Open Closed

Questions related to redis and OpenIdDict #4807


User avatar
0
alin.berce created

I have two questions that I'd like some clarification.

  1. When using the default template (not tiered) but with a public web site, how can I disable Redis? What is the impact of not having Redis for small projects in this case?

  2. As stated here on abp support and in the link provided https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html the requirement for production is to generate and register certificates. While the certificates can be pretty easily added on Azure, what happens when the apps are hosted on IIS? There it says that it recommends to store the certificate on the machine's store however, not all hosting services provide this kind of access or option to do this. Is there a simpler way to have the openIdDict working without these certificates? Previously when using IdentityServer things were simpler.


7 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    1. you have to use Redis if you specify a public website.

    https://support.abp.io/QA/Questions/2401/Setting-Mangement-Issue

    1. identity server uses the Certificate like AddDevelopmentEncryptionAndSigningCertificate of Openiddict,

    AddDevelopmentEncryptionAndSigningCertificate cannot be used in applications deployed on IIS or Azure App Service: trying to use them on IIS or Azure App Service will result in an exception being thrown at runtime (unless the application pool is configured to load a user profile). To avoid that, consider creating self-signed certificates and storing them in the X.509 certificates store of the host machine(s). Please refer to: https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html#registering-a-development-certificate

    https://docs.abp.io/en/abp/latest/Modules/OpenIddict#abpopeniddictaspnetcoreoptions

  • User Avatar
    0
    alin.berce created

    Basically this doesn't answer any of my questions.

    What would happen without redis specifically? Some settings not being updated to public? Any other performance related issues? Because from experience, with redis things can get worse in some cases if the redis server is not on the same hosting.

    Identity Server has been replaced with Openididict which instad of making things easier it makes things more dificult when publishing on other hosts than Azure. What happens on IIS where there's no access to install certs on machine? Are you saying that one can configure application pool to load a user profile and use AddDevelopmentEncryptionAndSigningCertificate in production?

    So at this point beside abp running one needs to have Redis available, needs to have access to add self signed certificates and this mostly translates into the need of using Azure. But what if you have a small project? What if you don't want to use Azure?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    What would happen without redis specifically?

    The data in Web and WebPublic may be inconsistent.

    For example, the Web changes the cache, but WebPublic cannot know.

    If Redis is disabled, Web Public will frequently get data from the Web and cause performance problems.


    You can create a certificate and put in the application directory.

    The latest template already did this.

    dotnet dev-certs https -v -ep authserver.pfx -p 2D7AA457-5D33-48D6-936F-C48E5EF468ED
    
    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        var hostingEnvironment = context.Services.GetHostingEnvironment();
        var configuration = context.Services.GetConfiguration();
    
        if (!hostingEnvironment.IsDevelopment())
        {
            PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
            {
                options.AddDevelopmentEncryptionAndSigningCertificate = false;
            });
    
            PreConfigure<OpenIddictServerBuilder>(builder =>
            {
                builder.AddSigningCertificate(GetSigningCertificate(hostingEnvironment, configuration));
                builder.AddEncryptionCertificate(GetSigningCertificate(hostingEnvironment, configuration));
                builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]));
            });
        }
    }
    
    private X509Certificate2 GetSigningCertificate(IWebHostEnvironment hostingEnv, IConfiguration configuration)
    {
        var fileName = "authserver.pfx";
        var passPhrase = "2D7AA457-5D33-48D6-936F-C48E5EF468ED";
        var file = Path.Combine(hostingEnv.ContentRootPath, fileName);
    
        if (!File.Exists(file))
        {
            throw new FileNotFoundException($"Signing Certificate couldn't found: {file}");
        }
    
        return new X509Certificate2(file, passPhrase);
    }
    
  • User Avatar
    0
    alin.berce created

    Thank you for your time.

    Related to redis, if both the Web and Web.Public are on the same server, should there be performance issues for small projects? I know that on older abp versions redis could have been disabled, but on newer ones, starting with abp 6.0 I think, is required even on local machine development. So, can it be disabled on abp 6+ completely for small projects?

    Secondly, let me see if I get this right

    • first use dotnet command to generate the certificate
    • copy the generated file on the application directory (any particular place to copy it?)
    • use the file from GetSigningCertificate This should make it work without the need to add the self signed certificates to azure/iis correct?
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    So, can it be disabled on abp 6+ completely for small projects?

    We recommend using Redis, but you can try to disable it in web and webpublic. I'm not sure if there will be any impact in the future, because we will assume that they will use Redis..

    This should make it work without the need to add the self signed certificates to azure/iis correct?

    The pfx file will be: Path.Combine(hostingEnv.ContentRootPath, "authserver.pfx")

    FROM mcr.microsoft.com/dotnet/aspnet:7.0 AS base
    COPY bin/Release/net7.0/publish/ app/
    WORKDIR /app
    
    FROM mcr.microsoft.com/dotnet/sdk:7.0 AS build
    WORKDIR /src
    RUN dotnet dev-certs https -v -ep authserver.pfx -p 2D7AA457-5D33-48D6-936F-C48E5EF468ED
    
    FROM base AS final
    WORKDIR /app
    COPY --from=build /src .
    
    ENTRYPOINT ["dotnet", "MyCompanyName.MyProjectName.AuthServer.dll"]
    
  • User Avatar
    0
    alin.berce created

    Thank you for your explanation.

    I see in the abp docs that there is a mention that by default it uses memory cache. If both the public web and web are on the same server (web on a subfolder), shouldn't caching still be working using memory cache and no need for redis in this case?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    The Distributed Memory Cache isn't an actual distributed cache. Cached items are stored by the app instance on the server where the app is running.

    https://learn.microsoft.com/en-us/aspnet/core/performance/caching/distributed?view=aspnetcore-7.0#distributed-memory-cache

Made with ❤️ on ABP v9.1.0-preview. Updated on December 05, 2024, 12:19