IdentityServer4 无法创建 SignatureProvider,'key.HasPrivateKey' 为 false
我们使用IdentityServer4(“”)和EntityFrameworkCore来存储操作和配置数据。要添加签名凭据,我们使用x509自签名证书。我们使用以下命令创建x509自签名证书:IdentityServer4 无法创建 SignatureProvider,'key.HasPrivateKey' 为 false,identityserver4,Identityserver4,我们使用IdentityServer4(“”)和EntityFrameworkCore来存储操作和配置数据。要添加签名凭据,我们使用x509自签名证书。我们使用以下命令创建x509自签名证书:makecert -r -pe -n "CN=CertName_IdentityServer" -b 01/01/2015 -e 01/01/2039 -eku 1.3.6.1.5.7.3.3 -sky signature -a sha256 -len 2048 IdentityServer.cer。并将此证书作为嵌入资源添加到解决方案中。 这
makecert -r -pe -n "CN=CertName_IdentityServer" -b 01/01/2015 -e 01/01/2039 -eku 1.3.6.1.5.7.3.3 -sky signature -a sha256 -len 2048 IdentityServer.cer
。并将此证书作为嵌入资源添加到解决方案中。
这是我们的startup.cs文件:
public void ConfigureServices(IServiceCollection services)
{
    // Wires up IdentityServer with EF Core-backed configuration and operational
    // stores (both on the "IdentityServer" connection string) and the signing
    // certificate registered by ConfigureSigningCerts.
    services.AddSingleton<IConfiguration>(Configuration);

    string dbConnection = Configuration.GetConnectionString("IdentityServer");

    // EF migrations live in this (Startup's) assembly; both stores point EF at it.
    string migrationsAssemblyName = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;

    ConfigureSigningCerts(services);

    var idsBuilder = services.AddIdentityServer();

    // Configuration data (clients, resources) comes from the database.
    idsBuilder.AddConfigurationStore(store =>
    {
        store.ConfigureDbContext = db =>
            db.UseSqlServer(dbConnection, sql => sql.MigrationsAssembly(migrationsAssemblyName));
    });

    // Operational data (codes, tokens, consents) comes from the database as well.
    idsBuilder.AddOperationalStore(store =>
    {
        store.ConfigureDbContext = db =>
            db.UseSqlServer(dbConnection, sql => sql.MigrationsAssembly(migrationsAssemblyName));

        // Optional: purge expired grants periodically (TokenCleanupInterval is in
        // seconds in IdentityServer4).
        store.EnableTokenCleanup = true;
        store.TokenCleanupInterval = 30;
    });
}
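private static void ConfigureSigningCerts(IServiceCollection services)
{
    // Loads the token-signing certificate from an embedded resource and registers it
    // as both the signing credential and the validation key.
    //
    // IdentityServer signs tokens with the certificate's PRIVATE key. A .cer file
    // carries only the public certificate, so loading one leaves HasPrivateKey false
    // and token creation later fails with IDX10638 ("'key.HasPrivateKey' is false,
    // cannot create signatures"). The check below turns that late runtime failure
    // into a clear startup error.
    //
    // NOTE(review): a PFX with the private key embedded in the assembly is readable
    // by anyone who has the binary; a certificate store or a secrets service is the
    // safer home for a signing key.
    var assembly = typeof(Startup).GetTypeInfo().Assembly;

    /*
     * IdentityServer.WebApi\
     *   Certificates\
     *     identityserver.cer
     *
     * Manifest resource name: {assembly name}.{directory}.{file name}
     */
    const string resourceName = "IdentityServer.WebApi.Certificates.identityserver.cer";

    X509Certificate2 signingCert;
    using (Stream resource = assembly.GetManifestResourceStream(resourceName))
    {
        // GetManifestResourceStream returns null (it does not throw) when the name
        // is wrong or the file is not marked as an embedded resource; the original
        // code dereferenced it unconditionally.
        if (resource == null)
        {
            throw new InvalidOperationException(
                "Embedded signing certificate resource '" + resourceName + "' was not found.");
        }

        // Copy the whole resource; Stream.Length is not reliable for every stream type.
        using (var buffer = new MemoryStream())
        {
            resource.CopyTo(buffer);
            signingCert = new X509Certificate2(buffer.ToArray());
        }
    }

    // The X509Certificate2 constructor never returns null (it throws on bad input),
    // so the original null check was dead code; the property that actually matters
    // for signing is HasPrivateKey.
    if (!signingCert.HasPrivateKey)
    {
        throw new InvalidOperationException(
            "The signing certificate '" + signingCert.Subject + "' has no private key. " +
            "A .cer file contains only the public certificate; embed a PFX that includes " +
            "the private key (and load it with its password) instead.");
    }

    // RS256 = RSA with SHA-256; the same certificate is used for signing and for
    // publishing the validation key.
    var signingCredential = new SigningCredentials(new X509SecurityKey(signingCert), "RS256");
    services.AddSingleton<ISigningCredentialStore>(new DefaultSigningCredentialsStore(signingCredential));

    var validationKeys = new List<SecurityKey> { new X509SecurityKey(signingCert) };
    services.AddSingleton<IValidationKeysStore>(new DefaultValidationKeysStore(validationKeys));
}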
如果使用文件,则可能需要执行额外的步骤并分配密码以允许访问私钥 希望这将有助于: 另一种方法是在本地计算机证书存储中生成证书,然后通过证书管理MMC管理单元将其导出 来自Powershell(以管理员身份运行Powershell): 使用上述命令,证书颁发者将成为yourSiteHere,到期日期默认为一年。它还将具有长度为2048的RSA密钥。 然后,您可以使用certmgr实用程序导出证书(Powershell中还有更多命令可用于导出,我还没有使用)。 有关更多信息,请参见以下链接: 现在,在IdentityServer4中,我扩展了IIdentityServerBuilder类,为该类型文件的证书绑定提供了一个方法——简而言之,如果您有一个静态类,并且它的方法采用“this someClass”形式的参数,那么它就是一个“扩展”。您可以扩展任何类,甚至是C#内部的标准类(如字符串等)。如果这样做,当您在该类或该类型的变量之后键入句点时,您的方法也会出现在Intellisense中。这意味着我可以在启动时从构建器访问我的方法(您只需要在startup.cs中为扩展类的命名空间添加using):
公共静态类签名凭证
{
公共静态IIdentityServerBuilder GetCertFromAzure(此IIdentityServerBuilder)
{
//注意:为了使证书对应用程序可见,
//应用程序设置“网站加载证书”的值为
//必须将SSL证书的指纹添加到IdentityServer中
//Azure上的webapp。
var thumbprint=“您的证书的指纹”;
var store=new X509Store(StoreName.My,StoreLocation.CurrentUser);
打开(OpenFlags.ReadOnly);
var certs=store.Certificates.Find(X509FindType.FindByThumbprint,
(指纹,正确);
如果(证书计数>0)
{
X509Certificate2证书=
新X509Certificate2(证书[0])。导出(X509ContentType.Pfx,
“您的证书密码”);
建造商。添加签名凭证(证书);
builder.AddValidationKey(证书);
}
返回生成器;
}
公共静态IIIdentityServerBuilder GetCertFromEmbeddedProjectFile(
IIdentityServerBuilder(服务器生成器)
{
var assembly=assembly.getExecutionGassembly();
var fileName=“Your.Project.Namespace.fileName.fileExtension”;
使用(Stream=assembly.GetManifestResourceStream(resourceName))
{
字节[]原始=新字节[stream.Length];
对于(Int32 i=0;i
因此-将上述类包括在项目中,确保Startup.cs可以看到它(如果需要,请使用),去掉ConfigureSigningCerts()方法,并在“services.AddIdentityServer()”行之后键入a',您将在列表中看到扩展方法。使用你想要的方法。您不需要指定参数,该方法将自动获取生成器。构建器将在创建之后返回,以用于以后的方法。makecert已被弃用。您可以使用的替换工具之一是powershell新的自签名证书模块。如果您运行该程序,但证书仍然出现错误,请在此处回复,我将继续共享我的进度/代码,因为我目前正在将自签名证书绑定到ID4,并且还有一个从嵌入式资源加载证书的方法。要使GetCertFromAzure方法正常工作,您必须将SSL证书绑定到Azure上的Web应用程序(由受信任的证书颁发机构颁发的证书)。使用上述方法,只需在启动时从builder中调用上述方法之一,您在启动时调用了该方法以添加开发人员证书。您可以调整该方法,以便在证书过期时提供回退策略。
crit: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Unhandled exception: System.InvalidOperationException: IDX10638: Cannot created the SignatureProvider, 'key.HasPrivateKey' is false, cannot create signatures. Key: Microsoft.IdentityModel.Tokens.X509SecurityKey.
at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForSigning(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateEncodedSignature(String input, SigningCredentials signingCredentials)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token)
at IdentityServer4.Services.DefaultTokenCreationService.CreateJwtAsync(JwtSecurityToken jwt) in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\Services\DefaultTokenCreationService.cs:line 209
at IdentityServer4.Services.DefaultTokenCreationService.<CreateTokenAsync>d__4.MoveNext() in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\Services\DefaultTokenCreationService.cs:line 67
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Services.DefaultTokenService.<CreateSecurityTokenAsync>d__9.MoveNext() in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\Services\DefaultTokenService.cs:line 210
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.<CreateAccessTokenAsync>d__14.MoveNext() in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\ResponseHandling\TokenResponseGenerator.cs:line 313
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.<ProcessTokenRequestAsync>d__13.MoveNext() in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\ResponseHandling\TokenResponseGenerator.cs:line 249
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.<ProcessAsync>d__7.MoveNext() in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\ResponseHandling\TokenResponseGenerator.cs:line 84
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Endpoints.TokenEndpoint.<ProcessTokenRequestAsync>d__7.MoveNext() in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\Endpoints\TokenEndpoint.cs:line 98
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Endpoints.TokenEndpoint.<ProcessAsync>d__6.MoveNext() in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\Endpoints\TokenEndpoint.cs:line 70
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Hosting.IdentityServerMiddleware.<Invoke>d__3.MoveNext() in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\Hosting\IdentityServerMiddleware.cs:line 54
crit: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Unhandled exception: System.InvalidOperationException: IDX10638: Cannot created the SignatureProvider, 'key.HasPrivateKey' is false, cannot create signatures. Key: Microsoft.IdentityModel.Tokens.X509SecurityKey.
at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForSigning(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateEncodedSignature(String input, SigningCredentials signingCredentials)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token)
at IdentityServer4.Services.DefaultTokenCreationService.CreateJwtAsync(JwtSecurityToken jwt) in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\Services\DefaultTokenCreationService.cs:line 209
at IdentityServer4.Services.DefaultTokenCreationService.<CreateTokenAsync>d__4.MoveNext() in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\Services\DefaultTokenCreationService.cs:line 67
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Services.DefaultTokenService.<CreateSecurityTokenAsync>d__9.MoveNext() in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\Services\DefaultTokenService.cs:line 210
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.<CreateAccessTokenAsync>d__14.MoveNext() in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\ResponseHandling\TokenResponseGenerator.cs:line 313
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.<ProcessTokenRequestAsync>d__13.MoveNext() in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\ResponseHandling\TokenResponseGenerator.cs:line 249
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.<ProcessAsync>d__7.MoveNext() in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\ResponseHandling\TokenResponseGenerator.cs:line 84
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Endpoints.TokenEndpoint.<ProcessTokenRequestAsync>d__7.MoveNext() in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\Endpoints\TokenEndpoint.cs:line 98
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Endpoints.TokenEndpoint.<ProcessAsync>d__6.MoveNext() in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\Endpoints\TokenEndpoint.cs:line 70
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at IdentityServer4.Hosting.IdentityServerMiddleware.<Invoke>d__3.MoveNext() in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\Hosting\IdentityServerMiddleware.cs:line 54
# Creates a self-signed certificate for yourSiteHere.com in the LocalMachine\My store.
# -KeyExportPolicy Exportable is what later allows the private key to be exported as a PFX;
# without it the store copy would hold the key but refuse to hand it out.
$cert = New-SelfSignedCertificate -DnsName yourSiteHere.com -type Custom -CertStoreLocation cert:\localmachine\my -KeyExportPolicy Exportable
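public static class SigningCredentialExtension
{
    /// <summary>
    /// Loads the signing certificate from the CurrentUser\My store by thumbprint and
    /// registers it with IdentityServer as both signing credential and validation key.
    /// </summary>
    /// <param name="builder">The IdentityServer builder being configured.</param>
    /// <returns>The same <paramref name="builder"/>, for chaining.</returns>
    /// <exception cref="InvalidOperationException">
    /// No valid certificate with the thumbprint is in the store, or the certificate
    /// has no private key and therefore cannot sign tokens.
    /// </exception>
    public static IIdentityServerBuilder GetCertFromAzure(this IIdentityServerBuilder builder)
    {
        //Note: in order for the certificate to be visible to the app,
        //an application setting "WEBSITE_LOAD_CERTIFICATES" with the value
        //of your SSL cert's thumbprint must be added to your IdentityServer
        //webapp on Azure.
        // Placeholder: in a real deployment read the thumbprint from configuration.
        var thumbprint = "your cert's thumbprint";

        X509Certificate2Collection certs;
        // The original never closed the store; dispose it once the lookup is done.
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            // The original referenced an undeclared `certThumbprint` here; the local is
            // `thumbprint`. validOnly=true also drops certificates that fail validation
            // (e.g. expired), so such a cert surfaces as "not found" below.
            certs = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true);
        }

        // The original returned silently when nothing matched, leaving IdentityServer
        // with no signing credential; fail fast so the misconfiguration shows at startup.
        if (certs.Count == 0)
        {
            throw new InvalidOperationException(
                "No valid certificate with thumbprint '" + thumbprint + "' was found in CurrentUser\\My.");
        }

        X509Certificate2 storeCert = certs[0];
        EnsureHasPrivateKey(storeCert);

        // Round-trip through an in-memory PFX, as the original did (presumably to hold a
        // copy of the key that is independent of the store handle — confirm). The
        // password only protects this transient blob; still, it does not belong in source.
        X509Certificate2 cert = new X509Certificate2(
            storeCert.Export(X509ContentType.Pfx, "your cert's password"));

        RegisterSigningCert(builder, cert);
        return builder;
    }

    /// <summary>
    /// Loads a PFX embedded in the executing assembly and registers it with
    /// IdentityServer as both signing credential and validation key.
    /// </summary>
    /// <param name="builder">The IdentityServer builder being configured.</param>
    /// <returns>The same <paramref name="builder"/>, for chaining.</returns>
    /// <exception cref="InvalidOperationException">
    /// The embedded resource is missing, or the certificate has no private key.
    /// </exception>
    public static IIdentityServerBuilder GetCertFromEmbeddedProjectFile(
        this IIdentityServerBuilder builder)
    {
        // `this` was missing on the parameter, so despite the surrounding text this was
        // not an extension method; adding it keeps plain static calls working.
        //
        // NOTE(review): GetExecutingAssembly() is the assembly that contains THIS class;
        // if the extension lives in a separate library, point it at the assembly that
        // actually embeds the PFX.
        var assembly = Assembly.GetExecutingAssembly();

        // The original declared `fileName` but passed an undeclared `resourceName`.
        var resourceName = "Your.Project.Namespace.FileName.fileExtension";

        // Placeholder (constructed): the original used an undeclared `password`. Read it
        // from configuration / a secret store rather than keeping it in source.
        var password = "your PFX password";

        byte[] raw;
        using (Stream stream = assembly.GetManifestResourceStream(resourceName))
        {
            // GetManifestResourceStream returns null rather than throwing when the
            // resource is not found.
            if (stream == null)
            {
                throw new InvalidOperationException(
                    "Embedded certificate resource '" + resourceName + "' was not found.");
            }

            // Replaces the byte-at-a-time ReadByte loop with a single copy.
            using (var buffer = new MemoryStream())
            {
                stream.CopyTo(buffer);
                raw = buffer.ToArray();
            }
        }

        X509Certificate2 cert = new X509Certificate2(raw, password);
        EnsureHasPrivateKey(cert);

        RegisterSigningCert(builder, cert);
        return builder;
    }

    // Throws when the certificate cannot sign. Without this the failure only shows up
    // on the first token request as IDX10638 ("'key.HasPrivateKey' is false").
    private static void EnsureHasPrivateKey(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                "Certificate '" + cert.Subject + "' has no private key and cannot be used to sign tokens. " +
                "A .cer holds only the public certificate; use a PFX (or a store entry) that includes the key.");
        }
    }

    // Registers one certificate as both the signing credential and a validation key.
    private static void RegisterSigningCert(IIdentityServerBuilder builder, X509Certificate2 cert)
    {
        builder.AddSigningCredential(cert);
        builder.AddValidationKey(cert);
    }
}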