IdentityServer Deployment

IdentityServer configuration may be different based on deployment configurations. Basically, you need update identityserver client related data and update your hosting preferences based on your deployment environment.

Update Cors Origins

Cors origins configuration for gateways, microservices swagger authorization and Angular/Blazor (web assembly) must be updated for deployment. This can be found under App configuration in appsettings.json

"CorsOrigins": "https://*.MyProjectName.com,http://localhost:4200,https://localhost:44307,https://localhost:44325,https://localhost:44353,https://localhost:44367,https://localhost:44388,https://localhost:44381,https://localhost:44361",

Update Redirect Allowed Urls

This configuration must be done if Angular or Blazor (web assembly) is used as back-office web application. It is found under App configuration in appsettings.json

"RedirectAllowedUrls": "http://localhost:4200,https://localhost:44307"

Update DbMigrator

IdentityServerDataSeedContributor uses IdentityServer.Clients section of appsettings.json for ClientId, RedirectUri, PostLogoutRedirectUri, CorsOrigins.

Update DbMigrator project appsettings.json IdentityServer.Clients.RootUrls with production values:

db-migrator-appsettings

Or, manually add production values to IdentityServerClientRedirectUris, IdentityServerClientPostLogoutRedirectUris, IdentityServerClientCorsOrigins tables in your database.

If you are using microservice template on-the-fly migration and not using dbmigrator project, update IdentityService appsettings.

Eventually, you shouldn't have localhost related data.

Update IdentityServer

You need to update token signing certificate and identityserver midware based on your hosting environment.

Signing Certificate

Default development environment uses developer signing certificates option. Using developer signing certificates may cause IDX10501: Signature validation failed error on production.

Update IdentityServerModule with using real certificate on IIdentityServerBuilder pre-configuration.

idsrv-certificate

You can also create self-signed certificate and use it.

If you are using self signed certificate, do not forget to set the certificate (.pfx file) as EmbeddedResource and set CopyToOutputDirectory. File needs to exist physically.

Use HTTPS

Update IdentityServerModule to enfcore https. Add UseHsts to add hsts headers to clients, add UseHttpsRedirection to redirect http requests to https.

use-https

Behind Load Balancer

To redirect http requests to https from load balancer, update OnApplicationInitialization method of the IdentityServerModule with the midware below:

app.Use((httpContext, next) =>
{
    httpContext.Request.Scheme = "https";
    return next();
});

Kubernetes

A common scenario is running applications in kubernetes environment. While IdentityServer needs to face internet on https, internal requests can be done using http.

idsrv-k8s

HttpApi.Host and Web applications authority should be set to http since token validations will done using http request.

api-resource-internal-idsrv

You can use different appsettings files like appsettings.production.json to override these values or directly override environment values from kubernetes.

To isolate internal identityserver requests from external network (internet), append extra header instead of overwriting. For ingress, you can use nginx.ingress.kubernetes.io/configuration-snippet:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myidentityserver-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "32k"
    nginx.ingress.kubernetes.io/proxy-buffers-number: "8"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_input_headers "from-ingress: true";
spec:

You need to set the IdentityServer origin based on header. Update OnApplicationInitialization method of the IdentityServerModule with the midware below:

app.Use(async (ctx, next) =>
{
    if (ctx.Request.Headers.ContainsKey("from-ingress"))
    {
        ctx.SetIdentityServerOrigin("https://myidentityserver.com");
    }

    await next();
});
In this document
Mastering ABP Framework
Mastering ABP Framework Book

Build maintainable .NET solutions by following software development best practices using ABP.

See Details