bwmartens

Reputation: 350

Access KeyVault with Subject Name + Issuer Auth

I'm switching my AAD app over to Subject Name + Issuer auth and I believe I've done that correctly because I can get a token with my test app, but I don't understand how I can use SN+I to connect to KeyVault. The constructor for Azure.Security.KeyVault.Secrets.SecretClient takes a TokenCredential but none of the derived classes seem obviously related to SN+I auth. I'm not sure how to proceed with this scenario. Any tips would be appreciated!

Upvotes: 1

Views: 3105

Answers (2)

Craig Boucher

Reputation: 33

You probably want a ClientCertificateCredential constructed with ClientCertificateCredentialOptions.SendCertificateChain = true. It will include the x5c header in the client claims when acquiring a token, which enables subject name / issuer based authentication for the ClientCertificateCredential.

Upvotes: 1

bwmartens

Reputation: 350

I've gotten this scenario to work by creating my own "SniTokenCredential" class that inherits from TokenCredential. It retrieves a token like this:

// Inside the GetTokenAsync override of the custom TokenCredential (MSAL.NET, Microsoft.Identity.Client):
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(_applicationId)
    .WithAuthority($"https://login.microsoftonline.com/{_tenantId}")
    .WithCertificate(_certificate)
    .Build();
// WithSendX5C(true) adds the x5c header (the certificate's public chain) to the client assertion,
// which is what lets AAD authenticate the app by subject name + issuer.
AuthenticationResult authResult = await app.AcquireTokenForClient(requestContext.Scopes)
    .WithSendX5C(true)
    .ExecuteAsync(cancellationToken);

Then I can return an AccessToken like this:

// Azure.Core.AccessToken carries the token and its expiry back to the SDK client.
return new AccessToken(authResult.AccessToken, authResult.ExpiresOn);

Upvotes: 3
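A complete version of the custom credential from the accepted approach, wired into SecretClient, with the built-in ClientCertificateCredential route from the other answer shown as a commented alternative. This is an added example, not code from either poster; the class name SniTokenCredential follows the question, and the tenant, app, certificate and vault values are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Identity.Client;

// Hypothetical credential: wraps MSAL so Azure SDK clients can use SN+I auth.
public sealed class SniTokenCredential : TokenCredential
{
    private readonly IConfidentialClientApplication _app;
    public SniTokenCredential(string tenantId, string clientId, X509Certificate2 certificate)
    {
        // Build the MSAL app once so its in-memory token cache serves repeated GetToken calls.
        _app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
            .WithCertificate(certificate)
            .Build();
    }

    public override async ValueTask<AccessToken> GetTokenAsync(
        TokenRequestContext requestContext, CancellationToken cancellationToken)
    {
        // WithSendX5C(true) puts the certificate chain in the x5c header of the client
        // assertion; that is what lets AAD match the app by subject name and issuer.
        AuthenticationResult result = await _app.AcquireTokenForClient(requestContext.Scopes)
            .WithSendX5C(true)
            .ExecuteAsync(cancellationToken);
        return new AccessToken(result.AccessToken, result.ExpiresOn);
    }

    public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
        => GetTokenAsync(requestContext, cancellationToken).AsTask().GetAwaiter().GetResult();
}

public static class Program
{
    public static async Task Main()
    {
        // Placeholder values; replace with your tenant, app registration, certificate and vault.
        using var cert = new X509Certificate2("sni-cert.pfx", "<pfx-password>");
        TokenCredential credential = new SniTokenCredential("<tenant-id>", "<app-id>", cert);
        // Built-in alternative with the same effect (needs `using Azure.Identity;`):
        // credential = new ClientCertificateCredential("<tenant-id>", "<app-id>", cert,
        //     new ClientCertificateCredentialOptions { SendCertificateChain = true });
        var client = new SecretClient(new Uri("https://<vault-name>.vault.azure.net/"), credential);
        KeyVaultSecret secret = await client.GetSecretAsync("<secret-name>");
    }
}
```

Requires the Azure.Security.KeyVault.Secrets, Azure.Identity and Microsoft.Identity.Client packages; the app registration must have the certificate's issuer trusted for SN+I and the vault must grant the app secret read access.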