IdentityServer4.AccessTokenValidation is Not Strongly-Named

[vdachev]

Hello,

We're trying to use the latest IdentityServer4.AccessTokenValidation NuGet package (2.7.0) in a strongly-named .NET Core application and we get the following error:

FileLoadException: Could not load file or assembly 'IdentityServer4.AccessTokenValidation, Version=2.7.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. A strongly-named assembly is required. (Exception from HRESULT: 0x80131044)

So it seems the assembly in the package is not strongly-named and my only option (please, correct me if I'm wrong) seems to be disabling the signing of the application and any other projects that reference it.

According to a Strong Name Signing document by the CoreFX team:

Because of the viral nature of strong-naming, it is recommended that publicly published .NET libraries are strong-named. Not strong-naming a .NET library excludes anyone who does need to strong-name their application or library from using it.

So, is there a reason for the IdentityServer4.AccessTokenValidation output not to be strongly-named or is it an issue worth addressing?

Thank you! :)

[leastprivilege]

I hope you are not strong naming for security reasons - because it is not a security feature.

That being said - we will strong name the upcoming 3.0 release. Probably beginning next year.

[vdachev]

Strong-naming is a common policy for all projects included in our build process in order to prevent accidental drop-in replacements and enable registration of assemblies in the GAC. Of course, there are projects signing doesn't make much sense (such as web or console apps) but once we decide to reference a non strong-named assembly from our own class library, in run into an issue like this one.

[leastprivilege]

I can't remember if we ever did that - but this library is deprecated in favour of this superior and more flexible approach:

https://leastprivilege.com/2020/07/06/flexible-access-token-validation-in-asp-net-core/