IdentityServer Deployment

IdentityServer configuration may differ depending on how you deploy. Basically, you need to update the IdentityServer client-related data and your hosting preferences to match your deployment environment.

Update DbMigrator

IdentityServerDataSeedContributor uses the IdentityServer.Clients section of appsettings.json for ClientId, RedirectUri, PostLogoutRedirectUri and CorsOrigins.

Update IdentityServer.Clients.RootUrls in the DbMigrator project's appsettings.json with production values:


Or, manually add production values to the IdentityServerClientRedirectUris, IdentityServerClientPostLogoutRedirectUris and IdentityServerClientCorsOrigins tables in your database.

If you are using the microservice template's on-the-fly migration and not the DbMigrator project, update the IdentityService appsettings.

In the end, no localhost-related data should remain.

Update IdentityServer

You need to update the token signing certificate and the IdentityServer middleware based on your hosting environment.

Signing Certificate

The default development environment uses the developer signing certificates option. Using developer signing certificates may cause an "IDX10501: Signature validation failed" error in production.

Update IdentityServerModule to use a real certificate in the IIdentityServerBuilder pre-configuration.


You can also create a self-signed certificate and use it.

If you are using a self-signed certificate, do not forget to set the certificate (.pfx file) as EmbeddedResource and set CopyToOutputDirectory. The file needs to exist physically.
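The following is an added example, not code from the original page or from ABP itself, showing one way to replace the developer signing credential with a certificate loaded from a .pfx file that is copied to the output directory. The file name identityserver-signing.pfx and the configuration key SigningCertificate:Password are assumptions; the checks fail startup early instead of letting token validation fail later.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Volo.Abp.IdentityServer;
using Volo.Abp.Modularity;

public class IdentityServerModule : AbpModule
{
    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        var env = context.Services.GetHostingEnvironment();
        var configuration = context.Services.GetConfiguration();
        if (env.IsDevelopment())
        {
            return; // development keeps the developer signing credential
        }

        // Stop ABP from registering the developer signing credential.
        PreConfigure<AbpIdentityServerBuilderOptions>(options =>
            options.AddDeveloperSigningCredential = false);

        // Sign tokens with the real certificate instead.
        PreConfigure<IIdentityServerBuilder>(builder =>
            builder.AddSigningCredential(LoadSigningCertificate(env, configuration)));
    }

    private static X509Certificate2 LoadSigningCertificate(
        IWebHostEnvironment env, IConfiguration configuration)
    {
        // Assumed file name; the .pfx must physically exist next to the app.
        var path = Path.Combine(env.ContentRootPath, "identityserver-signing.pfx");
        if (!File.Exists(path))
            throw new FileNotFoundException("Signing certificate not found.", path);

        // Assumed configuration key; supply it from a secret store or environment
        // variable rather than committing the password to appsettings.json.
        var cert = new X509Certificate2(path, configuration["SigningCertificate:Password"]);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Signing certificate has no private key.");
        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
            throw new InvalidOperationException("Signing certificate is not currently valid.");
        return cert;
    }
}
```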


Update IdentityServerModule to enforce HTTPS. Add UseHsts to send HSTS headers to clients, and add UseHttpsRedirection to redirect HTTP requests to HTTPS.


Behind Load Balancer

To redirect HTTP requests to HTTPS from the load balancer, update the OnApplicationInitialization method of the IdentityServerModule with the middleware below:

app.Use((httpContext, next) =>
{
    // Treat every request as HTTPS; TLS is terminated at the load balancer.
    httpContext.Request.Scheme = "https";
    return next();
});


A common scenario is running applications in a Kubernetes environment. While IdentityServer needs to face the internet over HTTPS, internal requests can be made over HTTP.


The authority of the HttpApi.Host and Web applications should be set to HTTP, since token validation will be done using HTTP requests.


You can use different appsettings files, such as appsettings.production.json, to override these values, or override them directly with environment values from Kubernetes.

To isolate internal IdentityServer requests from the external network (internet), append an extra header instead of overwriting. For ingress, you can use:

kind: Ingress
  name: myidentityserver-ingress
  annotations: / "true" "32k" "8" |
      more_set_input_headers "from-ingress: true";

You need to set the IdentityServer origin based on the header. Update the OnApplicationInitialization method of the IdentityServerModule with the middleware below:

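app.Use(async (ctx, next) =>
{
    if (ctx.Request.Headers.ContainsKey("from-ingress"))
    {
        ctx.SetIdentityServerOrigin("https://<your-public-identityserver-host>"); // placeholder origin
    }
    await next();
});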