The tutorial Search nearby points of interest using Azure Maps encourages the reader to make the Azure Maps authentication key public, but this is discouraged by the reference documentation. It's not clear whether keys are meant to be exposed in a client-side application or not.
The tutorial says:
Add the following JavaScript code to the GetMap function of the HTML file. Replace the string <Your Azure Maps Subscription Key> with the subscription key that you copied from your Azure Maps account.
The linked tutorial page for retrieving subscription keys says:
Open your Maps account in the portal.
In the settings section, select Authentication.
Copy the Primary Key and save it locally to use later in this tutorial.
But, the Authentication with Azure Maps page explicitly says:
Primary and Secondary keys should be treated as sensitive data. The shared key is used to authenticate all Azure Maps REST API. Users who use a shared key should abstract the API key away, either through environment variables or secure secret storage, where it can be managed centrally.
So, the tutorial is guiding new developers to make their primary key public, something discouraged by the reference documentation.
Is the tutorial correct (keys are okay to expose publicly) or is the reference documentation correct?
If keys are sensitive, then the tutorial should either be changed or have a clear, unmistakable warning about not exposing the keys in a real application.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
ID: fbc23125-006f-d643-9548-ea6d7bc2de60
Version Independent ID: 77704958-c3b6-d6aa-4f2b-d3794ae6df9c
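One way to follow the reference documentation's guidance quoted above (shared key held in an environment variable instead of the page source), as an added example that is not part of the original issue or of Microsoft's tutorial: a small Node.js proxy that the browser calls in place of the Azure Maps Search POI REST endpoint. The `/api/poi` route, the `AZURE_MAPS_KEY` and `MAPS_PROXY_PORT` variable names, and the parameter allow-list are assumptions.

```javascript
// Added example: keep the Azure Maps shared key on the server, never in client HTML/JS.
const http = require("node:http");

// Azure Maps Search POI REST endpoint; the shared key travels as `subscription-key`.
const UPSTREAM = "https://atlas.microsoft.com/search/poi/json";
// Only these client-supplied parameters are forwarded (allow-list chosen for this example).
const ALLOWED = ["query", "lat", "lon", "radius", "limit"];

// Build the upstream URL from the browser's query string plus the server-held key.
function buildUpstreamUrl(clientQuery, key) {
  if (!key) throw new Error("AZURE_MAPS_KEY is not set");
  const incoming = new URLSearchParams(clientQuery);
  const url = new URL(UPSTREAM);
  url.searchParams.set("api-version", "1.0");
  for (const name of ALLOWED) {
    const value = incoming.get(name);
    if (value !== null) url.searchParams.set(name, value);
  }
  if (!url.searchParams.has("query")) throw new RangeError("query is required");
  // Set last, from server state only: a client-sent subscription-key is never copied.
  url.searchParams.set("subscription-key", key);
  return url;
}

// Hypothetical /api/poi route that the page calls instead of atlas.microsoft.com.
function createProxy(key) {
  return http.createServer(async (req, res) => {
    const { pathname, search } = new URL(req.url, "http://localhost");
    if (req.method !== "GET" || pathname !== "/api/poi") {
      res.writeHead(404).end();
      return;
    }
    try {
      const upstream = await fetch(buildUpstreamUrl(search, key));
      res.writeHead(upstream.status, { "Content-Type": "application/json" });
      res.end(await upstream.text());
    } catch (err) {
      // Never echo the upstream URL or raw error: both can contain the key.
      const status = err instanceof RangeError ? 400 : 502;
      res.writeHead(status, { "Content-Type": "application/json" });
      res.end(JSON.stringify({ error: status === 400 ? err.message : "upstream error" }));
    }
  });
}

// Starts only when a port is configured, e.g. MAPS_PROXY_PORT=8080 node proxy.js
if (process.env.MAPS_PROXY_PORT) {
  createProxy(process.env.AZURE_MAPS_KEY).listen(Number(process.env.MAPS_PROXY_PORT));
}
```

The proxy route still needs the application's own authentication or rate limiting, otherwise anyone can spend the key's quota through it.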