We're facing a problem is that we want to install the same ASP.Net Core WebApp in multiple locations and route users using traffic managers but if we do that, we get issues because the authentication tokens get stored in one server and the user may access another one.
I read that we can use Azure BlobStorage to share the keys, can someone please describe how?
We use openiddict for API login but I think that this doesn't affect the issue if we can use Azure BlobStorage for key storage.
Thank you
As indicated in the documentation, you must reference the Microsoft.AspNetCore.DataProtection.AzureStorage package and use PersistKeysToAzureBlobStorage() to register the Azure Blob Storage key repository:
public void ConfigureServices(IServiceCollection services)
{
services.AddDataProtection()
.PersistKeysToAzureBlobStorage(new Uri("<blob URI including SAS token>"));
}
Related
I am working on an app developed using Xamarin Forms. The app connects to a container on Azure to read a couple of text files. The text files don't contain any confidential or secret information, just some publicly available information that the app uses.
I am able to connect to the storage container and read the blob without issue however I am readying the app for release to the App store and Google Play store so was following this guide around using Shared Access Keys to connect to Azure.
https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
To be honest, I am a bit confused as to which approach I should use. The app itself will be connecting to the container and reading the blob, so it won't be an actual "user" as such like joeB, or JaneB. That makes me think a user delegated SAS is not the way to go, although the documentation seems to suggest this is the most secure option.
I also noticed the user delegated sas token itself expires after a period of time and the app started crashing when trying to autheticate/connect. I am not sure if that is also the case with a service SAS and account SAS.
Basically, for my use case (an app reading a text file in a container in Azure), which is the best option for me to use based on those listed in the link above? Has anyone else done something similar? If so, how did you secure your connection string?
Thanks!
I setup a static web site in azue storage, is it possible to control who have access to that website, I have read a couple of question here but I can't get my head around it.
let's say, I work in company new_KFC, all I want is only user1#new_KFC.com user2#new_KFC.com get access, all other user when they try to access the website, get error
we are already using azure active directory
Static websites are public access only. However, you can can build a separate authentication layer that protects your data through AAD Authentication using ADAL and Storage JS libraries. See a demo of a similar SPA from the last //build session:
https://channel9.msdn.com/Events/Build/2018/BRK3313
Please also provide your feedback here: https://feedback.azure.com/forums/217298-storage/suggestions/36453091-enable-authorization-to-the-azure-static-websites so that we understand your feedback/demand for this feature.
Thanks,
Aung Oo
Azure Storage PM Team
I created Managed Application for Azure Marketplace. And I use some secret data during deploy app to user subscription. Is it secure putting this data to file mainTemplate.json? And if not, what variants exists?
Try this: https://learn.microsoft.com/en-us/azure/managed-applications/key-vault-access
The template files for a managed app in the marketplace are only secured by obscurity (you need to guess at what the URL is (and it contains a guid)). So for added security, put the secrets in KV and reference them from there.
not a good practice. Instead use Azure key vault as per your scenario.
Refer : https://learn.microsoft.com/en-us/azure/key-vault/key-vault-whatis
I am working in an Azure Storage Static Website. This website is publicly available and is intended to perform operations against Azure Storage (manage multimedia - crud actions). I am afraid that since it is a client-side app, anybody can use the code to perform unintended operations against the storage account. Any thoughts how can i protect the app against this? Also i am looking for a solution to avoid hardcoded keys/SAS tokens to have permission for the operations against the storage account. I was thinking about using the managed service identity. Anyone had experience with it, since it is in preview mode?
You should definitely not put keys or SAS tokens client-side. As you say, anybody can obtain this and get access to the storage account. One solution is to use an HTTP-triggered serverless function to generate a SAS token as needed. Then you can issue a time-limited SAS to only the resources you want to be publicly accessible. The below tutorial shows how to do this.
https://learn.microsoft.com/en-us/azure/functions/tutorial-static-website-serverless-api-with-database
The static website endpoint is strictly read only. So the client will not be able to change the content of the website.
Currently static website is anonymous access. "add oauth" will be added soon. For read access, once the site is enabled, it'll be available to all public.
Currently we don't have oauth support. Anybody can read the content of the website as long as they have the uri
I'm trying to publish my web app from VS without no downtime. If you search in Google, you find the official documentation speaking about using slots and do a swap later.
This is a good approach, but I have other problem when I do the swap, logins are lost (look this question: link).
Relevant information in the link:
Session is not linked to Authentication, you're attempting to solve it in the wrong way.
All forms authentication tickets and cookies are encrypted and signed using the data protection layer. The problem you are encountering is due to the encryption keys not being saved, and applications being isolated from each other.
How can I do that? In AWS I had rolling updates...
For more information, I'm using ASP.NET Core with Identity 3.0
Thanks!!
What you're seeing is an azure limitation right now. While Azure Web Sites will share the key ring it sees swap slots as separate applications.
There are a couple of things to try.
First, set a common application name. This will help because every application which shares the keyring is isolated by default; but if they share the application name they can share keys
public void ConfigureServices(IServiceCollection services)
{
services.AddDataProtection();
services.ConfigureDataProtection(configure =>
{
configure.SetApplicationName("my application");
});
}
If that's not enough for azure (I am honestly unsure if hot swaps end up using Azure Web App's shared key folder) you can combine that with using Azure Data Tables for storing the encryption keys - https://github.com/GrabYourPitchforks/DataProtection.Azure/tree/dev
Between those two it should get the encryption keys used to protect identity cookies shared between your apps.
I found a fork for aspnet core 1.0, for those interested:
https://github.com/prajaybasu/DataProtection.Azure/tree/dev/DataProtection.Azure
just like the other one, it stores encryption keys on an azure storage account.
It completely solved my problem.
Starting from blowdart's solution I solved my issue, so thanks.
Andrea
Are you using in-memory session state?
The problem with 'logins' being 'lost' is an architecture issue, not an issue with updating your web app.
Use something like RedisCache for session state. Not only will it persist when you update your application, but it will handle load-balancing on multiple server instances. As it sits you'll probably have this issue when you scale out to more than one server, in addition to when you update your app.