azure - 从应用程序设置 .net 6 应用程序访问客户端 key (Azure AD 身份验证)

Question

我有一个 .net 6 应用程序，使用 azure ad 进行身份验证。详情如下:

appsettings.json

"AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "",
    "ClientId": "",
    "TenantId": "",
    "CallbackPath": "/signin-oidc",
    "SignedOutCallbackPath ": "/signout-oidc"
    "ClientSecret": "@Microsoft.KeyVault(SecretUri=https://mykv.vault.azure.net/secrets/myclientsecret/)"

程序.cs

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                            .AddMicrosoftIdentityWebApp(Configuration)
                            .EnableTokenAcquisitionToCallDownstreamApi()
                            .AddInMemoryTokenCaches()
                            .AddDownstreamApi("MyService", Configuration.GetSection("MyService")); //MyService is also present in appsetting with baseurl and scopes

该应用程序部署在应用程序服务中，并具有以下应用程序设置: 名称:AzureAd__ClientSecret 值:@Microsoft.KeyVault(SecretUri=https://mykv.vault.azure.net/secrets/myclientsecret/)

我希望从 keyvault 读取 ClientSecret 值，并从 appsettings json 读取其余值。我怎样才能做到这一点？如果我在应用程序设置中对客户端 key 进行硬编码，它就可以工作。我很难理解为什么这不允许登录？

还添加了 RedirectURI。

应用服务配置快照

Answer 1

即使没有客户端 key ，我也能够进行身份验证和登录。

I expect the ClientSecret value read from keyvault and the rest to be read from the appsettings json.

我已在 appsettings.json 文件中设置了 key ClientSecret，但没有任何值。

我的appsettings.json:

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "*****.onmicrosoft.com",
    "TenantId": "**********",
    "ClientId": "**********",
    "CallbackPath": "/signin-oidc",
    "ClientSecret": ""
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "KeyVault": {
    "URI": "https://HarshuKV8June.vault.azure.net/"
  }
}

我的.csproj文件:

<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <Nullable>enable</Nullable>
    <ImplicitUsings>enable</ImplicitUsings>
    <UserSecretsId>aspnet-WebApplication2-f96bb6f0-eef0-4193-a9b3-6a006134f076</UserSecretsId>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="6.0.16" NoWarn="NU1605" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="6.0.16" NoWarn="NU1605" />
    <PackageReference Include="Microsoft.Identity.Web" Version="2.7.0" />
    <PackageReference Include="Microsoft.Identity.Web.UI" Version="2.7.0" />
  </ItemGroup>
</Project>

使用以下代码从 Azure Key Vault 检索客户端 key 。

使用以下任意一行代码从 KeyVault 检索 secret 值。

var ClientSecret = secretClient.GetSecret("ClientSecret").Value.Value;

或

var secretValue = await secretClient.GetSecretAsync("ClientSecret");

我的 Program.cs 文件:

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;
using System.ComponentModel;

var builder = WebApplication.CreateBuilder(args);


var KV = builder.Configuration["KeyVault:URI"];
var cred = new DefaultAzureCredential();
var secretClient = new SecretClient(new Uri(KV), cred);

var ClientSecret = secretClient.GetSecret("ClientSecret").Value.Value;
var secretValue = await secretClient.GetSecretAsync("ClientSecret");

//Setting the ClientSecret to the key in `appsettings.json` file
builder.Configuration["AzureAD:ClientSecret"] = ClientSecret;

//Retrieving the value from `appsettings.json` file
var setClientSecret = builder.Configuration.GetValue<string>("AzureAD:ClientSecret");

// Add services to the container.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization(options =>
{   
    options.FallbackPolicy = options.DefaultPolicy;
});
builder.Services.AddRazorPages()
    .AddMicrosoftIdentityUI();

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");  
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.MapControllers();
app.Run();

来自 KeyVault 的 ClientSecret 值:

在 AAD 中重定向 URI:

输出:

本地主机:

部署的应用程序: