Framework
Community Commercial
Menu Menu
Version
Language
Contributors Edit (5/8/2023)
Avatar Avatar

Configuring OpenIddict

This document introduces how to configure OpenIddict in the AuthServer project.

There are different configurations in the AuthServer project for Development and Production environment.

public override void PreConfigureServices(ServiceConfigurationContext context)
{
    var hostingEnvironment = context.Services.GetHostingEnvironment();

    // Development environment
    if (hostingEnvironment.IsDevelopment())
    {
        PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
        {
            // This is default value, you can remove this line.
            options.AddDevelopmentEncryptionAndSigningCertificate = true;
        });
    }

    // Production or Staging environment
    if (!hostingEnvironment.IsDevelopment())
    {
        PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
        {
            options.AddDevelopmentEncryptionAndSigningCertificate = false;
        });

        PreConfigure<OpenIddictServerBuilder>(builder =>
        {
            builder.AddSigningCertificate(GetSigningCertificate(hostingEnvironment));
            builder.AddEncryptionCertificate(GetSigningCertificate(hostingEnvironment));

            //...
        });
    }
}

private X509Certificate2 GetSigningCertificate(IWebHostEnvironment hostingEnv)
{
    return new X509Certificate2(Path.Combine(hostingEnv.ContentRootPath, "authserver.pfx"), "00000000-0000-0000-0000-000000000000");
}

Development Environment

We've enabled AddDevelopmentEncryptionAndSigningCertificate by default on development environment, It registers (and generates if necessary) a user-specific development encryption/development signing certificate. This is a certificate used for signing and encrypting the tokens and for development environment only.

AddDevelopmentEncryptionAndSigningCertificate cannot be used in applications deployed on IIS or Azure App Service: trying to use them on IIS or Azure App Service will result in an exception being thrown at runtime (unless the application pool is configured to load a user profile).

To avoid that, consider creating self-signed certificates and storing them in the X.509 certificates storage of the host machine(s). This is the way we do it in production environment.

Production Environment

We've disabled AddDevelopmentEncryptionAndSigningCertificate in production environment and tried to setup signing and encrypting certificates using authserver.pfx.

You can use the dotnet dev-certs https -v -ep authserver.pfx -p 00000000-0000-0000-0000-000000000000 command to generate the authserver.pfx certificate.

00000000-0000-0000-0000-000000000000 is the password of the certificate, you can change it to any password you want.

Also, please remember to copy authserver.pfx to the Content Root Folder of the AuthServer website.

Was this page helpful?
Please make a selection.
Thank you for your valuable feedback!

Please note that although we cannot respond to feedback, our team will use your comments to improve the experience.

In this document
DOTNET CONF '24
08-09 May
09:00
Online
SEE SPEAKERS SEE AGENDA
GO TO EVENT
What's new in .NET 9?
May 02, 2024 17:00 (UTC)
Previous Events Register Now
ABP Docs
See Previous Events
Mastering ABP Framework Book
Mastering ABP Framework

This book will help you gain a complete understanding of the framework and modern web application development techniques.

See Book Details