Home > Deployment > ASP.NET Core Data Protection

ASP.NET Core Data Protection

Duende IdentityServer relies on the built-in data protection feature of ASP.NET for

protecting signing keys at rest (if automatic key management is used and enabled)
protecting persisted grants at rest (if enabled)
protecting server-side session data at rest (if enabled)
protecting the state parameter for external OIDC providers (if enabled)
protecting message payloads sent between pages in the UI (e.g. logout context and error context).
session management (because the ASP.NET Core cookie authentication handler requires it)

It is crucial that you setup ASP.NET Core data protection correctly before you start using your IdentityServer in production. Please consult the Microsoft documentation for more details.