Why You Need to Rotate Your Signing Keys

IdentityServer provides access tokens for clients to access protected resources and identity tokens for describing user authentication.

For your applications to trust these tokens, they need to be able to verify them. When using JSON Web Tokens (JWTs), this means the tokens must be signed by IdentityServer.

If the private keys used by IdentityServer to sign these tokens are compromised, then attackers can generate whatever access tokens they wish and do untold damage.

Protecting Your Keys

In the safe cracking world, safe makers will not warrant a safe as "uncrackable", but they will state that the safe is "uncrackable within a given time period".

So, if a guard physically checks on the safe during the warranty interval, you should be okay.

Signing keys are similar to items in the safe. We cannot guarantee they will never be stolen or compromised. But as long as we put measures in place to ensure that by the time they are compromised they have become useless, then that is a win.

The time period for replacing keys will change over time as computing power changes. With today's computing power, 90 days would probably be sufficient.

As the IdentityServer administrator, you could set a diary entry to remind you to change the keys, but we all know how well that will play out. Nor is it a case of simply replacing keys, as that immediately requires all applications to re-request tokens.

We need to phase out old keys and bring in new keys inside a given window, so as not to put undue load on the system.

Implementing this manually is not going to be viable.
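
The phased rotation described above, modelled as an added example; it is not IdentityServer or KeyManagement code. Only the 90-day period comes from this article: the 14-day announce and retire windows, the key naming and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ROTATION = timedelta(days=90)  # signing period, the article's figure
ANNOUNCE = timedelta(days=14)  # assumed: published before first use so validators can cache it
RETIRE = timedelta(days=14)    # assumed: kept for validation after last use

@dataclass(frozen=True)
class Key:
    kid: str
    created: datetime

    def state(self, now):
        age = now - self.created
        if age < ANNOUNCE:
            return "announced"
        if age < ANNOUNCE + ROTATION:
            return "signing"
        if age < ANNOUNCE + ROTATION + RETIRE:
            return "retired"
        return "expired"

def rotate(keys, now):
    """Drop expired keys; create a successor early enough to be announced."""
    keys = [k for k in keys if k.state(now) != "expired"]
    if not keys:
        created = now - ANNOUNCE  # bootstrap: the first key signs immediately
    elif now - max(k.created for k in keys) >= ROTATION:
        created = now
    else:
        return keys
    return keys + [Key(created.strftime("key-%Y%m%d"), created)]

def signing_key(keys, now):
    return next(k for k in keys if k.state(now) == "signing")

def simulate(start, days, token_lifetime):
    """Run rotation daily; count live tokens whose key is no longer published."""
    keys, tokens, signers, orphaned = [], [], [], 0
    for d in range(days):
        now = start + timedelta(days=d)
        keys = rotate(keys, now)
        kid = signing_key(keys, now).kid
        if kid not in signers:
            signers.append(kid)
        tokens = [t for t in tokens if t[1] > now] + [(kid, now + token_lifetime)]
        published = {k.kid for k in keys}
        orphaned += sum(1 for t in tokens if t[0] not in published)
    return signers, orphaned

if __name__ == "__main__":
    print(simulate(datetime(2020, 1, 1), 365, timedelta(hours=1)))
    print(simulate(datetime(2020, 1, 1), 365, timedelta(days=30)))
```

The second run uses tokens that outlive the retire window, so some are still live after their key has been dropped; the retire window has to be at least as long as the longest token lifetime.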

KeyManagement for IdentityServer

The KeyManagement component automatically rotates keys for you, taking this process out of your hands.

KeyManagement utilises the ASP.NET Core Data Protection libraries to ensure that these keys are stored securely and available inside a clustered environment, giving you that 90-day protection.

Last updated: May 14, 2020
