
Impossible to use signing algorithm outside of the Identity Server whitelist #795

Closed
filipw opened this issue Jul 27, 2023 · 4 comments

Comments

@filipw

filipw commented Jul 27, 2023

Which version of Duende IdentityServer are you using?

6.3.3

Which version of .NET are you using?

7.0

Describe the bug

Identity Server contains a hardcoded fixed list of signing algorithms https://github.com/DuendeSoftware/IdentityServer/blob/main/src/IdentityServer/IdentityServerConstants.cs#L101.

To Reproduce

Try to register a custom or non-standard (outside of that list) SigningCredential.

Expected behavior

Given that all of:

support providing custom cryptography via the CryptoProviderFactory and its SignatureProvider, I find it odd that Identity Server has its own list to check algorithms against, and that it blows up if I supply e.g. my own derived SecurityKey with such customization.

I would expect that there would be an overload for advanced users that allows bypassing this fixed list validation.

Log output/exception with stacktrace

Unhandled exception. System.InvalidOperationException: Signing algorithm CRYDI3 is not supported.
   at Microsoft.Extensions.DependencyInjection.IdentityServerBuilderExtensionsCrypto.AddSigningCredential(IIdentityServerBuilder builder, SigningCredentials credential) in /_/src/IdentityServer/Configuration/DependencyInjection/BuilderExtensions/Crypto.cs:line 39
@leastprivilege
Member

Is that for a real business scenario - or just some experimentations?

@filipw
Author

filipw commented Jul 29, 2023

I am working on integrating Dilithium on a bigger scale and ran into this problem.
You can find the repo here https://github.com/filipw/Strathweb.Dilithium

I am still able to work around this limitation by simply calling this instead of going through the "official" builder method but since the security key is, well, of SecurityKey type you could still register it using that method separately and then it blows up. That supported algorithm check is also internally done in key management which I am also not sure is necessary.

I understand you only want to have "safe algorithms" but I think, without further complicating things, maybe even a global static toggle would be nice to allow opting in to an extended algo set (similar to e.g. IdentityModelEventSource.ShowPII or some other flag on IdSrv options), especially as the underlying security model from IdentityModel allows for such extensibility. Also, IdentityServer is remarkably extensible already (you can swap pretty much everything, which is great) so this feels a bit too restrictive.
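
One way to take the DI route described above while keeping an explicit, reviewable allowlist rather than dropping the algorithm check entirely (added example, not code from the issue author or from Duende; it assumes the Duende ISigningCredentialStore, IValidationKeysStore, SecurityKeyInfo and IdentityServerConstants.SupportedSigningAlgorithms types as named, that registering these stores replaces the built-in AddSigningCredential path for static keys, and that the class and extension-method names are hypothetical; the check inside automatic key management mentioned above is not covered):

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Duende.IdentityServer;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Stores;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Hypothetical store: the built-in SupportedSigningAlgorithms list plus the
// algorithm names explicitly opted in at registration time.
public sealed class AllowlistedSigningCredentialStore : ISigningCredentialStore, IValidationKeysStore
{
    private readonly SigningCredentials _credential;

    public AllowlistedSigningCredentialStore(SigningCredentials credential, IEnumerable<string> extraAlgorithms)
    {
        var allowed = new HashSet<string>(
            IdentityServerConstants.SupportedSigningAlgorithms.Concat(extraAlgorithms),
            StringComparer.Ordinal);

        // Same fail-fast behaviour as AddSigningCredential, but against the extended list,
        // so a credential with an unreviewed algorithm still stops startup.
        if (!allowed.Contains(credential.Algorithm))
            throw new InvalidOperationException(
                $"Signing algorithm {credential.Algorithm} is not in the configured allowlist.");

        _credential = credential;
    }

    public Task<SigningCredentials> GetSigningCredentialsAsync() => Task.FromResult(_credential);

    // Publish the same key for token validation (discovery / JWKS) as for signing.
    public Task<IEnumerable<SecurityKeyInfo>> GetValidationKeysAsync() =>
        Task.FromResult<IEnumerable<SecurityKeyInfo>>(new[]
        {
            new SecurityKeyInfo { Key = _credential.Key, SigningAlgorithm = _credential.Algorithm }
        });
}

public static class AllowlistedSigningCredentialExtensions
{
    // Hypothetical helper; the opt-in ("CRYDI3" is the name from the exception in this issue)
    // is visible in one place instead of being an untracked side effect of bypassing the builder.
    public static IServiceCollection AddAllowlistedSigningCredential(
        this IServiceCollection services, SigningCredentials credential, params string[] extraAlgorithms)
    {
        var store = new AllowlistedSigningCredentialStore(credential, extraAlgorithms);
        services.AddSingleton<ISigningCredentialStore>(store);
        services.AddSingleton<IValidationKeysStore>(store);
        return services;
    }
}
```

Called as `builder.Services.AddAllowlistedSigningCredential(dilithiumCredential, "CRYDI3")` after `AddIdentityServer()`, where `dilithiumCredential` is a placeholder for a SigningCredentials built from the custom SecurityKey.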

@josephdecock
Member

@filipw, thanks for your feedback. I've added an issue to our backlog to consider customization of the supported signing algorithms that we'll consider for future releases. For now, it sounds like you were able to customize things in DI to accomplish what you wanted. Is that accurate/is there anything else that you need? Otherwise, we'll close this issue - thanks!

@josephdecock josephdecock self-assigned this Aug 10, 2023
@josephdecock
Member

Closing, but feel free to reopen if necessary.
