I use IdentityServer to manage access to a few client APIs with the configuration details stored in SQL. The one downside to using IdentityServer is that there doesn’t yet seem to be a good option for administration of credentials, though Skoruba.IdentityServer4.Admin certainly looks promising.

In order to add new clients I therefore just insert into the underlying SQL tables, this is all pretty obvious apart from for the secrets tables (ApiSecrets, ClientSecrets) which take a hash of the secret, not the secret itself.

The value to be inserted is the SHA256 hash of your secret but this hash also needs to be Base64 encoded. This can be generated with the following SQL code from this stackoverflow answer.

DECLARE @HASHBYTES VARBINARY(128) = hashbytes('sha2_256', N'secret')
SELECT cast(N'' as xml).value('xs:base64Binary(sql:variable("@HASHBYTES"))', 'varchar(128)');


Karl Gjertsen · 26 April 2023 at 1:52 pm

This is not correct, as it produces the wrong result.

This uses a NVARCHAR, but needs to be a VARCHAR:
DECLARE @HASHBYTES VARBINARY(128) = hashbytes(‘sha2_256′, N’secret’)

You need to remove the N before the secret:
DECLARE @HASHBYTES VARBINARY(128) = hashbytes(‘sha2_256’, ‘secret’)

    Shinigami · 28 April 2023 at 6:39 pm

    Thanks, this worked for me previously as an NVARCHAR (though I haven’t used it recently) and the stackoverflow article I nabbed it from also used NVARCHAR so I’m guessing if it’s different for you then maybe it depends on the underlying column definition as to which should be used.

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *