class Duende.IdentityServer.Configuration.KeyManagementOptions
Assembly: Duende.IdentityServer
Inheritance: object → KeyManagementOptions
Settings for automatic signing key management, including key rotation, propagation, and storage behavior.
Properties
public bool Enabled
Gets or sets a value indicating whether automatic key management is enabled. When disabled, signing keys must be configured manually.
Remarks: Defaults to true.
public int RsaKeySize
Gets or sets the size in bits of RSA keys generated by automatic key management.
Remarks: Defaults to 2048 bits. Applies to all RSA-based signing algorithms
(RS256, RS384, RS512, PS256, PS384, PS512).
public System.Collections.Generic.ICollection<SigningAlgorithmOptions> SigningAlgorithms
Gets or sets the signing algorithms for which automatic key management will generate and rotate keys.
The first algorithm in the collection is used as the default for clients that do not
specify AllowedIdentityTokenSigningAlgorithms.
Remarks: Defaults to RS256 without an X.509 certificate wrapper when no algorithms are
specified. Supported algorithm names are RS256, RS384, RS512,
PS256, PS384, PS512, ES256, ES384, and ES512.
X.509 certificate wrapping is not supported for EC keys.
InitializationDuration
Gets or sets the window of time treated as an initialization period when no keys have been created
yet, allowing multiple server instances to synchronize before a key is selected.
Remarks: Defaults to 5 minutes.
InitializationSynchronizationDelay
Gets or sets the delay between re-loading keys from the store during the initialization period,
giving other server instances time to write their newly created keys.
Remarks: Defaults to 5 seconds.
InitializationKeyCacheDuration
Gets or sets how long keys are cached from the store during the initialization period.
Remarks: Defaults to 1 minute. A shorter cache duration during initialization ensures that newly
written keys from other nodes are picked up quickly.
KeyCacheDuration
Gets or sets how long keys are cached from the store during normal operation.
Remarks: Defaults to 24 hours. This value is automatically capped at half of
PropagationTime to ensure servers have up-to-date key information before
clients need to refresh their discovery caches.
PropagationTime
Gets or sets the expected time for new keys to propagate to all server instances and for all clients
to refresh their discovery document cache.
Remarks: Defaults to 14 days. New keys are published in the discovery document for this duration
before they become the active signing key, ensuring clients have time to learn about them.
RotationInterval
Gets or sets the age at which a key stops being used for signing but remains published in the
discovery document for token validation.
Remarks: Defaults to 90 days. After this interval, a new key takes over signing duties while the
old key remains available for validating previously issued tokens during the
RetentionDuration.
RetentionDuration
Gets or sets how long a rotated key remains published in the discovery document after it stops being
used for signing.
Remarks: Defaults to 14 days. This allows resource servers to validate tokens signed with the
old key until those tokens expire.
public bool DeleteRetiredKeys
Gets or sets a value indicating whether keys are automatically deleted from the store after they have passed their retention period.
Remarks: Defaults to true.
public bool DataProtectKeys
Gets or sets a value indicating whether stored keys are automatically protected using ASP.NET Core Data Protection.
Remarks: Defaults to true. Disable this only if the underlying storage already provides
encryption at rest.
public string KeyPath
Gets or sets the file system path where keys are stored when using the default file-based key store.
Remarks: Defaults to a keys directory relative to the application's current working
directory. This setting is ignored when a custom ISigningKeyStore is registered.
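The PropagationTime, RotationInterval, RetentionDuration, DeleteRetiredKeys and KeyCacheDuration remarks above describe one key's lifecycle. The following model is an added illustration of those documented semantics, not IdentityServer code; it uses the documented defaults, and the max_token_lifetime parameter of check_options is an assumed input (the longest lifetime of tokens the server issues), not an option on this class.

```python
from datetime import datetime, timedelta

# Documented defaults of KeyManagementOptions (model only, not IdentityServer code).
PROPAGATION_TIME = timedelta(days=14)
ROTATION_INTERVAL = timedelta(days=90)
RETENTION_DURATION = timedelta(days=14)
KEY_CACHE_DURATION = timedelta(hours=24)


def effective_key_cache_duration(key_cache_duration=KEY_CACHE_DURATION,
                                 propagation_time=PROPAGATION_TIME):
    """KeyCacheDuration is capped at half of PropagationTime."""
    return min(key_cache_duration, propagation_time / 2)


def key_phase(created, now, propagation_time=PROPAGATION_TIME,
              rotation_interval=ROTATION_INTERVAL,
              retention_duration=RETENTION_DURATION,
              delete_retired_keys=True):
    """Documented state of a single key at time `now`, derived from its age."""
    age = now - created
    if age < timedelta(0):
        return "future"
    if age < propagation_time:
        return "announced"      # published in discovery, not yet signing
    if age < rotation_interval:
        return "signing"        # the active signing key
    if age < rotation_interval + retention_duration:
        return "retired"        # still published, used for validation only
    # Past retention: removed from discovery; deleted from the store only
    # when DeleteRetiredKeys is enabled.
    return "deleted" if delete_retired_keys else "unpublished"


def successor_deadline(created, propagation_time=PROPAGATION_TIME,
                       rotation_interval=ROTATION_INTERVAL):
    """Latest creation time of the next key so that it has finished
    propagating by the moment this key stops signing."""
    return created + rotation_interval - propagation_time


def check_options(propagation_time, rotation_interval, retention_duration,
                  max_token_lifetime):
    """Sanity checks to run before overriding the defaults (assumed input:
    max_token_lifetime is the longest lifetime of any issued token)."""
    problems = []
    if rotation_interval <= propagation_time:
        problems.append("RotationInterval must exceed PropagationTime, "
                        "otherwise a key is retired before it ever signs")
    if retention_duration < max_token_lifetime:
        problems.append("RetentionDuration is shorter than the longest token "
                        "lifetime, so valid tokens would fail validation")
    return problems
```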
Methods
public bool Equals(object obj) (inherited from object)
protected void Finalize() (inherited from object)
public int GetHashCode() (inherited from object)
protected object MemberwiseClone() (inherited from object)
public string ToString() (inherited from object)