Question (asked by urig-4223)

How to fix "The policy requires the caller '...' to use on-behalf-of (OBO) flow" when accessing Key Vault from App Service?

I have an ASP.NET Core 3.1 application running in an Azure App Service. Having started using Azure Key Vault to store connection strings and other secrets for the app, the app is now crashing with an "HTTP Error 500.30 ANCM In-Process Start Failure" error page.

Below is the code that seems to be triggering this. Having disabled it, the app goes back to normal (albeit without Key Vault integration).

 // Runs inside ConfigureAppConfiguration((context, config) => { ... }) in Program.cs.
 // Required packages: Microsoft.Azure.KeyVault, Microsoft.Azure.Services.AppAuthentication,
 // Microsoft.Extensions.Configuration.AzureKeyVault.
 using Microsoft.Azure.KeyVault;
 using Microsoft.Azure.Services.AppAuthentication;
 using Microsoft.Extensions.Configuration.AzureKeyVault;

 var builtConfig = config.Build();
 var vaultUrl = $"https://{builtConfig["KeyVaultName"]}.vault.azure.net/";
 // In App Service, AzureServiceTokenProvider acquires tokens with the app's managed identity.
 var azureServiceTokenProvider = new AzureServiceTokenProvider();
 var keyVaultClient = new KeyVaultClient(
     new KeyVaultClient.AuthenticationCallback(
         azureServiceTokenProvider.KeyVaultTokenCallback));
 // Loads every secret the identity is allowed to read as a configuration value.
 config.AddAzureKeyVault(
     vaultUrl,
     keyVaultClient,
     new DefaultKeyVaultSecretManager());


I've searched the Azure Portal up and down and finally managed to find something meaningful in the App Service's list of .NET Core Startup Failures (hidden under App Service > Diagnose and Solve Problems > Web App Down > View .NET Startup Failures):


 Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: The policy requires the caller
 'appid=<redacted>;oid=<redacted>;iss=https://sts.windows.net/<redacted>/' to use on-behalf-of (OBO)
 flow. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287


I have no need for the on-behalf-of flow. I did originally define the Key Vault access policy to include both the app's oid and its appid by mistake. I have since remedied this by removing the access policy and recreating it without the appid.

My question is: why am I still getting this error, and how can I fix it?
Tags: azure-key-vault, azure-webapps-development

Answer by eldargr (0 votes)

Seems to be working for us, thanks

Comment:

Spent two days getting all kinds of weird error messages because I added an authorized application this time when I had to do everything from scratch. Not a lot of good Google answers when you are tracking down "The policy requires the caller ... to use on-behalf-of (OBO) flow", for instance.

Answer by MarileeTurscak-MSFT (3 votes)

It is most likely a policy specific to your Azure environment that is causing this.

Please double-check any existing policies and secrets and make sure that you do not have an "Authorized application" selected in any of them, and use a service principal to access the secret rather than an application.

[Attached screenshot: image.png]

Comments:

This was exactly the problem I had. I did not realise that there's no need to have an authorized application when the principal is that application itself.


Thanks for sharing, @IanKemp-8973! @urig-4223, were you able to get this resolved?


I did face this issue and the above step solved it.

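The accepted fix above is a configuration check, not a code change: an access policy that names an "Authorized application" is stored in the vault's ARM model as an `applicationId` on the `accessPolicies` entry, and such an entry only admits that application calling on behalf of the principal, which is exactly the OBO requirement the error reports. The following is an added example, not code from the question or the answers: a small Python audit that reads a Key Vault resource as JSON (for instance the output of `az keyvault show -n <vault> -o json`), flags every policy entry that carries `applicationId`, and produces a corrected copy with the field removed so the principal's own identity is authorised directly. The vault name, tenant and object ids in the embedded sample are constructed placeholders.

```python
"""Audit Key Vault access policies for the "Authorized application" (OBO-only) setting.

Added example; not from the original question or answers. Works on the ARM JSON
of a Microsoft.KeyVault/vaults resource. An access-policy entry with
`applicationId` set is satisfied only by that application acting on behalf of
the `objectId` principal (OBO flow); a direct call from the principal itself,
such as an App Service managed identity, is rejected with
"The policy requires the caller ... to use on-behalf-of (OBO) flow".
"""
import json
import sys
from copy import deepcopy
from typing import Dict, List

# Constructed sample vault: entry 0 reproduces the misconfiguration from the
# question (objectId and applicationId both set); entry 1 is a correct
# principal-only policy. All identifiers are placeholders.
SAMPLE_VAULT: Dict = {
    "name": "example-vault",
    "properties": {
        "accessPolicies": [
            {
                "tenantId": "00000000-0000-0000-0000-000000000000",
                "objectId": "11111111-1111-1111-1111-111111111111",
                "applicationId": "22222222-2222-2222-2222-222222222222",
                "permissions": {"secrets": ["get", "list"]},
            },
            {
                "tenantId": "00000000-0000-0000-0000-000000000000",
                "objectId": "33333333-3333-3333-3333-333333333333",
                "permissions": {"secrets": ["get"]},
            },
        ]
    },
}


def access_policies(vault: Dict) -> List[Dict]:
    """Return the accessPolicies array of an ARM vault document (empty if absent)."""
    return vault.get("properties", {}).get("accessPolicies", []) or []


def find_obo_policies(vault: Dict) -> List[Dict]:
    """Return the policy entries that require OBO, i.e. those with applicationId set."""
    return [p for p in access_policies(vault) if p.get("applicationId")]


def strip_authorized_application(vault: Dict) -> Dict:
    """Return a corrected copy in which every entry grants the objectId principal
    directly: applicationId is removed, tenantId/objectId/permissions are kept."""
    fixed = deepcopy(vault)
    for p in access_policies(fixed):
        p.pop("applicationId", None)
    return fixed


def report(vault: Dict) -> List[str]:
    """Human-readable findings, one line per OBO-only policy entry."""
    return [
        f"policy for oid={p.get('objectId')} is restricted to appid={p['applicationId']} "
        f"acting on behalf of that principal; a direct call from the principal is rejected"
        for p in find_obo_policies(vault)
    ]


if __name__ == "__main__":
    # Usage: python kv_policy_audit.py [vault.json]   (reads stdin when no file is given)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    vault = json.load(src) if not src.isatty() else SAMPLE_VAULT
    findings = report(vault)
    print("\n".join(findings) if findings else "no OBO-only access policies found")
    if findings:
        print(json.dumps(strip_authorized_application(vault), indent=2))
```

The corrected document is only a proposal for review; apply it with the tooling you already use for the vault (portal, CLI or ARM/Bicep), and re-check afterwards that the managed identity's objectId is the one the policy names.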