Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License

[FEATURE REQ] New ProtectKeysWithAzureKeyVault Extension Method #37903

Open nquandt opened 1 year ago

nquandt commented 1 year ago

Library name

Azure.Extensions.AspNetCore.DataProtection.Keys

Please describe the feature.

Requesting an extension method to configure the keyIdentifier via ServiceProvider. I inject the key identifier into DI and require a way to retrieve it in order to set up ProtectKeysWithAzureKeyVault.

```csharp
ProtectKeysWithAzureKeyVault(this IDataProtectionBuilder builder, Func<IServiceProvider, string> keyIdentifierFactory, Func<IServiceProvider, TokenCredential> tokenCredentialFactory)
```

https://github.com/Azure/azure-sdk-for-net/blob/8a3d98d860ab9586f6062a5d7f06b48ba876d6f6/sdk/extensions/Azure.Extensions.AspNetCore.DataProtection.Keys/src/AzureDataProtectionKeyVaultKeyBuilderExtensions.cs#L30

jsquire commented 1 year ago

Hi @nquandt. Thank you for reaching out and for your suggestion. Can you help us understand the end-to-end scenario?

Since DI and data protection registrations both operate on the same IServiceCollection, they typically are done in the same scope. I'm not sure that I follow why you would need to register the identifier and then retrieve it at some indeterminate point in the future rather than providing it to both data protection and DI when registering. Likewise, why would you need to defer creating the credential?

github-actions[bot] commented 1 year ago

Hi @nquandt. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

nquandt commented 1 year ago

I get my identifier from a config map in Kubernetes, and currently the way I load that setting into my app is via an "Options" object in my DI container. I currently have a workaround where I BuildServiceProvider() before I do the DataProtection setup, but this seems weird.

jsquire commented 1 year ago

Thank you for the additional context, @nquandt. Forgive me, but I'm not sure that I'm following the flow of what that looks like. Would you be able to share a code snippet showing how you're initializing DI and registering data protection?

github-actions[bot] commented 1 year ago

Hi @nquandt, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

nquandt commented 1 year ago

Sorry I've been slow to respond.

I have an object injected into my DI container that holds my key vault information (this gets injected based on some environment variables set in a kube deploy).

So basically I am just looking for a simple way of setting the keyIdentifier based on data in the DI container.

```csharp
// Desired usage of the requested overload: both the key identifier and the
// credential are resolved from the container when data protection starts,
// not at registration time.
services.AddDataProtection()
    .ProtectKeysWithAzureKeyVault(
        sp => $"{sp.GetRequiredService<MyKVOptions>().Url}/keys/dataprotection/",
        sp =>
        {
            var kvOptions = sp.GetRequiredService<MyKVOptions>();
            return new ClientSecretCredential(kvOptions.TenantId, kvOptions.ClientId, kvOptions.ClientSecret);
        });
```

Also some extra context: I use AzureKeyVault in other ways throughout my application, just not for DataProtection, so that's why I have that object with my settings I can pass around to other services.
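As an added example that is not from this thread or the package, the same registration can be done today without the BuildServiceProvider() workaround by binding the options from IConfiguration at startup and passing the values to the existing Uri/TokenCredential overload. MyKVOptions, the "KeyVault" section name and the environment-variable layout are assumptions.

```csharp
using System;
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical options type standing in for the MyKVOptions used in the issue.
public sealed class MyKVOptions
{
    public string Url { get; set; } = "";
    public string TenantId { get; set; } = "";
    public string ClientId { get; set; } = "";
    public string ClientSecret { get; set; } = "";
}

public static class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);

        // Assumption: the ConfigMap/Secret values reach the pod as environment variables
        // named KeyVault__Url, KeyVault__TenantId, KeyVault__ClientId, KeyVault__ClientSecret,
        // so they land under the "KeyVault" configuration section.
        IConfigurationSection kvSection = builder.Configuration.GetSection("KeyVault");

        // Bind once, from IConfiguration, instead of from a second container created by
        // BuildServiceProvider(): that call builds a duplicate root provider with its own
        // copies of every singleton.
        MyKVOptions kv = kvSection.Get<MyKVOptions>()
            ?? throw new InvalidOperationException("KeyVault configuration section is missing.");

        // Register the same section for the other services that consume MyKVOptions.
        builder.Services.Configure<MyKVOptions>(kvSection);

        // Key identifier without a version segment, so the current key version is used.
        var keyIdentifier = new Uri($"{kv.Url.TrimEnd('/')}/keys/dataprotection");

        builder.Services.AddDataProtection()
            .ProtectKeysWithAzureKeyVault(
                keyIdentifier,
                new ClientSecretCredential(kv.TenantId, kv.ClientId, kv.ClientSecret));

        var app = builder.Build();
        app.Run();
    }
}
```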

jsquire commented 11 months ago

@JoshLove-msft : Please include this in the discussion of the use of factories in our extensions packages. Thanks!

jsquire commented 9 months ago

@AlexanderSher: Since you're looking into Extension package feature requests, please include this one as well.

annelo-msft commented 1 month ago

Evaluating whether this can be addressed as part of https://github.com/Azure/azure-sdk-for-net/issues/46671