What is the best/latest approach to authenticate to Azure Key Vault with a client application certificate

Published 2025-01-30 05:20:39 | 2549 characters | 3 views | 0 comments

I would like to retrieve Azure Key Vault secrets from a client application (outside of Azure) using certificate authentication for Azure Key Vault through Azure AD. My initial development is done through a dotnet console application, and eventually, I would like to use similar logic within a WCF web service hosted on an IIS server outside Azure (an on-premise server). I have everything set up on the cloud side: Azure Key Vault set up, client application registration, and a certificate within Azure Key Vault for client application authentication. I also install the same certificate in my local machine current user certificate store and on the Windows server hosting my WCF web service, so that I can retrieve the certificate from the store by using its thumbprint value:

var certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, certificateThumbprint, onlyAllowValidCerts);

I tried a couple of approaches to access Azure Key Vault secrets, but nothing has met the expectations I set up initially. I would like to know what the best/latest approach is to achieve what I want without compromising response time or using deprecated APIs.

1. Use AzureKeyVaultConfigurationProvider to retrieve secrets

Issues:
1.1) I have to use a few deprecated packages for this purpose.
1.2) Also, the performance (response time) to retrieve the secrets from Azure Key Vault and populate the AzureKeyVaultConfiguration is not ideal...

Code Example:

 // Create an IConfigurationRoot that pulls every secret from the vault at Build() time.
 // AddAzureKeyVault(url, clientId, ClientAssertionCertificate, manager) comes from the
 // legacy Microsoft.Extensions.Configuration.AzureKeyVault package (ADAL-based).
 IConfigurationRoot config = new ConfigurationBuilder()
     .AddAzureKeyVault(
         keyVaultUrl,                          // e.g. https://<vault>.vault.azure.net/
         CLIENT_ID,                            // app registration (client) id
         KeyVaultUtility.AssertionCert2,       // ClientAssertionCertificate built from the X509 cert
         new DefaultKeyVaultSecretManager())   // maps secret names to configuration keys
     .Build();
2. Use the AzureKeyVault package to create a KeyVault utility, then use the GetSecretAsync method:

Issues:
2.1) The Azure Key Vault package is deprecated.
2.2) When I use this logic with the WCF service and test locally, I run into the following error:
Method not found: 'Void Microsoft.Azure.KeyVault.KeyVaultClient..ctor(AuthenticationCallback, System.Net.Http.DelegatingHandler[])'.

Code Example:

 var client = KeyVaultUtility.GetClient();
 // GetSecretAsync(vaultBaseUrl, secretName) from Microsoft.Azure.KeyVault.
 // Blocking on .Result (sync-over-async) is what the WCF host forces here; it can
 // deadlock under a synchronization context, so prefer awaiting when the caller allows it.
 var secret = Task.Run(async () => await client.GetSecretAsync(keyVaultUrl, "Jon--Test")).Result.Value;

KeyVaultUtility logic:

 // AssertionCert is a ClientAssertionCertificate (ADAL) wrapping the app's X509 certificate;
 // it must be populated by Initialise() before GetClient() is called.
 public static KeyVaultClient GetClient()
 {
     if (AssertionCert == null)
     {
         throw new Exception("Call Initialise before calling GetClient.");
     }

     // KeyVaultClient asks the callback for a bearer token on every request that needs one;
     // the callback receives (authority, resource, scope) from the vault's 401 challenge.
     return new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(
         (a, r, s) => GetAccessToken(a, r, s, AssertionCert)));
 }

 // Client-credentials flow with a certificate assertion (ADAL AuthenticationContext).
 // TokenCache.DefaultShared reuses tokens across calls until they expire.
 private static async Task<string> GetAccessToken(string authority, string resource, string scope, ClientAssertionCertificate cert)
 {
     var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
     var result = await context.AcquireTokenAsync(resource, cert).ConfigureAwait(false);
     return result.AccessToken;
 }
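As an added example that is not part of the question or of any answer on this page, the same certificate-based flow written against the current Azure.Identity and Azure.Security.KeyVault.Secrets packages, which replace Microsoft.Azure.KeyVault and ADAL: the certificate is still looked up by thumbprint in the Windows store, a ClientCertificateCredential signs the client assertion, and a single SecretClient is reused so the credential's internal token cache avoids a token round trip per secret. Tenant id, client id, vault URI and thumbprint are assumed placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultSecretReader
{
    // Load the app registration's certificate from LocalMachine\My or CurrentUser\My by thumbprint.
    // validOnly: true rejects expired or untrusted certificates before they are used to sign anything.
    public static X509Certificate2 LoadCertificate(string thumbprint, StoreLocation location)
    {
        using var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: true);
        if (found.Count == 0)
            throw new InvalidOperationException($"No valid certificate {thumbprint} in {location}\\My.");
        if (!found[0].HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key; the IIS app pool identity needs read access to it.");
        return found[0];
    }

    // Build one client per vault and keep it for the process lifetime (it is thread-safe).
    // ClientCertificateCredential performs the client-credentials flow with a signed JWT assertion
    // and caches the resulting access token until shortly before expiry.
    public static SecretClient CreateClient(Uri vaultUri, string tenantId, string clientId, X509Certificate2 cert)
    {
        var credential = new ClientCertificateCredential(tenantId, clientId, cert);
        return new SecretClient(vaultUri, credential);
    }

    // GetSecretAsync takes the secret name only; the vault URI is bound to the client.
    public static async Task<string> GetSecretValueAsync(SecretClient client, string secretName)
    {
        KeyVaultSecret secret = await client.GetSecretAsync(secretName).ConfigureAwait(false);
        return secret.Value;
    }

    public static async Task Main()
    {
        // Placeholder values (assumed); replace with the app registration and vault in use.
        var cert = LoadCertificate("<certificate-thumbprint>", StoreLocation.LocalMachine);
        var client = CreateClient(new Uri("https://<vault-name>.vault.azure.net/"), "<tenant-id>", "<client-id>", cert);
        string value = await GetSecretValueAsync(client, "Jon--Test");
        Console.WriteLine(value.Length > 0 ? "secret retrieved" : "empty secret");
    }
}
```

In a WCF service, create the SecretClient once (for example in a static field) rather than per request, and let the async path flow to the operation where possible instead of blocking on .Result.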
