I am not able to retrieve a secret from azure key vault to a .net console app which runs in azure windows VM. Below is the code i have used and i have given service principal all permission in key vault.
var kvc = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(
async (string authority, string resource, string scope) => {
var authContext = new AuthenticationContext(authority);
var credential = new ClientCredential("App id, "secret identifier uri");
AuthenticationResult result = await authContext.AcquireTokenAsync(resource, credential);
if (result == null) {
throw new InvalidOperationException("Failed to retrieve JWT token");
}
return result.AccessToken;
}
));
Please reference this tutorial in the Microsoft documentation, where you can find the correct way to use Azure Key Vault inside a Windows VM, and using .NET. Note: In this solution, you will use Managed Service Identity, instead of the traditional Service Principal.
Related
I am using below code to refresh token in an AWS Cognito application configured with secret key. No matter which configuration I have tried it always causes common issue of unable to verify secret hash. The input parameters have been trippled checked and the login functionality works well. Can anyone advice on what is the issue with the below codeset.
public static async Task<AuthFlowResponse> GetRefreshAsync(string userName, string refreshToken)
{
AmazonCognitoIdentityProviderClient provider = new AmazonCognitoIdentityProviderClient(new AnonymousAWSCredentials(), FallbackRegionFactory.GetRegionEndpoint());
CognitoUserPool userPool = new CognitoUserPool(userPoolId, clientId, provider, clientSecret);
CognitoUser user = new CognitoUser(userName, clientId, userPool, provider, clientSecret);
user.SessionTokens = new CognitoUserSession(null, null, refreshToken, DateTime.Now, DateTime.Now.AddHours(1));
InitiateRefreshTokenAuthRequest refreshRequest = new InitiateRefreshTokenAuthRequest()
{
AuthFlowType = AuthFlowType.REFRESH_TOKEN_AUTH
};
return await user.StartWithRefreshTokenAuthAsync(refreshRequest).ConfigureAwait(false);
}
I am writing a program that tries to access a secret (OneAuthZAuthentication) to an Azure Table Storage through accessing KeyVault. I am following the steps listed in this tutorial: https://jeanpaul.cloud/2019/12/07/azure-key-vault-access-from-c/
I have created a Key Vault called ITALocalBuildSecrets:
With the following DNS Name: https://italocalbuildsecrets.vault.azure.net/
I also have another secret with the following name (OneAuthZAuthentication):
I have created an app in the active directory (OneAuthZUserApplication), and you can see the Application (client) ID displayed below:
I created a client secret for OneAuthZUserApplication:
I authorized a Console Application (OneAuthZUserApplication) as an access policy:
And you can clearly see the access policy being registered:
Below is the code I am running:
// Retrieves the access token necessary to gain authentication into the key vault
[FunctionName("GetToken")]
public static async System.Threading.Tasks.Task<string> GetToken(string authority, string resource, string scope)
{
var clientId = "5cf497b0-3467-456a-a03a-4d4414b*****"; // Stars are for security reasons :D
var clientSecret = "468.26i5Wc.nQ6TYL-eOvBmcto.t.*****"; // Stars are for security reasons
ClientCredential credential = new ClientCredential(clientId, clientSecret);
var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
var result = await context.AcquireTokenAsync(resource, credential);
return result.AccessToken;
}
// Retrieves the access key vault accountKey (needed to authenticate access into the role assignments table)
public static string GetVaultValue()
{
KeyVaultClient client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken));
var vaultAddress = "https://italocalbuildsecrets.vault.azure.net/";
var secretName = "OneAuthZAuthentication";
var secret = client.GetSecretAsync(vaultAddress, secretName).GetAwaiter().GetResult();
return secret.Value;
}
[FunctionName("Function1")]
// Function that reads a small portion of the role assignments table (OneAuthZRoleAssignments) every
// configurable number of times
public static async System.Threading.Tasks.Task RunAsync([TimerTrigger("%TimerTriggerPeriod%")]TimerInfo myTimer, ILogger log)
{
Console.WriteLine($"Secret Value from Vault is: {GetVaultValue()}");
}
I get the following error:
Function1. Microsoft.Azure.KeyVault: Operation returned an invalid status code 'Forbidden'.
This does seems strange, considering that I authorized the OneAuthZUserApplication application to the key vault.
I follow you steps and use your code to test, and it all works very well.
Please go to confirm after adding Access policy, remember to click save button.
What is the authority you are using? Further, I think you are missing the step of configuring scopes when getting the token. Similar here, but using MSAL.
string[] scopeArray = new string[] { "https://vault.azure.net/.default" };
And provide that to your token request.
Also, if these are Azure Functions, why don't you use the function MSI to retrieve the secret? See here
I have below Method to get a token from Azure using ClientID, TenantID and AADAppPassword
This is working awesome but now I need to switch to different AAD AppID and use Certificate Thumbprint Or Certificate pfx.
I don't want to change my 1000+ lines of code.
Can someone help me get a token the same way I'm getting using below Method but use Certificate Thumbprint instead and which returns token so that I can call the method right before I'm about to make rest API call.
public static async Task<string> GetAccessToken(string tenantId, string clientId, string clientKey)
{
string authContextURL = "https://login.windows.net/" + tenantId;
var authenticationContext = new AuthenticationContext(authContextURL);
var credential = new ClientCredential(clientId, clientKey);
var result = await authenticationContext
.AcquireTokenAsync("https://management.azure.com/", credential);
if (result == null)
{
throw new InvalidOperationException("Failed to obtain the JWT token");
}
string token = result.AccessToken;
return token;
}
You must use ClientAssertionCertificate instead of ClientCredential
X509Certificate2 cert = ReadCertificateFromStore(config.CertName);
certCred = new ClientAssertionCertificate(config.ClientId, cert);
result = await authContext.AcquireTokenAsync(todoListResourceId, certCred);
You may refer the Azure AD v1 Sample for this.
MSAL.NET is now the recommended auth library to use with the Microsoft identity platform. No new features will be implemented on ADAL.NET. The efforts are focused on improving MSAL. You can refer the documentation here if you are planning to migrate applications to MSAL.NET
I'm using the following code to upload to my image container in my Azure storange account. The connection string in app.config is:
<appSettings>
<add key="StorageConnectionString" value="MyConnectionString" />
</appSettings>
CloudStorageAccount storageAccount = CloudStorageAccount.Parse
CloudConfigurationManager.GetSetting("StorageConnectionString"));
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
// Retrieve reference to a previously created container.
CloudBlobContainer container = blobClient.GetContainerReference("imagestorage");
// Retrieve reference to a blob named "myblob".
CloudBlockBlob blockBlob = container.GetBlockBlobReference("IMG1.png");
// Create or overwrite the "myblob" blob with contents from a local file.
using (var fileStream = System.IO.File.OpenRead(#"D:\Untitled.png"))
{
blockBlob.UploadFromStream(fileStream);
}
Question is how do I intergrate Azure Key Vault into my native application so that my API keys will not be compromised by some annoying reverse engineers?
I've registered my app in Azure Active Directory and given permissions for Azure Key Vault.
Also, who ever tries to use my native desktop app has to log in to my ASP.NET Web API app with Individual Accounts and receive a token, before using any other features. All of my controllers require authorization.
I believe what you're trying to do is integrate your Azure KeyVault with your C# Application. You can do this my using 2 API. One being the Microsoft.Azure.KeyVault and the other being ADAL.
Following these steps may get you answer:
public async Task<string> GetToken(string authority, string resource, string scope)
{
var authContext = new AuthenticationContext(authority);
ClientCredential clientCred = new ClientCredential(ConfigurationManager.AppSettings["ClientID"], ConfigurationManager.AppSettings["ClientSecret"]);
AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);
if(result == null)
{
throw new InvalidOperationException("Failed to obtain the JWT Token");
}
Console.WriteLine("Retrieved Password");
return result.AccessToken;
}
And then get the value of what you're trying to return by running this:
public async Task getvaluesAsync()
{
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken));
var sec = await kv.GetSecretAsync(ConfigurationManager.AppSettings["SecretURI"]);
EncryptSecret = sec.Value;
}
Replace the appropriate values of ClientID, Client Secret and SecretURI with your values in the App.config file. Use a getter and setter method with the "EcryptSecret" by doing something like,
public static string EncryptSecret { get; set; }
This will continuously store the password / DB connections for further use.
A few helpful articles would be:
https://learn.microsoft.com/en-us/azure/key-vault/key-vault-developers-guide
I am referring to Multitenant-saas-app sample. I am trying to get an access token to access Graph API and then get access token silently and access the graph api again.
Get Authorisation Code with /common endpoint for the multi-tenant-app,
private string resourceID = "https://graph.windows.net";
string authorizationRequest = String.Format(
"https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id={0}&resource={1}&redirect_uri={2}&state={3}",
Uri.EscapeDataString(ConfigurationManager.AppSettings["ida:ClientID"]),
Uri.EscapeDataString("https://graph.windows.net"),
Uri.EscapeDataString(this.Request.Url.GetLeftPart(UriPartial.Authority).ToString() + "/Onboarding/ProcessCode"),
Uri.EscapeDataString(stateMarker)
);
return new RedirectResult(authorizationRequest);
Redirected with authorisation code, (/Onboarding/ProcessCode)
ClientCredential credential = new ClientCredential(ConfigurationManager.AppSettings["ida:ClientID"],
ConfigurationManager.AppSettings["ida:Password"]);
AuthenticationContext authContext = new AuthenticationContext("https://login.windows.net/common/");
//Get token to access grapgh API
AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
code, new Uri(Request.Url.GetLeftPart(UriPartial.Path)), credential, resourceID);
AuthenticationHelper.token = result.AccessToken;
This works fine and I get the access token where I can access the AzureAD resources for the tenant.
ActiveDirectoryClient client = AuthenticationHelper.GetActiveDirectoryClient();
IPagedCollection<IUser> pagedCollection = await client.Users.ExecuteAsync();
Now I try to get get the token for offline access from the token cache. This time I create AuthenticationContext for the tenant. (I tried /common as well)
This gets me a new accesstoken silently.
string resourceID = "https://graph.windows.net";
//Test
ClientCredential credential = new ClientCredential(ConfigurationManager.AppSettings["ida:ClientID"],
ConfigurationManager.AppSettings["ida:Password"]);
AuthenticationContext authContext = new AuthenticationContext("https://login.microsoftonline.com/mytenant.net");
var auth = await authContext.AcquireTokenAsync(resourceID, credential);
var newToken = auth.AccessToken;
//Set the token for this session
AuthenticationHelper.token = auth.AccessToken;
Then I try to access the API as previous,
ActiveDirectoryClient client = AuthenticationHelper.GetActiveDirectoryClient();
IPagedCollection<IUser> pagedCollection = await client.Users.ExecuteAsync();
and I get the following exception,
Error = "Authorization_RequestDenied": "Insufficient privileges to
complete the operation."
Am I doing anything wrong here?
Here is my app permissions,
To list the users using the Azure AD graph REST, we require the Read all users' basic profile or Read all users' full profiles if you were not a global admin in the tenant.
And if you were the Global Admin in the tenant, the Access the directory as the sign-in user should also work to list users rest API.
And more detail about the scopes about Azure AD graph, you can refer here.
And for the cache issue, since you didn't provide custom cache, it would use the default cache based on the platform. For example, if you were developing an .Net application, the cache is using the memory to store the object. So it only works before you restart the application.