DuendeSoftware / Support

Support for Duende Software products

No signing credential for algorithms (True) registered. #1333

Closed haukehem closed 2 days ago

haukehem commented 1 month ago

Which version of Duende IdentityServer: 7.0.5

Which version of .NET: 8.0.3

Description/Repro

I configured my IdentityServer middleware to use persistent database stores for configuration and operational data as well as automatic key management with the database store implementation:

builder.Services
    .AddIdentityServer(options =>
    {
        options.Events.RaiseErrorEvents = true;
        options.Events.RaiseInformationEvents = true;
        options.Events.RaiseFailureEvents = true;
        options.Events.RaiseSuccessEvents = true;

        options.EmitStaticAudienceClaim = true;
        options.LicenseKey = identityServerLicenseKey;
    })
    .AddOperationalStore(options =>
    {
        options.ConfigureDbContext = b => b.UseSqlServer(connstr, sql => sql.MigrationsAssembly(migrationAssembly));
    })
    .AddConfigurationStore(options =>
    {
        options.ConfigureDbContext = b => b.UseSqlServer(connstr, sql => sql.MigrationsAssembly(migrationAssembly));
    })
    .AddAspNetIdentity<ApplicationUser>()
    .AddSigningKeyStore<SigningKeyStore>()
    .AddPersistedGrantStore<PersistedGrantStore>();

In my database, there is an Authorization Code + PKCE flow client and also one entry in the Keys table. In the client db entry, the AllowedIdentityTokenSigningAlgorithms is set to null as expected. When trying to obtain a token via Postman, I successfully get redirected back from the /connect/authorize call, but when calling /connect/token afterwards, the IdentityServer throws an InvalidOperationException: No signing credential for algorithm (True) registered.

Log output/exception with stacktrace

[08:15:42 Fatal] Duende.IdentityServer.Hosting.IdentityServerMiddleware
Unhandled exception: No signing credential for algorithms (True) registered.
System.InvalidOperationException: No signing credential for algorithms (True) registered.
   at Duende.IdentityServer.Services.DefaultKeyMaterialService.GetSigningCredentialsAsync(IEnumerable`1 allowedAlgorithms) in /_/src/IdentityServer/Services/Default/DefaultKeyMaterialService.cs:line 73
   at Duende.IdentityServer.Services.DefaultTokenCreationService.CreateJwtAsync(Token token, String payload, Dictionary`2 headerElements) in /_/src/IdentityServer/Services/Default/DefaultTokenCreationService.cs:line 130
   at Duende.IdentityServer.Services.DefaultTokenCreationService.CreateTokenAsync(Token token) in /_/src/IdentityServer/Services/Default/DefaultTokenCreationService.cs:line 76
   at Duende.IdentityServer.Services.DefaultTokenService.CreateSecurityTokenAsync(Token token) in /_/src/IdentityServer/Services/Default/DefaultTokenService.cs:line 254
   at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.CreateAccessTokenAsync(ValidatedTokenRequest request) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 438
   at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessTokenRequestAsync(TokenRequestValidationResult validationResult) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 335
   at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessAuthorizationCodeRequestAsync(TokenRequestValidationResult request) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 145
   at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessAsync(TokenRequestValidationResult request) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 99
   at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context) in /_/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 133
   at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context) in /_/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 81
   at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 106
haukehem commented 1 month ago

I have gathered further information on this exception's origin. It is thrown during the /connect/token-call when, while starting the authentication flow via the /connect/authorize-redirect, the IdentityServerApi-scope is requested. This scope is required because I added custom actions to my IdentityServer. These actions require the [Authorize(LocalApi.PolicyName)]-annotation.

RolandGuijt commented 1 month ago

Can you please provide us with the column values of the record in the Keys table? (Except for data perhaps if that's too long/sensitive)

haukehem commented 1 month ago

Hi! Sorry for the small delay - sure, the values in my Key table are:

I only have this one row in the Key table.

RolandGuijt commented 2 weeks ago

We're still investigating this. Can you please share the configuration of your ApiResource?
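The exception message in the trace prints the list of allowed algorithms that was handed to GetSigningCredentialsAsync, and here that list reads (True); the call comes from CreateAccessTokenAsync, and IdentityServer derives the access-token algorithm list from the AllowedAccessTokenSigningAlgorithms of the ApiResources matching the requested scopes, which is why the ApiResource record is the thing to inspect. The following is an added example, not code from this thread or from Duende: a start-up consistency check that reads the stored algorithm lists from the EF configuration store, flags values that are not JWS algorithm names, and flags names for which the key store holds no key. It assumes the ConfigurationDbContext and the ISigningKeyStore from the issue's Program.cs are registered in DI; the class and method names are invented for the example.

```csharp
// Added example (not part of the thread or the Duende code base): start-up check of
// the allowed-signing-algorithm values stored in the configuration database against
// the algorithms for which the key store actually holds a key.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Duende.IdentityServer.EntityFramework.DbContexts;
using Duende.IdentityServer.Stores;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class SigningAlgorithmConfigCheck
{
    // JWS algorithm names IdentityServer's key management can sign with. Anything
    // else stored in AllowedAccessTokenSigningAlgorithms / AllowedIdentityTokenSigningAlgorithms
    // is passed verbatim to GetSigningCredentialsAsync and fails there at token time.
    private static readonly HashSet<string> KnownAlgorithms = new(StringComparer.Ordinal)
    {
        SecurityAlgorithms.RsaSha256, SecurityAlgorithms.RsaSha384, SecurityAlgorithms.RsaSha512,
        SecurityAlgorithms.RsaSsaPssSha256, SecurityAlgorithms.RsaSsaPssSha384, SecurityAlgorithms.RsaSsaPssSha512,
        SecurityAlgorithms.EcdsaSha256, SecurityAlgorithms.EcdsaSha384, SecurityAlgorithms.EcdsaSha512,
    };

    // The EF entities store the algorithm collection as one space-separated string.
    public static IReadOnlyList<string> ParseAlgorithmList(string? stored) =>
        string.IsNullOrWhiteSpace(stored)
            ? Array.Empty<string>()
            : stored.Split(' ', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);

    // Returns human-readable findings; an empty list means the stored configuration is consistent.
    public static async Task<List<string>> RunAsync(IServiceProvider services)
    {
        var findings = new List<string>();
        using var scope = services.CreateScope();
        var config = scope.ServiceProvider.GetRequiredService<ConfigurationDbContext>();
        var keyStore = scope.ServiceProvider.GetRequiredService<ISigningKeyStore>();

        // Algorithms for which a key currently exists (the Keys table, via the key store).
        var available = (await keyStore.LoadKeysAsync())
            .Select(k => k.Algorithm)
            .ToHashSet(StringComparer.Ordinal);
        if (available.Count == 0)
            findings.Add("Key store holds no keys; automatic key management has not created one yet.");

        foreach (var api in config.ApiResources.AsNoTracking())
            foreach (var alg in ParseAlgorithmList(api.AllowedAccessTokenSigningAlgorithms))
                Check(findings, $"ApiResource '{api.Name}'", alg, available);

        foreach (var client in config.Clients.AsNoTracking())
            foreach (var alg in ParseAlgorithmList(client.AllowedIdentityTokenSigningAlgorithms))
                Check(findings, $"Client '{client.ClientId}'", alg, available);

        return findings;
    }

    private static void Check(List<string> findings, string owner, string alg, HashSet<string> available)
    {
        if (!KnownAlgorithms.Contains(alg))
            findings.Add($"{owner}: '{alg}' is not a JWS signing algorithm name (expected e.g. RS256, PS256, ES256).");
        else if (!available.Contains(alg))
            findings.Add($"{owner}: requires {alg} but the key store has no {alg} key.");
    }
}
```

Run it once after the host is built, for instance `foreach (var f in await SigningAlgorithmConfigCheck.RunAsync(app.Services)) app.Logger.LogWarning("{Finding}", f);` before `app.Run()`, so a stray value such as a boolean written into an algorithm column surfaces in the start-up log instead of as an InvalidOperationException on the first /connect/token call. Key management creates a key for an algorithm only after the first request that needs it, so the "no keys" finding on a fresh database is informational rather than an error.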

RolandGuijt commented 1 week ago

@haukehem Is your problem solved? If so I would like to close this issue.

RolandGuijt commented 2 days ago

Closing for now but feel free to reopen if you feel the need to add a comment.