
We have an IdentityServer4 host as our IDP. We have a 4.6 web app (SPA) calling an API using the Hybrid flow (calling the API by passing the access token). Everything is working as expected. Please note that on the API we are using the IdentityServer3.AccessTokenValidation package to authenticate with IdentityServer4.

Scenario: Restarting the IdentityServer4 host causes newly logged-on users to get a 401 Unauthorized when calling the API. We know of 2 solutions to this issue:

1.) Restart the API App Pool (undesired)

2.) In the API, set up app.UseIdentityServerBearerTokenAuthentication with AutomaticRefreshInterval set to 5 minutes of caching. After 5 minutes, newly logged-on users can retrieve data from the API.

The question is:

1.) Is there another option we can do beside what is mentioned above?

2.) If we do set the AutomaticRefreshInterval to the lowest possible cache value of 5 minutes, can you foresee any potential issues that we should account for? e.g. performance issues, security concerns, etc?

  • How did you configure IS4? Are you using fixed signing credentials or DeveloperSigningCredential? –  Apr 19 '18 at 18:46
  • After restarting API app pool - are you forced to re-login? – m3n7alsnak3 Apr 19 '18 at 18:54
  • Thank you @RuardvanElburg. Our fault, did not even notice it. We are using AddTemporarySigningCredential. I'm assuming this is the issue? – AARON REY CHAN Apr 19 '18 at 19:10
  • Yes, as IS4 lost the key to decode, all tokens will become invalid at once. So the key must be persisted. –  Apr 19 '18 at 19:12
  • @m3n7alsnak3 no, we are not forced to re-login after IS4 is restarted. Thank you for replying. RuardvanElburg has pointed us in the right direction. – AARON REY CHAN Apr 19 '18 at 19:15

1 Answer


If using a temporary in-memory signing key then you'll get this behaviour. You need to create a persisted signing credential like an X509 certificate and load it when your IDS4 service starts.

Some guidance here: http://docs.identityserver.io/en/release/topics/startup.html#refstartupkeymaterial

See my answer here for a code sample on how to load a cert or certs from the machine certificate store:

How we can replace AddDeveloperSigningCredential on AWS Serverless Lambda environment?

mackie