Azure / azure-libraries-for-net

Azure libraries for .Net
MIT License

Azure AD can't remove client secret key #965

Open andtii opened 4 years ago

andtii commented 4 years ago

Describe the bug: The API to remove a key doesn't work.

To Reproduce: Trying to delete a client secret key that is about to expire, using C# code.

Code Snippet:

    app.Update()
        .WithoutCredential(key)
        .Apply();

Expected behavior: No exceptions after the code runs, but the key is not deleted.


yaohaizh commented 4 years ago

@weidongxu-microsoft please help take a look into this issue. Thanks.

weidongxu-microsoft commented 4 years ago

Currently there is no 1.6 graphrbac REST API found which returns the displayName of a password credential.

https://graph.windows.net/###/applications?api-version=1.6
https://graph.windows.net/###/applications/###/passwordCredentials?api-version=1.6

    {
      "customKeyIdentifier": null,
      "endDate": "2021-02-10T02:31:44.302Z",
      "keyId": "#########",
      "startDate": "2020-02-10T02:31:51.068Z",
      "value": null
    }

Portal is using this, which is not in spec.

https://graph.windows.net/myorganization/applicationsByAppId/###?api-version=2.0

    {
      "customKeyIdentifier": null,
      "endDate": "2021-02-10T02:31:44.302Z",
      "keyId": "#########",
      "startDate": "2020-02-10T02:31:51.068Z",
      "value": null,
      "createdOn": "2020-02-10T02:31:50.7512484Z",
      "hint": "L0G",
      "displayName": "testpassword"
    }

Service team, please advise.

weidongxu-microsoft commented 4 years ago

@andtii On current investigation displayName (Description in portal) is not available in current REST spec. This might not get fixed very soon.

So currently from REST API, we can only distinguish the password credentials by startDate and endDate. An alternative (not pretty) approach is to iterate through app.PasswordCredentials, find the Name (actually = keyId above) by certain EndDate criteria, and use that Name to delete.

andtii commented 4 years ago

@weidongxu-microsoft The issue I have is not about the displayName. It's that when I try to delete the key using `app.Update().WithoutCredential(key).Apply();` nothing happens. It doesn't delete my key.

weidongxu-microsoft commented 4 years ago

@andtii I know. The problem for the SDK is that the service REST API does not return anything the SDK can distinguish (sample JSON response attached below), hence the SDK cannot do anything about it right now.

That is the reason nothing happens when you do WithoutCredential(key): there is nothing to tell which key is which. Of course, if you know the keyId, you can use it as WithoutCredential(keyId). But I doubt it, hence the discussion on displayName.

That is the reason we are asking service team to check.

    {
      "customKeyIdentifier": null,
      "endDate": "2021-02-10T02:31:44.302Z",
      "keyId": "#########",
      "startDate": "2020-02-10T02:31:51.068Z",
      "value": null
    }
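The workaround described in the comments above (pick credentials by EndDate, then pass their Name, which is the keyId, to WithoutCredential), written out as an added example that is not code from the thread or from the SDK project. `ExpiringSecretCleanup` and `RemoveExpiring` are hypothetical names; the example assumes `PasswordCredentials` is a dictionary of credentials exposing `Name` and `EndDate`, and that `GetById` on the applications collection re-reads the application from the service.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Azure.Management.Graph.RBAC.Fluent;

public static class ExpiringSecretCleanup // hypothetical helper, not part of the SDK
{
    // Removes every password credential whose EndDate is at or before cutoffUtc.
    // Returns the Names (keyIds) confirmed gone after re-reading the application.
    public static IList<string> RemoveExpiring(
        IActiveDirectoryApplications apps, string appObjectId, DateTime cutoffUtc)
    {
        IActiveDirectoryApplication app = apps.GetById(appObjectId);

        // Assumption: Name holds the keyId, as stated in the thread, and EndDate
        // is comparable to a UTC cutoff (the REST payload uses "Z" timestamps).
        List<string> names = app.PasswordCredentials.Values
            .Where(c => c.EndDate <= cutoffUtc)
            .Select(c => c.Name)
            .ToList();
        if (names.Count == 0)
        {
            return names; // nothing matched, so send no update
        }

        var update = app.Update();
        foreach (string name in names)
        {
            // Pass the keyId here, not the description shown in the portal.
            update = update.WithoutCredential(name);
        }
        update.Apply();

        // The issue reports that Apply() can finish without an exception while
        // the key stays in place, so verify against a fresh read.
        var remaining = new HashSet<string>(
            apps.GetById(appObjectId).PasswordCredentials.Values.Select(c => c.Name));
        List<string> stillThere = names.Where(n => remaining.Contains(n)).ToList();
        if (stillThere.Count > 0)
        {
            throw new InvalidOperationException(
                "Credentials not removed: " + string.Join(", ", stillThere));
        }
        return names;
    }
}
```

Because the REST response carries only keyId, startDate and endDate, an EndDate cutoff matches every credential in that window, so choose a cutoff that does not also cover a secret still in use.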