OfficeDev / TeamsFx

Developer tools for building Teams apps

Obtain Client Secret From Key Vault #3330

Open grumpykiwi opened 2 years ago

grumpykiwi commented 2 years ago

Describe the bug I would like to be able to obtain the client secret and a few other things from Azure Key Vault. In .Net 5.0 I would set that up in program.cs. When I create a new app based off the toolkit, the client secret is written into the secrets.json file and named CLIENT_SECRET. This naming violates the rules for secret naming in the key vault. I have been unable to find any other reference to the client secret in code, but it appears to be used somewhere, as its absence or being renamed to ClientSecret will throw an error about a missing secret.

To Reproduce Steps to reproduce the behavior:

  1. Create new Teams Tab app
  2. Go to user secrets file
  3. Rename CLIENT_SECRET to ClientSecret
  4. Run the app
  5. See error below

Failed to get access token from authentication server: Value cannot be null. (Parameter 'clientSecret') ErrorWithCode.ServiceError: Failed to get access token from authentication server: Value cannot be null. (Parameter 'clientSecret') at He.generateAuthServerError (https://localhost:44357/_content/Microsoft.TeamsFx/teamsfx.js:15:81966) at He. (https://localhost:44357/_content/Microsoft.TeamsFx/teamsfx.js:15:79221) at Generator.throw () at s (https://localhost:44357/_content/Microsoft.TeamsFx/teamsfx.js:15:216)

Expected behavior This is what I expected. The name of the client secret appears to be hard coded into teamsfx.js. I would like to name it according to Azure Key Vault rules so I can use key vault in a production setting

VS Code Extension Information (please complete the following information):

Additional context I would like to be able to minimize the data in appsettings.json to only the values required to grab everything else from key vault. This will keep secret values out of GIT and configuration files in production.

Thanks

ghost commented 2 years ago

Thank you for contacting us! Any issue or feedback from you is quite important to us. We will do our best to fully respond to your issue as soon as possible. Sometimes additional investigations may be needed, we will usually get back to you within 2 days by adding comments to this issue. Please stay tuned.

JerryYangKai commented 2 years ago

@grumpykiwi This CLIENT_SECRET naming is hard-coded in the SimpleAuth nuget package; you can find it in the dependency. You can also find the entrance in startup.cs: services.AddTeamsFxSimpleAuth(Configuration); Its input is the configuration.

JerryYangKai commented 2 years ago

Add @blackchoey for more info. For future we will change the configuration naming, but for now, do we have some solutions to help our user to fix it?

blackchoey commented 2 years ago

Hi @grumpykiwi Since Key Vault has limitations on the secret name, the key vault provider provides a way to let you map the secret name to configuration name: https://docs.microsoft.com/en-us/dotnet/api/microsoft.extensions.configuration.azurekeyvault.ikeyvaultsecretmanager?view=dotnet-plat-ext-3.1 Can you try this way to map secret name to correct configuration name?

grumpykiwi commented 2 years ago

Thanks I’ll take a look at th


grumpykiwi commented 2 years ago

Thanks Jerry. Will take a look at this first thing in the morning


grumpykiwi commented 2 years ago

Hi

I followed the instructions (I think) but can't get it to compile. I created a standalone Blazor app to test with to avoid going through the chore of testing within Teams.

Program.cs

```csharp
using Azure.Identity;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Azure.KeyVault;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

namespace BlazorKeyVaultTest
{
    public class Program
    {
        public static void Main(string[] args)
        {
            CreateHostBuilder(args).Build().Run();
        }

        public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureAppConfiguration((context, config) =>
                {
                    var builtConfig = config.Build();
                    var certThumbprint = builtConfig.GetValue<string>("CertThumbprint");
                    var store = new X509Store(StoreLocation.LocalMachine);
                    store.Open(OpenFlags.ReadOnly);
                    var certs = store.Certificates.Find(X509FindType.FindByThumbprint, certThumbprint, false);
                    var tenantId = builtConfig.GetValue<string>("TenantId");
                    var clientId = builtConfig.GetValue<string>("ClientId");
                    var vaultName = builtConfig.GetValue<string>("KeyVaultName");
                    config.AddAzureKeyVault(
                        new Uri($"https://{vaultName}.vault.azure.net/"),
                        new ClientCertificateCredential(tenantId, clientId, certs.OfType<X509Certificate2>().Single()),
                        new PrefixKeyVaultSecretManager(builtConfig["WEBAPP_NAME"])); // this argument is the one the compiler rejects (error CS1503 below)

                    store.Close();
                })
                .ConfigureWebHostDefaults(webBuilder =>
                {
                    webBuilder.UseStartup<Startup>();
                });
    }
}
```

PrefixKeyVaultSecretManager.cs

```csharp
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Extensions.Configuration.AzureKeyVault;

public class PrefixKeyVaultSecretManager : IKeyVaultSecretManager
{
    private readonly string _prefix;

    public PrefixKeyVaultSecretManager(string prefix)
    {
        _prefix = $"{prefix}-";
    }

    public bool Load(SecretItem secret)
    {
        // var mySecret = secret;
        return true;
    }

    public string GetKey(SecretBundle secret)
    {
        return secret.SecretIdentifier.Name.Replace("-", "");
        // return $"KeyVaultObjects:{secret.SecretIdentifier.Name}";
    }
}
```

Index.razor

```razor
@page "/"
@using Microsoft.Extensions.Configuration
@using System.Linq
@inject IConfiguration Configuration

@.***

@code {
    public string str = "";
    const string SectionDelimiter = "_";

    protected override void OnInitialized()
    {
        base.OnInitialized();

        IConfigurationRoot root = (IConfigurationRoot) Configuration;
        foreach (var provider in root.Providers.ToList())
        {
            if (provider.ToString().Contains("AzureKeyVaultConfigurationProvider"))
            {
                var keyValues = provider.GetChildKeys(Enumerable.Empty<string>(), null);
                foreach (var key in keyValues)
                {
                    provider.TryGet(key, out var value);

                    str += $"Key: {key} - Value: {value}\r\n";
                }
            }
        }
    }
}
```

In the Azure Key Vault I defined a secret named Client-Secret

The text in green above (the PrefixKeyVaultSecretManager argument passed to AddAzureKeyVault in Program.cs) causes a compiler error.

Error CS1503 Argument 4: cannot convert from 'PrefixKeyVaultSecretManager' to 'Azure.Extensions.AspNetCore.Configuration.Secrets.KeyVaultSecretManager'

I am probably missing something obvious, but after fiddling with it for several hours, I am at a loss.

The PrefixKeyVaultSecretManager should return a config keyname of ClientSecret, which is what the Blazor app is expecting. ClientSecret was removed from the appsettings.json for this test scenario.

If I change IKeyVaultSecretManager to KeyVaultSecretManager in the PrefixKeyVaultSecretManager class, it will compile, but the class never seems to get called. I print out the values on my index.razor page and the key name from Key Vault is unchanged.

Ideas?


blackchoey commented 2 years ago

@grumpykiwi I noticed you're using another nuget package, so it's correct to change IKeyVaultSecretManager to KeyVaultSecretManager. You can find KeyVaultSecretManager documented in the Azure.Extensions.AspNetCore.Configuration.Secrets API.

For the problem of your PrefixKeyVaultSecretManager seemingly not being called, we need to try it on our side and get back to you later. In the meantime, can you also raise an issue at https://github.com/Azure/azure-sdk-for-net for the secret manager not being called? That way we can work in parallel to solve your problem.

grumpykiwi commented 2 years ago

If there is a different package I should try, let me know in order to try getting ikeyvaultsecretmanager to compile in the meantime.



blackchoey commented 2 years ago

@grumpykiwi Please keep using the Azure.Extensions.AspNetCore.Configuration.Secrets package and implementing the KeyVaultSecretManager class as you're doing now. I dug a little more and found that the package containing IKeyVaultSecretManager has been deprecated. I will work internally to make sure the document is up to date. Let's try to get your customized KeyVaultSecretManager to work.

grumpykiwi commented 2 years ago

Ahh. Sounds good. Explains things. Will work on it tomorrow thanks


grumpykiwi commented 2 years ago

I believe I fixed it.

Project file.csproj

```xml
<PackageReference Include="Azure.Identity" Version="1.5.0" />
<PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.2.0" />
<PackageReference Include="Microsoft.Extensions.Configuration.AzureKeyVault" Version="3.1.22" />
```

program.cs

```csharp
            .ConfigureAppConfiguration((context, config) =>
                {
                    // Bootstrap values (thumbprint, tenant, client id, vault name) come from
                    // the already-registered providers; only these stay in appsettings.json.
                    var builtConfig = config.Build();
                    var certThumbprint = builtConfig.GetValue<string>("CertThumbprint");
                    var store = new X509Store(StoreLocation.LocalMachine);
                    store.Open(OpenFlags.ReadOnly);
                    var certs = store.Certificates.Find(X509FindType.FindByThumbprint, certThumbprint, false);
                    var tenantId = builtConfig.GetValue<string>("TenantId");
                    var clientId = builtConfig.GetValue<string>("ClientId");
                    var vaultName = builtConfig.GetValue<string>("KeyVaultName");
                    var appName = builtConfig.GetValue<string>("WebAppName");
                    // Authenticate to Key Vault with the app's certificate rather than a stored secret.
                    var clientCertificateCredential = new ClientCertificateCredential(tenantId, clientId, certs.OfType<X509Certificate2>().Single());

                    var secretClient = new SecretClient(new Uri($"https://{vaultName}.vault.azure.net/"), clientCertificateCredential);

                    // The SecretClient overload is the one that accepts a KeyVaultSecretManager.
                    config.AddAzureKeyVault(secretClient,
                        new PrefixKeyVaultSecretManager(appName));

                    store.Close();

                })
```

PrefixKeyVaultSecretManager.cs

```csharp
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Security.KeyVault.Secrets;

public class PrefixKeyVaultSecretManager : KeyVaultSecretManager
{
    private readonly string _prefix;

    public PrefixKeyVaultSecretManager(string prefix)
    {
        _prefix = $"{prefix}-";
    }

    // Must be marked override, otherwise the base implementation runs and this is never called.
    public override bool Load(SecretProperties secret)
    {
        return true;
    }

    // Maps the Key Vault name (no underscores allowed) onto the configuration key,
    // e.g. "Client-Secret" -> "Client_Secret".
    public override string GetKey(KeyVaultSecret secret)
    {
        return secret.Name.Replace("-", "_");
    }
}
```

The key is a combo of the right packages and making sure the methods in PrefixKeyVaultSecretManager have the override keyword to make sure they actually get called. After that you can do all the string matching and replacing you need inside the GetKey() method. This will affect app start time apparently, but I haven't noticed any measurable differences.
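The following KeyVaultSecretManager is an added example, not the issue author's or the TeamsFx project's code. It builds on the fix above but also uses the prefix: Load() only admits secrets named "<appName>-..." so a vault shared by several apps does not load other apps' secrets into this app's configuration, and GetKey() strips the prefix and maps "Client-Secret" to "Client_Secret", which satisfies the case-insensitive configuration lookup for CLIENT_SECRET. The class name, the MapName helper and the sample names are assumptions; the "--" to ":" section convention is the one the base KeyVaultSecretManager uses.

```csharp
using System;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Security.KeyVault.Secrets;

// Example code (not from the thread). Assumed naming scheme in the vault:
//   "<appName>-Client-Secret"        -> configuration key "Client_Secret"
//   "<appName>-Storage--Connection"  -> configuration key "Storage:Connection"
public sealed class AppScopedKeyVaultSecretManager : KeyVaultSecretManager
{
    private readonly string _prefix;

    public AppScopedKeyVaultSecretManager(string appName)
    {
        if (string.IsNullOrWhiteSpace(appName))
            throw new ArgumentException("An app name is required to scope vault secrets.", nameof(appName));
        _prefix = appName + "-";
    }

    // Called once per secret listed in the vault. Returning false keeps secrets
    // that belong to other apps sharing the vault out of this app's IConfiguration.
    public override bool Load(SecretProperties secret)
        => secret.Name.StartsWith(_prefix, StringComparison.OrdinalIgnoreCase);

    // Called for every secret that Load() admitted. Drop the app prefix and map
    // the vault-legal name onto the key the app expects. .NET configuration keys
    // are case-insensitive, so "Client_Secret" resolves a lookup for "CLIENT_SECRET".
    public override string GetKey(KeyVaultSecret secret)
        => MapName(secret.Name.Substring(_prefix.Length));

    // Pure mapping rule, kept separate so it can be unit tested without a vault:
    // "--" becomes the ":" section separator (base-class convention), then any
    // remaining "-" becomes "_" because Key Vault names cannot contain underscores.
    public static string MapName(string nameWithoutPrefix)
        => nameWithoutPrefix.Replace("--", ":").Replace("-", "_");
}

// Registration uses the same call shape as the fix above (assumed variable names):
//   config.AddAzureKeyVault(secretClient, new AppScopedKeyVaultSecretManager(appName));
```

With this in place only the bootstrap values (vault name, tenant, client id, certificate thumbprint) need to live in appsettings.json; every secret, including the one SimpleAuth reads as CLIENT_SECRET, comes from the vault.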

blackchoey commented 2 years ago

Cool~ Congratulations @grumpykiwi ! Do you have any other questions regarding this issue?

grumpykiwi commented 2 years ago

As long as it is documented and/or the extension modified, I am happy.

Thanks for pointing me in the right direction.

blackchoey commented 2 years ago

Thanks. We already have a plan to improve the coding experience, so in the future you won't need to use a customized key vault secret manager to map your secret to another name.