How to call AddMicrosoftIdentityWebAppAuthentication when using Certificates to grant access to Azure Key Vault Secrets

Siegfried Heintze 1,861 Reputation points
2022-02-15T19:20:52.523+00:00

I would like to enhance the Blazor B2C Example (line 29) and ASP.NET Razor B2C Example (line 44) to be candidates for running in Azure App Service (as a Web App) and Azure Kubernetes.

I'm having trouble understanding how to make AddMicrosoftIdentityWebAppAuthentication read the clientid and app secrets from the azure key vault instead of the appsettings.json file. I believe these should not be stored in the appsettings.json file when running in Azure ... Correct?

I've been studying the sample code for using managed identities for Azure resources but I don't see them calling the function AddMicrosoftIdentityWebAppAuthentication. I would like to continue using AddMicrosoftIdentityWebAppAuthentication to fetch the secrets now stored in the Azure Key Vault and previously stored in the appsettings.json file. Is this possible? (After reading about using environment variables I'm guessing this is possible because there is a way to read the values from environment variables instead of appsettings.json).

If so, can someone show me an example using Managed Identities to make AddMicrosoftIdentityWebAppAuthentication read the necessary values (clientID, app secret etc..) from Azure Key vault instead of appsettings.json?

Regardless, I would like to also consider an alternative approach: How can I abandon AddMicrosoftIdentityWebAppAuthentication in favor of reading discrete values (like the clientID) from the azure key vault so they can be used by MSAL to authenticate my users?

2022 Feb 18 Fri update:

This web page is driving me nuts! This is the third time I'm typing this update in...

I see that this WebApplication.CreateBuilder(args) function has a lot of cool features including the ability to facilitate storing secrets in the azure key vault.

How can I use these features in this sample code to fetch secrets from the key vault? Looks like I can call AddOpenIdConnect instead of AddMicrosoftIdentityWebAppAuthentication . I was hoping there was a nice way to make AddMicrosoftIdentityWebAppAuthentication read from the key vault instead of the appsettings.json file. Is this possible?

2022 Feb 28 Mon Morning update:

Over the weekend I added several comments (questions actually) to ShwetaMathur's response. They were concerning how to create certificates for two different purposes: implementing HTTPS/SSL and allowing the Azure web app access to key vault secrets. Can everyone see those? Do I need to convert those to updates on this post so everyone can see them? I did not intend them to be private... I am adding some more tags to cover all my follow on questions.

Also, I created a related query on how to use Service Principals instead of certificates to grant an Azure WebApp access to Key Vault secrets while waiting for updates from ShwetaMathur and others...

Thanks

Siegfried


1 answer

  1. Shweta Mathur 27,456 Reputation points Microsoft Employee
    2022-02-25T11:53:44.247+00:00

    Hi @Siegfried Heintze ,

    Thanks for reaching out and apologies for the delay in response.

    Please find my response inline.

    1. I'm having trouble understanding how to make AddMicrosoftIdentityWebAppAuthentication read the clientid and app secrets from the azure key vault instead of the appsettings.json file. I believe these should not be stored in the appsettings.json file when running in Azure ... Correct?

    Your understanding is correct here that storing the client secret in the application’s configuration file is not secure, and that you are looking for an alternative to store the client id and client secret in a more secure way.

    There are two ways to avoid a client secret in the application file:
    a. Use the user secrets feature in ASP.NET Core
    ASP.NET provides ASPNETCORE_ENVIRONMENT, which can be set in the launchsettings.json file based on the environment (Development, Staging, Production), with values stored locally or in the operating system. Another way is to use the secret manager to manage credentials locally.
    b. Use certificates instead of app secrets
    Instead of a client secret, you can provide a client certificate stored in Azure Key Vault, and the certificate configuration is added to the AzureAdB2C section of appsettings.json:

       "ClientCertificates": [  
          {  
            "SourceType": "KeyVault",  
            "KeyVaultUrl": "https://msidentitywebsamples.vault.azure.net",  
            "KeyVaultCertificateName": "MicrosoftIdentitySamplesCert"  
          }  
       ]  
    

    and make AddMicrosoftIdentityWebAppAuthentication to retrieve credentials from Azure Key Vault in the same way.

    2. I've been studying the sample code for using managed identities for Azure resources but I don't see them calling the function AddMicrosoftIdentityWebAppAuthentication. I would like to continue using AddMicrosoftIdentityWebAppAuthentication to fetch the secrets now stored in the Azure Key Vault and previously stored in the appsettings.json file. Is this possible? (After reading about using environment variables I'm guessing this is possible because there is a way to read the values from environment variables instead of appsettings.json).

    Managed Identities allow you to manage credentials on their own if your application has been deployed on Azure. You can enable Managed Service Identity and add the Azure App Service’s service principal to Azure Key Vault. MSI allows you to generate a service principal on the associated Azure service itself. It means you don’t need to store a client Id and client secret anymore. Azure AD works directly with your Azure App Service.
    Ref docs: https://learn.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview

    3. Regardless, I would like to also consider an alternative approach: How can I abandon AddMicrosoftIdentityWebAppAuthentication in favor of reading discrete values (like the clientID) from the azure key vault so they can be used by MSAL to authenticate my users?

    Additionally, if you do not want to use the applicationSettings.json file but rather environment variables or KeyVault for storing the secrets, then one way to do this is to use AddAuthentication followed by a different override of AddMicrosoftIdentityWebApp which takes delegates:

    services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)  
                 .AddMicrosoftIdentityWebApp(options =>  
                 {  
                   // the delegate receives the MicrosoftIdentityOptions to populate;
                   // the Get...() helpers are placeholders for your own lookups
                   options.ClientId = GetClientIdFromEnvironmentVariable();  
                   options.TenantId = GetTenantIdFromEnvironmentVariable();  
                   options.ClientSecret = GetClientSecretFromKeyVault();  
                   // etc ...                
                 });  
    

    If you are looking to make AddMicrosoftIdentityWebAppAuthentication read from the key vault and don’t want to make any additional changes, then storing client certificate is the possible approach to avoid exposing secrets in your application.

    Hope this helps.
    Thanks,
    Shweta

    ------------------------------------------------------

    Please remember to "Accept Answer" if answer helped you.
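Putting the answer's two options together in one Program.cs for the ASP.NET Core B2C sample, as an added example that is not code from the original question, the answer or Microsoft's samples: Key Vault is registered as a configuration source (so the unchanged AddMicrosoftIdentityWebAppAuthentication call reads the secret from the vault), and the delegate overload is used for the certificate variant. The "KeyVaultName" and "UseClientCertificate" settings, the secret name "AzureAdB2C--ClientSecret" and the certificate name "B2cClientCert" are assumed names chosen for this example; the packages assumed are Azure.Identity, Azure.Extensions.AspNetCore.Configuration.Secrets, Microsoft.Identity.Web and Microsoft.Identity.Web.UI.

```csharp
// Program.cs (added example; names of vault, secret and certificate are assumed)
using Azure.Identity;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// 1. Make Key Vault a configuration source. DefaultAzureCredential uses the
//    App Service / AKS managed identity in Azure and the developer's own login
//    locally, so the app stores no credential for the vault itself. The identity
//    only needs the "Key Vault Secrets User" role (least privilege) on the vault.
var vaultName = builder.Configuration["KeyVaultName"];          // e.g. from app settings
var vaultUri = new Uri($"https://{vaultName}.vault.azure.net/");
builder.Configuration.AddAzureKeyVault(vaultUri, new DefaultAzureCredential());

if (!builder.Configuration.GetValue<bool>("UseClientCertificate"))
{
    // 2a. Secret variant. A vault secret named "AzureAdB2C--ClientSecret" surfaces
    //     as the configuration key "AzureAdB2C:ClientSecret" ("--" maps to ":"),
    //     so it can be deleted from appsettings.json and the existing helper call
    //     keeps working unchanged.
    builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration, "AzureAdB2C");
}
else
{
    // 2b. Certificate variant via the delegate overload: no client secret exists at
    //     all. Microsoft.Identity.Web fetches the certificate from Key Vault with
    //     the same managed identity when it first needs to sign a client assertion.
    builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApp(options =>
        {
            // Instance, Domain, ClientId, SignUpSignInPolicyId etc. still come
            // from the AzureAdB2C section; none of those are secrets.
            builder.Configuration.GetSection("AzureAdB2C").Bind(options);
            options.ClientSecret = null;
            options.ClientCertificates = new[]
            {
                CertificateDescription.FromKeyVault(vaultUri.ToString(), "B2cClientCert")
            };
        });
}

builder.Services.AddRazorPages().AddMicrosoftIdentityUI();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.MapControllers();   // needed for the MicrosoftIdentity account controller
app.Run();
```

Whichever variant is active, check that the deployed app's configuration dump (or a `dotnet user-secrets list` locally) no longer contains AzureAdB2C:ClientSecret, and that the vault's diagnostic logs show only the app's managed identity reading the secret or certificate.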