Description
Steps
Please have your development team and partners review the content and confirm against your implementation.
This is a sample, but it illustrates the steps.
Basically, when calling AddOpenIDConnect(), we configure an endpoint that issues a JWT and validates that token locally, against the instance's own signing and encryption certificates.
It means that a token issued by instance 1 will most likely not be accepted by the resource API on instance 2 (in this case, the CD search endpoint), because instance 2 validates it against a different certificate.
That is where the 401 comes in. In a single-instance setup you would not see this.
For reference, to make a JWT issued by one web app instance valid on another, both instances must use the same certificates:
- Create the .crt and .key (or .pem) files using openssl
- In Startup.cs, build an X509Certificate2 from the certificate files created in step 1 and pass it to AddOpenIDConnect:
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Load the PEM-encoded certificate and private key created in step 1 (X509Certificate2.CreateFromPem requires .NET 5 or later).
// The private key file must be deployed to every instance but kept out of source control.
var certPem = File.ReadAllText("certificate.crt");
var keyPem = File.ReadAllText("privateKey.key");
var tokenKey = X509Certificate2.CreateFromPem(certPem, keyPem);

services.AddOpenIDConnect<ApplicationUser>(
    useDevelopmentCertificate: false,   // do not let each instance generate its own certificate
    signingCertificate: tokenKey,
    encryptionCertificate: tokenKey,
    createSchema: true,
    options =>
    {
        // Enables the resource owner password grant; only keep this if a client actually needs it.
        options.AllowResourceOwnerPasswordFlow = true;
    });
In production, you should use different certificates for the signing and encryption credentials. If you are using DXP, you can get the certificates from the Azure Key Vault as noted in the documentation:
// In DXP the signing and encryption certificates are provided by the platform; _configuration is the injected IConfiguration.
var certificates = EPiServer.CloudPlatform.Cms.Certificates.CertificatesProvider.Get(_configuration);

services.AddOpenIDConnect<ApplicationUser>(
    useDevelopmentCertificate: false,
    signingCertificate: certificates.SigningCertificate,
    encryptionCertificate: certificates.EncryptionCertificate,
    createSchema: true);
From that same documentation please see the note:
In production, provide a certificate in the form of an X509Certificate2 for signing and encrypting tokens. During development, OpenIddict provides one automatically if useDevelopmentCertificate is set to true. If the application is running in DXP, then we will provide certificates automatically via the EPiServer.CloudPlatform.Cms package in version 1.3.0 or later:
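To see why the 401 appears only in a multi-instance setup, the following added example (not code from this article, from Optimizely or from OpenIddict) issues a JWT with one self-signed certificate and validates it against another, the way the resource API on a second instance would. It uses the System.IdentityModel.Tokens.Jwt package directly instead of the full OpenIddict pipeline; the issuer, audience and certificate names are assumptions.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

static class CrossInstanceTokenDemo
{
    const string Issuer = "https://cms.example.test";   // assumed issuer
    const string Audience = "cd-search-api";            // assumed resource API audience

    // Stands in for the development certificate each instance generates on its own.
    static X509Certificate2 NewDevCert(string name)
    {
        var rsa = RSA.Create(2048);
        var req = new CertificateRequest($"CN={name}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    static string IssueToken(X509Certificate2 signingCert)
    {
        var creds = new X509SigningCredentials(signingCert, SecurityAlgorithms.RsaSha256);
        var jwt = new JwtSecurityToken(Issuer, Audience,
            new[] { new Claim(ClaimTypes.Name, "editor") },
            expires: DateTime.UtcNow.AddMinutes(10), signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    // Mirrors the local validation a resource API performs; a false result is what surfaces as HTTP 401.
    static bool Validates(string token, X509Certificate2 expectedCert)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = new X509SecurityKey(expectedCert),
        };
        try { new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _); return true; }
        catch (SecurityTokenException) { return false; }
    }

    static void Main()
    {
        var instance1 = NewDevCert("instance1");
        var instance2 = NewDevCert("instance2");
        var token = IssueToken(instance1);
        Console.WriteLine(Validates(token, instance1)); // True: validated by the issuing instance
        Console.WriteLine(Validates(token, instance2)); // False: other instance, other certificate -> 401
        var shared = NewDevCert("shared");              // what AddOpenIDConnect gets on both instances
        Console.WriteLine(Validates(IssueToken(shared), shared)); // True: shared certificate
    }
}
```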