.
So the simple solution, don't configure a symmetric key:
var relyingParty = new RelyingParty() { Enabled = true, Realm = new Uri("https://www.novanet.no/"), Name = "Test party", //SymmetricSigningKey = // Convert.FromBase64String("R03W9kJERSSLH11Px+R/O7EYfAadSMQfZD5haQZj6eU="), TokenLifeTime = 120 };
#facepalm