Hi @Siegfried Heintze ,
Thanks for reaching out and apologies for the delay in response.
Please find my response inline.
1. I'm having trouble understanding how to make AddMicrosoftIdentityWebAppAuthentication read the client ID and app secrets from the Azure Key Vault instead of the appsettings.json file. I believe these should not be stored in the appsettings.json file when running in Azure ... Correct?
Your understanding is correct here: storing the client secret in the application's configuration file is not secure, and you are looking for an alternative to store the client ID and client secret in a more secure way.
There are two ways to avoid a client secret in the application file:
a. Use the user secrets feature in ASP.NET Core
ASP.NET provides ASPNETCORE_ENVIRONMENT, which can be set in the launchSettings.json file based on the different environments (Development, Staging, Production), whose values are stored locally or in the operating system. Another way is to use the Secret Manager to manage credentials locally.
b. Use certificates instead of app secrets
Instead of a client secret, you can provide a client certificate stored in Azure Key Vault, and the certificate configuration is added to the AzureAdB2C appsettings.json file:
"ClientCertificates": [
  {
    "SourceType": "KeyVault",
    "KeyVaultUrl": "https://msidentitywebsamples.vault.azure.net",
    "KeyVaultCertificateName": "MicrosoftIdentitySamplesCert"
  }
]
and AddMicrosoftIdentityWebAppAuthentication retrieves the credentials from Azure Key Vault in the same way.
2. I've been studying the sample code for using managed identities for Azure resources, but I don't see them calling the function AddMicrosoftIdentityWebAppAuthentication. I would like to continue using AddMicrosoftIdentityWebAppAuthentication to fetch the secrets now stored in the Azure Key Vault and previously stored in the appsettings.json file. Is this possible? (After reading about using environment variables, I'm guessing this is possible because there is a way to read the values from environment variables instead of appsettings.json.)
Managed identities allow you to manage credentials on their own if your application has been deployed on Azure. You can enable Managed Service Identity and add the Azure App Service's service principal to Azure Key Vault. MSI allows you to generate a service principal on the associated Azure service itself. It means you don't need to store a client ID and client secret anymore. Azure AD works directly with your Azure App Service.
Ref docs: https://learn.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview
3. Regardless, I would like to also consider an alternative approach: How can I abandon AddMicrosoftIdentityWebAppAuthentication in favor of reading discrete values (like the client ID) from the Azure Key Vault so they can be used by MSAL to authenticate my users?
Additionally, if you do not want to use the applicationSettings.json file but rather environment variables or Key Vault for storing the secrets, then one way to do this is to use AddAuthentication followed by a different override of AddMicrosoftIdentityWebApp which takes delegates:
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        // The lambda parameter is the MicrosoftIdentityOptions instance being configured
        options.ClientId = GetClientIdFromEnvironmentVariable();
        options.TenantId = GetTenantIdFromEnvironmentVariable();
        options.ClientSecret = GetClientSecretFromKeyVault();
        // etc ...
    });
If you are looking to make AddMicrosoftIdentityWebAppAuthentication read from the Key Vault and don't want to make any additional changes, then storing a client certificate is a possible approach to avoid exposing secrets in your application.
Hope this helps.
Thanks,
Shweta
------------------------------------------------------
Please remember to "Accept Answer" if answer helped you.
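The delegate approach from the answer above, carried through as an added example (not code from the original answer or from Microsoft.Identity.Web): the non-secret IDs come from environment variables, the client secret is read from Key Vault at startup through the App Service managed identity via DefaultAzureCredential, and nothing secret is left in appsettings.json. The environment variable names, the vault URL and the secret name are assumptions; the managed identity must have been granted secret read access on the vault, as the answer describes.

```csharp
// Program.cs (ASP.NET Core 6+ minimal hosting). Packages assumed:
// Microsoft.Identity.Web, Azure.Identity, Azure.Security.KeyVault.Secrets
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Non-secret values come from environment variables (set in the App Service
// configuration). The variable names are assumptions for this example.
string Require(string name) =>
    Environment.GetEnvironmentVariable(name)
    ?? throw new InvalidOperationException($"Missing environment variable {name}");

string keyVaultUrl = Require("KEYVAULT_URL");            // e.g. https://<vault-name>.vault.azure.net
string clientSecretName = Require("CLIENT_SECRET_NAME"); // name of the secret inside the vault

// DefaultAzureCredential uses the App Service managed identity in Azure and a
// developer login (Azure CLI / Visual Studio) locally, so no credential is stored in config.
var secretClient = new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential());

// Fetched once at startup; a read failure stops the app instead of running without auth.
KeyVaultSecret clientSecret = secretClient.GetSecret(clientSecretName).Value;

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        options.Instance = "https://login.microsoftonline.com/";
        options.TenantId = Require("AZURE_TENANT_ID");
        options.ClientId = Require("AZURE_CLIENT_ID");
        options.ClientSecret = clientSecret.Value; // never written to appsettings.json
        options.CallbackPath = "/signin-oidc";
    });

builder.Services.AddAuthorization();
builder.Services.AddRazorPages();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.Run();
```

Rotating the secret in Key Vault then only requires an app restart, and no redeploy of configuration files.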