Open ndebata opened 3 years ago
@ndebata. I'm assuming that this is for certificate credentials (not decrypt certificates): If you use the certificate description configuration properties, Microsoft.Identity.Web will retry automatically fetching a new certificate version from KeyVault if a certificate expired. See https://github.com/AzureAD/microsoft-identity-web/wiki/Certificates#describing-client-certificates-to-use-by-configuration
Does this work for you, or do you need more fine-grained control?
@jmprieur Thank you for your answer. We are using a client secret instead of certificates, and the configuration is loaded from a configuration service using a custom configuration provider which reads it from Key Vault. IOptionsMonitor
@ndebata: you can configure the options like this from Startup.cs.
// Configure the named options for the OpenID Connect scheme; OpenIdConnectDefaults (plural) is the ASP.NET Core constants class.
services.Configure<ConfidentialClientApplicationOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.ClientSecret = "";
});
Where do you want to do that? From a controller/page?
This way the secret will be initialized once during application start; I'm looking for an option while the application is running. Once the configuration changes, the secrets are refreshed and I can see the updated value using IOptionsMonitor.
@ndebata. I think that we'd need to add listeners to the IOptionsMonitor of MicrosoftIdentityOptions and ConfidentialClientApplicationOptions so that we update the (internal) MergeOptions when those change.
Do you have the possibility of trying out whether this branch solves your issue? https://github.com/AzureAD/microsoft-identity-web/tree/jmprieur/investigate1299
cc: @jennyf19.
Is there any news on this?
In my use case, the user may decide during the runtime of the app which tenant he wants to authenticate to (he may be a guest in multiple tenants and my app is fetching data from whichever tenant the user decides on, while the "initial" authentication was to his/her home tenant and the data from the fetching operation is also stored there). Long story short, I came up with this:
services.AddAuthentication()
    .AddMicrosoftIdentityWebApp(options =>
    {
        Configuration.Bind("AzureADapp", options);
        options.Events.OnRedirectToIdentityProvider = (context) =>
        {
            // Resolve the tenant chosen at runtime from DI (ITenantService is the app's own service).
            var tenantId = context.HttpContext.RequestServices.GetRequiredService<ITenantService>().GetTenant().Id;
            // Updating the IssuerUrl to the tenant endpoint instead of common makes sure the user is authenticated to the desired tenant instead of the user's home tenant.
            var updatedIssuerUrl = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize";
            context.ProtocolMessage.IssuerAddress = updatedIssuerUrl;
            return Task.CompletedTask;
        };
    });
While all details of the app in use are stored in the appsettings.json section "AzureADapp", the https://login.microsoftonline.com/common endpoint is configured there. By overwriting this, I'm able to specify the tenant to which the user is authenticated.
Having this middleware subscribe to the reload token similar to how kestrel does would be a very helpful change.
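As an added illustration of the two ideas raised in this thread (listening on the IOptionsMonitor of MicrosoftIdentityOptions and ConfidentialClientApplicationOptions, and reacting to configuration reloads), here is a hosted service that observes both option types and reports when a rotated secret arrives. This is example code, not part of Microsoft.Identity.Web; it assumes .NET 5+ (SHA256.HashData, Convert.ToHexString) and a configuration provider that actually signals a reload token.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Microsoft.Identity.Client;   // ConfidentialClientApplicationOptions
using Microsoft.Identity.Web;      // MicrosoftIdentityOptions

// Hypothetical hosted service (not library code): subscribes to option changes so a
// rotated ClientSecret surfacing through IOptionsMonitor is noticed without a restart.
public sealed class ClientSecretRotationWatcher : IHostedService
{
    private readonly IOptionsMonitor<MicrosoftIdentityOptions> _idOptions;
    private readonly IOptionsMonitor<ConfidentialClientApplicationOptions> _ccaOptions;
    private readonly ILogger<ClientSecretRotationWatcher> _log;
    private IDisposable? _idSub, _ccaSub;

    public ClientSecretRotationWatcher(IOptionsMonitor<MicrosoftIdentityOptions> idOptions,
        IOptionsMonitor<ConfidentialClientApplicationOptions> ccaOptions,
        ILogger<ClientSecretRotationWatcher> log)
    { _idOptions = idOptions; _ccaOptions = ccaOptions; _log = log; }

    public Task StartAsync(CancellationToken ct)
    {
        // OnChange fires for every named instance; the name tells you which scheme reloaded.
        _idSub = _idOptions.OnChange((o, name) => Report("MicrosoftIdentityOptions", name, o.ClientSecret));
        _ccaSub = _ccaOptions.OnChange((o, name) => Report("ConfidentialClientApplicationOptions", name, o.ClientSecret));
        return Task.CompletedTask;
    }

    public Task StopAsync(CancellationToken ct) { _idSub?.Dispose(); _ccaSub?.Dispose(); return Task.CompletedTask; }

    // Record that rotation happened without ever writing the secret to the log; a short
    // hash prefix is enough to confirm a new value was delivered.
    private void Report(string type, string? name, string? secret)
    {
        if (string.IsNullOrEmpty(secret))
        {
            _log.LogWarning("{Type} ({Name}) reloaded with an empty ClientSecret", type, name);
            return;
        }
        var fingerprint = Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(secret)))[..8];
        _log.LogInformation("{Type} ({Name}) reloaded; secret fingerprint {Fp}", type, name, fingerprint);
    }
}
// Registration in Startup.ConfigureServices: services.AddHostedService<ClientSecretRotationWatcher>();
```

The callbacks only run if the custom Key Vault configuration provider raises its reload token, which is the same prerequisite the Kestrel-style subscription above depends on.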
We are using Microsoft.Identity.Web for a web app which calls the Microsoft Graph API, where MicrosoftIdentityOptions are configured in Startup from configuration. When secrets expire, or during regular key rotation, we update the secret. How do we update the configuration without an application restart?