Stephan van Rooij

Software architect with a passion for home automation.

Securing credentials during development


Protecting client credentials for (multi-tenant) applications should be your highest priority, not only in production but also during development.

We developed a small application that helps you do just that. Use your Visual Studio credentials to sign a token request while the certificate stays in the KeyVault. You could even authorize developers to use the certificates in a KeyVault only when they need it, and de-authorize them when it’s no longer needed.


Client credentials

So you’re developing an application that talks to Microsoft Graph or your custom API. You’re probably using Postman or Insomnia to test the API.

Postman and Insomnia are great, but they don’t support using certificates as client credentials. So you’ll always need to create a client secret in the app registration. That secret is probably configured on the local machines of all the developers. Not really secure. Especially not if that application registration is also used in production. If all your developers already sign in to Visual Studio, they probably have credentials configured that might just work to access a resource in Azure.

Introducing KeyVault token proxy

We built a small open-source dotnet tool that uses the credentials already available to the developer to securely connect to a KeyVault and get a token signed with a certificate that never leaves the KeyVault.

  1. Install the token proxy: dotnet tool install --global Smartersoft.Identity.Client.Assertion.Proxy
  2. Start the proxy from the command line: az-kv-proxy
  3. Browse the Swagger documentation at http://localhost:{port}/swagger/index.html

KeyVault proxy endpoints

See documentation

Request an access token

Once you have this proxy running you have several ways to get a token for some application. To use this proxy you need to create a certificate in the KeyVault and add that certificate to an application registration.

Gather the required data:

| Parameter | Sample                                 | Description                                      |
|-----------|----------------------------------------|--------------------------------------------------|
| clientId  | 996ba276-df43-40af-8ffd-d1564b1c88a8   | The ID of the application you’re trying to use   |
| tenantId  | d198b314-13c1-4ad1-8526-92355369ec6c   | The ID of the tenant you want a certificate for  |
| scopes    | https://graph.microsoft.com/.default   | The scope you want to get a token for            |

Depending on which method you’re using you’ll need some extra information.

Pick the endpoint that you like best, and use it as described below for Insomnia or Postman.

Use KeyVault token proxy with Insomnia

I personally use Insomnia as a REST API test tool; it suits my needs and works quite intuitively. To use the KeyVault token proxy in Insomnia, just follow along.

  1. Create a new POST request to your token endpoint, /api/token/kv-certificate in this case.
  2. Set the required JSON body. I’m using variables here, but you can also configure it statically.
  3. Try the request with the Send button.
  4. Create a new request to the API where you want to use the token.
  5. Set the authentication to Bearer.
  6. In the token field, press CTRL + SPACE and select Response => Body attribute.
  7. Double-click the now red configuration.
  8. Select the token request, set Filter: $.accessToken, Trigger behavior: When expired and Max age: 3500. It should now show a token in the Live Preview window.

Every time you execute this request it will automatically get a new token (if the previous one expired) as long as the proxy is running.
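The same flow outside Insomnia, as an added example that is not part of the proxy project: build the JSON body from the parameter table, pick the token out of the response the way the $.accessToken filter does, and reuse it until the 3500-second max age passes. The body field names (clientId, tenantId, scopes as a list), the proxy port and the response shape are assumptions; check the Swagger page of your running proxy.

```python
import json
import time
import urllib.request

# Placeholder port; use the one az-kv-proxy prints when it starts.
PROXY_URL = "http://localhost:5000"


def build_token_request(client_id, tenant_id, scopes):
    """JSON body for POST /api/token/kv-certificate (field names assumed)."""
    if isinstance(scopes, str):
        scopes = [scopes]
    return {"clientId": client_id, "tenantId": tenant_id, "scopes": scopes}


def extract_access_token(response):
    """Same selection as the Insomnia filter $.accessToken, with a sanity check."""
    token = response.get("accessToken")
    if not isinstance(token, str) or not token:
        raise ValueError("proxy response does not contain an accessToken")
    return token


def fetch_from_proxy(body, proxy_url=PROXY_URL):
    """POST the body to the running proxy; needs az-kv-proxy and a signed-in developer."""
    req = urllib.request.Request(
        f"{proxy_url}/api/token/kv-certificate",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ProxyTokenCache:
    """Mirror Insomnia's 'When expired, max age 3500': reuse the token until it is
    max_age seconds old, then ask the proxy for a fresh one."""

    def __init__(self, fetch=fetch_from_proxy, max_age=3500, clock=time.monotonic):
        self._fetch, self._max_age, self._clock = fetch, max_age, clock
        self._token, self._fetched_at, self.fetch_count = None, 0.0, 0

    def get(self, body):
        now = self._clock()
        if self._token is None or now - self._fetched_at >= self._max_age:
            self._token = extract_access_token(self._fetch(body))
            self._fetched_at, self.fetch_count = now, self.fetch_count + 1
        return self._token


def bearer_header(token):
    """Header for the API request that consumes the token (step 5 above)."""
    return {"Authorization": f"Bearer {token}"}
```

Construct the cache with `fetch=fetch_from_proxy` (the default) to talk to a real proxy; inject another callable to exercise the caching logic offline.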

Token request in Insomnia

Body request settings in Insomnia

Use KeyVault token proxy with Postman

You can also use this proxy with Postman. Someone else already wrote a great post on how that should work; see this Postman blog.

Like it?

If you really like this proxy or if you have a very good reason why this is a bad idea, please let me know.

Dotnet tool

I had never built a dotnet tool before, so this was also a nice experiment. The resulting tool is a small web API with Swagger UI, packaged as a dotnet tool. It is published through NuGet.

Creating a dotnet tool is a great way to package a small command line application. To create a dotnet tool package from an existing dotnet core application you only need to add a few lines to your project file and call dotnet pack.

Extract all Azure AD admin accounts


PowerShell is pretty powerful for all kinds of administrative tasks, especially if you load some extra modules. We use the AzureAD module for a lot of tasks that can be (semi-)automated with a script. In this post I described how to extract all users from Azure AD as a regular user, and what you should do about it.

Extracting users isn’t the only thing you can do with Azure AD PowerShell, and this page shows how to export all Azure AD global admins (which can be done by ANY user in your tenant unless you take action against that).

Access Azure AD protected API with managed Identity


Managed identities are a great way to improve the security of your application. Microsoft “manages” the rotation of secrets and makes sure they cannot be extracted or used anywhere outside their platform. That is the reason I’m a big fan of Managed Identities!

You should use managed identities wherever possible. It’s possible to use managed identities for accessing (custom) APIs, and that is exactly what I’ll be explaining in this post. At the end you will be able to call any Azure AD protected API using a managed identity.
