Key Material

The cryptographic keys (JWKS) are stored in the database and refreshed automatically every 90 days. ECDSA using P-256 and SHA-256 (ES256) is the default algorithm.

Signing key rollover

While only one signing key can be used at a time, IdentityServer4 provides a mechanism to publish more than one validation key in the discovery document. This is useful for key rollover: every 90 days a new key is published automatically, following the NIST SP 800-107 Rev. 1 best practices.

By default it uses elliptic-curve signatures, ECDSA with P-256 and SHA-256, following the RFC 7518 best practices.
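The rollover behaviour described above, as an added example that is not part of this page, of IdentityServer4 or of Jwks.Manager: a hypothetical in-memory KeyRing in Go that keeps a single ES256 signing key, retires it after 90 days while still accepting it for validation (the role of the extra validation keys in the discovery document), and signs and verifies using the fixed-size r||s signature layout RFC 7518 specifies for ES256. KeyRing, NewKeyRing, Rotate, Sign, Verify and the date-based kid are assumed names and conventions, not the project's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
	"time"
)

// KeyRing is a hypothetical key store: one signing key, every key still accepted for validation.
type KeyRing struct {
	keys      map[string]*ecdsa.PrivateKey // by kid; retired keys stay here for validation only
	current   string                       // kid of the single signing key
	rotatedAt time.Time
}
func NewKeyRing() *KeyRing { return &KeyRing{keys: map[string]*ecdsa.PrivateKey{}} }
// Rotate generates a fresh P-256 key once the current one is 90 days old (the page's cadence);
// the old key stays in keys, so tokens it signed keep validating during the rollover window.
func (r *KeyRing) Rotate(now time.Time) error {
	if r.current != "" && now.Sub(r.rotatedAt) < 90*24*time.Hour {
		return nil
	}
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	r.current, r.rotatedAt = now.Format("2006-01-02"), now // assumed kid scheme: creation date
	r.keys[r.current] = k
	return nil
}
// Sign hashes payload with SHA-256 and signs it with the current key; the signature is the
// fixed-size r||s concatenation RFC 7518 specifies for ES256, tagged with the signer's kid.
func (r *KeyRing) Sign(payload []byte) (kid string, sig []byte, err error) {
	digest := sha256.Sum256(payload)
	sr, ss, err := ecdsa.Sign(rand.Reader, r.keys[r.current], digest[:])
	if err != nil {
		return "", nil, err
	}
	return r.current, append(sr.FillBytes(make([]byte, 32)), ss.FillBytes(make([]byte, 32))...), nil
}
// Verify accepts a signature from the current or any retired key, but only under a known kid.
func (r *KeyRing) Verify(kid string, payload, sig []byte) bool {
	key, ok := r.keys[kid]
	if !ok || len(sig) != 64 {
		return false
	}
	digest := sha256.Sum256(payload)
	return ecdsa.Verify(&key.PublicKey, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}
```

A real deployment would publish the public halves of every key in `keys` as the JWKS and persist them, as the page says, in the database; verifiers must reject an unknown kid rather than fall back to any key.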

Database Store

To manage keys, the SSO uses the Jwks.Manager component. It provides many algorithms, and you can change the algorithm in Startup.cs.