We are using the email invite flow to get our users created in our Azure B2C. Currently we are reviewing our management of secrets in code and config, coming out of this work we are now using an Azure KeyVault.
Our ASP.Net website that previously had the cert loaded directly into the App Service is now referencing one in the key vault.
At the Azure B2C "Identity Experience Framework" end of the arrangement we have the “B2C_1A_IdTokenHintCert” policy key and that was created when we uploaded the certificate into Azure B2C. This breaks the approach of centralising the management of our certificates with KeyVault.
Is there a way of using KeyVault for the Custom Policy configuration?
In your particular scenario, you can expose your own metadata endpoint for id token hint validation in your App. That is what the sample does by default:
https://github.com/azure-ad-b2c/id-token-builder
You might then look for a way to reference the cert via key vault instead of uploading the cert to the app service. Eg reading the cert in your app via keyvault api.
https://learn.microsoft.com/en-us/rest/api/keyvault/#certificate-operations
Related
Could anyone provide some instruction on how you would go about assigning a Managed Service Identity to a Remotely-hosted Web app?
My application is registered in AAD to enable the use of authentication. I want to remove the appSecret from appsettings and store that in the KeyVault and access the KeyVault using the MSI.
I have looked at the MS docs and followed a few guides, but have not, as of yet, managed to successfully retrieve my secret.
In the first instance, I just wanted to store a secret and get that back, and once that was working, get the client secret using the same approach.
Managed identity only works when you host your app in Azure.
This is because it works as a local endpoint inside the Azure instances.
Let me give some details of my setup
I am building an asp.net core API app being hosted on Azure. I store my secret keys and stuff in azure keyvault. However, I have some AzureAddClientId and secret which is now stored in appsettings.json( to access key vault ). I have also committed appsettings.json to my git repo. However I know that is insecure. I use Azure DevOps for releases. So I'm thinking of doing the following. Please let me know your thoughts on this.
add appsettings.json to git ignore and share the file among developers.
add AzureAddClientId and AzureAADClientSecret to azure DevOps build pipeline as variables. ( Will devops automatically take the variables just as if they were in appsettings.json? )
Please have a look at using Managed Identities.
A common challenge when building cloud applications is how to manage the credentials in your code for authenticating to cloud services. Keeping the credentials secure is an important task. Ideally, the credentials never appear on developer workstations and aren't checked into source control. Azure Key Vault provides a way to securely store credentials, secrets, and other keys, but your code has to authenticate to Key Vault to retrieve them.
The managed identities for Azure resources feature in Azure Active Directory (Azure AD) solves this problem. The feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.
Team,
I have recently migrated my azure classic portal resources to CSP subscription. I have successfully converted my azure cloud service to azure app website in the CSP subscription. But there is one thing i am not able connect. Its the third party API When we had the cloud service we had a .pfx uploaded to azure and in the code we use to create a uri which consists of the certifcate key + certificate secret key.
The certificate key is got directly from web.config. But the certificate secret key is got from EncryptedSettings.Appsettings("SecretKeyName").
This is basically got from the encrypted app setting done earlier by
https://eren.ws/2014/02/04/encrypting-the-web-config-file-of-an-azure-cloud-service/
But i am not sure what way should we implement on Azure website.
I have tried implementing the same but unfortunately it seems the secret key retrieval technique for cloud service is not the same as in the azure web app service.
When i debug the azure web site i can see that it gives the error as.
Failed to decrypt using provider ‘CustomProvider’. Error message from the provider: Value cannot be null.
Parameter name: keyObject
Can anyone please guide me ?
Rather than storing secrets in your config, you may wish instead to store them Azure KeyVault (which also gives you secret management capabilities etc) and then load the secrets at runtime.
KeyVault documentation:
https://learn.microsoft.com/en-us/azure/key-vault/
Specifically how to use keyvault with azure websites:
https://learn.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application
And these days, don't bother with manual authentication to use keyvault, instead use "Managed Service Identity", here's a tutorial:
https://azure.microsoft.com/en-gb/resources/samples/app-service-msi-keyvault-dotnet/
Interestingly the second tutorial does mention specifically using certificates for the purposes of authentication (against keyvault), you may wish to use this technique for yourself as a simplified way to get direct access to your certificate.
I am trying to grant permissions to my Web App/API type application in Azure directory to use Azure Key Vault.
When I Required Permissions> Add API Access > Select an API, then there I can't find Azure Key Vault. I remember it was there before but not now. Where I can find it?
Image:
https://ibb.co/dswdXq
Behavior shown in your image - Azure Key Vault missing from "Select an API" blade
I have seen the behavior your image shows for a new Azure subscription, only when there were no Key Vaults so far in the Azure subscription linked to that Azure Active Directory.
Once you create a new Key Vault (you don't even need to add any keys), "Azure Key Vault" shows up while adding permissions to your app registrations in Azure AD (same steps as your image). At least, that's how it worked in my case.
Special case worth mention
You can create multiple Azure AD's in your Azure subscription and register your applications in any of them. Azure Key Vault although works in a special way and is linked to only one Azure AD, this is the Azure AD that your Azure subscription trusts (Azure Subscription also trusts only one Azure AD). So you could also run into the behavior shown in your image if you're registering application in a different Azure AD than the one your Azure subscription trusts.
Granting permissions to your Web App/API to use Key Vault
In most cases it's not even required to do the steps you're showing in your image, just for a web application to be able to access key vault since that is controlled by Azure Key Vault access policies. #junnas has already explained this part very well so you can refer to that.
You can go to your Key Vault -> Access Policies -> Add, and create a new policy for the app.
Select the app as the principal, and give it the access you want.
You don't need to touch the Authorized application option.
You should then be able to acquire tokens for Key Vault using the client id and secret (or certificate).
Key Vault does not require that you assign it to an app, unless you wanted to do delegated access.
In fact any app can acquire a token for any API that exists as a service principal in your tenant (and Key Vault does).
Of course the token itself won't contain any permissions, but Key Vault has their own access management (access policies).
On my current project I work with TFS on-prem and I need to deploy resources in Azure.
With a service principal in Azure and an ARM service endpoint in TFS, everything works fine.
However now I get the requirement to secure the service principal with a certificate instead of a password. Creating a service principal with a certificate is almost as easy as with a password, but setting up the ARM service endpoint in TFS (also VSTS by the way) is not that easy.
One of the fields I have to fill in for the ARM service endpoint is the "Service Principal Key".
When creating the service principal with a certificate, I don't have that value (which typically is the password used to create the AD application).
Is it possible to create a TFS service endpoint using an Azure service principal based on a certificate?
We cannot create the ARM service endpoint based on a certificate, just as you mentioned we can only provide the "Service Principal Key".
However we can create Azure Classic service endpoint based on a certificate.
Management Certificate:
Required for Certificate based authentication. Copy the value of the
management certificate key from your publish settings XML file or the
Azure portal.