How to read XML appSettings from external file?

Question

There are a lot of similar questions and I have looked at every one I could find, to no avail.

I'm storing API keys for Google+ authentication in a .config file outside of my solution (in the same level as the solution folder).

I'm attempting to read the values back in Startup.Auth.cs, like so:

public void ConfigureAuth(IAppBuilder app)
{
    app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
    {
        ClientId = WebConfigurationManager.AppSettings.Get("GoogleClientId"),
        ClientSecret = WebConfigurationManager.AppSettings.Get("GoogleClientSecret")
    });
}

Root Web.config:

<appSettings file="..\Secrets.config"> <!-- Path is correct, relative to Web.config -->
  <add key="webpages:Version" value="3.0.0.0" />
  <add key="webpages:Enabled" value="false" />
  <add key="ClientValidationEnabled" value="true" />
  <add key="UnobtrusiveJavaScriptEnabled" value="true" />
</appSettings>

Secrets.config:

<configuration>
  <appSettings>
    <add key="GoogleClientId" value="shh" />
    <add key="GoogleClientSecret" value="shh" />
  </appSettings>
</configuration>

Answer 1

Did you try to verify that the secrets.config is copied after the build?

Verify that by right clicking on the file and viewing the properties that the build action of the file is set to copy always.

Answer 2

Remove the <configuration>...</configuration> tag from Secrets.config

Secrets.config:

<appSettings>
  <add key="GoogleClientId" value="shh" />
  <add key="GoogleClientSecret" value="shh" />
</appSettings>

Basically you make the appSettingssection the root of the external Secrets.config file.

The same can be done for connection strings using the configSource attribute except that...

Security - Unlike the Secrets.config file, the external connection strings file must be in the same directory as the root web.config file, so you'll have to take precautions to ensure you don't check it into your source repository.

Also try using the ConfigurationManager

app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
{
    ClientId = ConfigurationManager.AppSettings["GoogleClientId"],
    ClientSecret = ConfigurationManager.AppSettings["GoogleClientSecret"]
});

Referencing articles where I learned about it

Scott Hanselman

Best practices for private config data and connection strings in configuration in ASP.NET and Azure

Official MS documentation

Best practices for deploying passwords and other sensitive data to ASP.NET and Azure App Service

Answer 3

in a .config file outside of my solution (in the same level as the solution folder).

An IIS application is totally unaware of any folders outside of its virtual application folder. There is no "at the same level as a solution file" in the context of a web application because the solution file is not deployed with it.

If you want to put appSettings outside of your application folder, your only built-in choices are the root web.config file, or machine.config file, which are both global to the machine (but specific to the .NET framework version you are running on). See ASP.NET Configuration File Hierarchy and Inheritance.

But just for the record, it is easiest to manage in the long run if you keep application settings in your application's web.config file. Eventually, you will need to change to/add a new web server and you might be scratching your head for a while trying to work out why the settings no longer work when that time comes if they need to be placed outside of your virtual application folder.