Introducing Key Rotation for OpenIddict

•
Date Posted: 05 August 2025; •
Author: James Britton; •
Estimated Reading Time: 15 minute read

Introduction

OpenIddict is a free and open source OIDC framework for .NET. that can be used to create both OIDC Clients and Authorization Server.

OpenIddict is a flexible framework for developing a Single Sign-On OpenID Connect (OIDC) Authorization Server. For an application to trust tokens issued by the OIDC Authorization server (issuer) the tokens needs to be signed by the issuer (typically using public/private keys).

Why Key Rotation Is Essential

If an attacker were able to create their own tokens, then this would allow them unauthorized access. For an attacker to do this, they would need access to the private key.

Therefore securing the key is very important, however it is possible for an attacker to derive the key if they can observe enough signed tokens, and have sufficient period of time for them to run the compute necessary to derive the private key.

To mitigate this risk, keys should be changed every 60-90 days. Performing this task manually is a chore, and will possibly be missed. A better solution is for the OIDC Authorisation server to rotate the key every 60 days automatically.

Out of the box, OpenIddict does not offer automatic key rotation. In OpenIddict, key material must be configured via code, modifying the `OpenIddictServerOptions ' object. Signing credentials configured on the options object are passed to services to be displayed in the JWKs endpoint or used for signing. Changes to key material, therefore, require code changes and redeployment.

This is why Rock Solid Knowledge has built a Key Rotation component for OpenIddict. To add automatic key rotation to OpenIddict its as simple as adding the Rsk.OpenIddict.KeyRotation NuGet package to your .NET Core OpenIddict Server and call the extension on the OpenIddictServerBuilder, to enable this functionality.

How to Use

Using the RSK Key Rotation for the OpenIddict package is simple, and we will guide you through a simple installation now. Currently, RSK Key Rotation only supports using Entity Framework databases for key storage. So, the following will be configured to use a database.

If you already have an OpenIddict instance, you can follow these steps to add Key Rotation. Or alternatively, you can use our AdminUI integration sample and follow these steps.

Install the NuGet package in your OpenIddict server project.

dotnet add package Rsk.KeyRotation.OpenIddict

Call the . AddKeyRotation extension method on the OpenIddictServerBuilder

// Register the OpenIddict server components.
.AddServer(options =>
{
    …
    // Adding Key Rotation component to OpenIddict instance
    options.AddKeyRotation(krBuilder =>
    {
        krBuilder.UseEntityFrameworkCore()
            .AddKeyRotationDbContext(opt =>
            {
                opt.UseSqlServer("KeyRotationDbConnectionStr", c => c.MigrationsAssembly("Samples.KeyRotationWithEntityFramework"));
            });

	   krBuilder.AddLicense(“DMEO”, “***License Key***”);

    });
    …
})

Generate Database Tables

dotnet ef migrations add Initial_KeyRotationDataBase --context KeyRotationDbContext

dotnet ef database update

Remove Any Static Signing Certificates Configured

Key Rotation adds the signing keys generated to the configuration, preserving any previously configured keys. If you have a development certificate configured for signing or keys, you no longer want it configured; you should remove those.

So, if you used our sample as a starting point, the line you will need to remove would be this one:

.AddDevelopmentSigningCertificate()

Start OpenIddict

Now, when you start OpenIddict, you should see an initial key rotation occur to generate the first signing key.[JH1] [JB2]

By default, RSK Key Rotation generates an RSA key with a 180-day lifespan. And when it’s time for a new key, it will be generated 7 days before it is used to sign tokens. And when a key expires, it will no longer be used for signing but will remain in the discovery document for 7 days. Both the publish time and retirement time can be configured independently.

You can read all the configuration options in the KeyRotation documentation

What’s Next?

We want to add support for other methods of key storage, as we only currently support configuring the entity framework provider for key storage.

We would also like to support using FIPS-compliant packages for key material generation. Currently, we just use the .net built-in tools to generate the two supported key types.

Get A 30-Day Free Demo

Get a demo license key, and test the Key Rotation component in under 5 minutes.

Free Demo

James Britton He/Him

•
Job Role: Software Engineer; •
Company: Rock Solid Knowledge

31 Oct 2024
Hello OpenIddict

Rock Solid Knowledge has been developing IAM components and solutions based on IdentityServer4 and Duende IdentityServer for over 8 years; we are proud to say that all our offerings are now available on the free OpenIddict platform

Andrew Clymer

Job Role

Head of Identity and Access Management

Hello OpenIddict
31 Oct 2024
QuickStart Your OpenIddict SSO Solution With AdminUI

Get an SSO solution up and running with OpenIddict and a Management UI (AdminUI) in less than an hour

Joe Harvey

Job Role

Software Developer

QuickStart Your OpenIddict SSO Solution With AdminUI