我正在使用 Azure AD 身份验证开发一个网站。用户使用其 Azure AD 凭据登录。当用户调用网站操作时,Web 前端 (
Angular
) 调用 Web API 端点 (.Net 6
),将 Azure 访问令牌传递给 Web API。然后,端点调用 Azure Key Vault 以检索机密,然后执行其他工作。
目前,我可以通过使用 ClientSecretCredential 让 Web API 使用 Azure 服务主体检索 Key Vault Secret
var credential = new ClientSecretCredential(TenantId, ClientId, ClientSecret);
var client = new SecretClient(new Uri(VaultName), credential);
var success = await client.SetSecretAsync(secretName, value);
代码运行良好,但我想使用登录用户的凭据而不是服务主体帐户来检索保管库机密。 Web API 仅接收访问令牌,因此,我尝试从访问令牌构造一个
Azure.Core.TokenCredential
对象,但无济于事。文档中从 Azure.Core.TokenCredential
派生的类都没有可以执行此操作的构造函数。
Web 前端和 Web API 都托管在 Azure 外部。谁能告诉我如何实现我的目标?
Azure.Identity.AuthorizationCodeCredential
Azure.Identity.AzureCliCredential
Azure.Identity.AzureDeveloperCliCredential
Azure.Identity.AzurePowerShellCredential
Azure.Identity.ChainedTokenCredential
Azure.Identity.ClientAssertionCredential
Azure.Identity.ClientCertificateCredential
Azure.Identity.ClientSecretCredential
Azure.Identity.DefaultAzureCredential
Azure.Identity.DeviceCodeCredential
Azure.Identity.EnvironmentCredential
Azure.Identity.InteractiveBrowserCredential
Azure.Identity.ManagedIdentityCredential
Azure.Identity.OnBehalfOfCredential
Azure.Identity.SharedTokenCacheCredential
Azure.Identity.UsernamePasswordCredential
Azure.Identity.VisualStudioCodeCredential
Azure.Identity.VisualStudioCredential
Azure.Identity.WorkloadIdentityCredential
非常感谢。
这是我可以通过以下方法检索密钥保管库机密的方法
方法1:使用Azure.Identity.DefaultAzureCredential
已配置appsetting.json
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "microsoft.onmicrosoft.com",
"TenantId": "*********-*********-****-***********",
"ClientId": "*******-*******-*****-**********,
"CallbackPath": "/signin-oidc",
"ClientSecret": "********-******-*****-******",
"Scopes": "User.Read",
"ClientCertificates": []
},
"KeyVault": {
"VaultUri": "https://YourKeyvault.vault.azure.net/"
},
`控制器.cs
[HttpGet]
[Route("generate")]
public ActionResult<string> GenerateToken(string secretName)
{
string keyVaultUri = _configuration["KeyVault:VaultUri"];
var client = new SecretClient(new Uri(keyVaultUri), new DefaultAzureCredential());
try
{
KeyVaultSecret secret = client.GetSecret(secretName);
return Ok(secret.Value);
}
catch (RequestFailedException ex)
{
return BadRequest(ex.Message);
}
}
结果
在Vault中存储秘密名称
方法2:使用Azure.Identity.OnBehalfOfCredential
感谢@Stephen Cleary 的评论
根据 Azure.Identity,OnBehalfOfCredential 期望
clientSecret
也作为要传递的参数
控制器.cs
[HttpGet("{secretName}")]
public IActionResult GetSecret(string secretName)
{
try
{
var keyVaultUri = new Uri(_configuration["KeyVault:VaultUri"]);
var userAccessToken = HttpContext.GetTokenAsync("access_token").Result;
// Create an OnBehalfOfCredential
var onBehalfOfCredential = new OnBehalfOfCredential("tenantId", "clientId", "clientsecret",
userAccessToken);
var client = new SecretClient(keyVaultUri, onBehalfOfCredential);
var secret = client.GetSecret(secretName);
return Ok(secret.Value.Value);
}
catch (Exception ex)
{
return BadRequest($"Error: {ex.Message}");
}
}
结果