Azure Key Vault Authentication failing from desktop application

Shashikant Sharma 65 Reputation points
2024-07-08T10:49:19.2+00:00

I am trying to access Azure Key Vault from my Electron desktop application. My app is registered on Azure, but I don't want to expose my app secret to create credentials, and since my app isn't hosted on Azure, DefaultAzureCredential is not yielding the desired results and behaves differently for different users on different machines.

I tried using ClientAssertionCredential as follows

import { ClientAssertionCredential } from "@azure/identity";
import { SecretClient } from "@azure/keyvault-secrets";

const tokenCredential = new ClientAssertionCredential(
  'my-tenant-Id',
  'my-registered-app-client-Id',
  async () => userIdToken // app-specific callback returning the logged-in user's auth ID token
);

const secretClient = new SecretClient('key vault uri', tokenCredential);

But I am getting a runtime exception:

"Error while connecting Azure Vault AuthenticationRequiredError: invalid_client: AADSTS70025: Client application has no configured federated identity credentials."

Any solution for the error?


2 answers

  1. Deepanshukatara-6769 7,350 Reputation points
    2024-07-08T12:13:43.4233333+00:00

    Hi Shashi, Welcome to MS Q&A

    The error message "AADSTS7000215: Invalid client secret provided." means that the client secret is incorrect or expired either in the app registration or in a different reference.

    To resolve this issue, you should validate that your app registration has the correct value recorded for the client secret and ensure that all of the following values are correctly configured:

    User's image

    Then, since you are using Key Vault, you need to create a secret with a name of your choice in the Key Vault and copy the client secret from the app registration into the “value” field of the Key Vault secret. https://learn.microsoft.com/en-us/azure/databricks/sql/admin/data-access-configuration#--configure-a-service-principal

    See example:

    PUT https://myvault.vault.azure.net/secrets/crpsecret?api-version=7.4

    {
      "value": "mysecretvalue"
    }

    If you have already done these steps and verified that the client secret in the app registrations matches the value field in the Key Vault secret, you can troubleshoot the following:

    1. Verify that the unexpired secret's expiration date is reflected properly. You can check the expiration date of the client secret in the Azure portal and generate a new secret if it has expired.
    2. Ensure that the client secret is not being modified or corrupted during copy-pasting. Sometimes extra spaces or characters can be added while copying the client secret. Validate that the client secret is copied correctly and without any extra characters.
    3. Check if the client secret is being referenced correctly in all of your config settings. Ensure that the client secret is being referenced by its value and not its ID.

    If none of the above steps work, please provide more information about and screenshots of your app registration so that I can assist you better.

    Additionally, there are some good external resources on the databricks forums: https://community.databricks.com/s/question/0D53f00001lvKfHCAU/how-do-i-configure-an-azure-databricks-external-metastore-to-use-a-service-principal-rather-than-a-sql-user-for-authentication

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.

    Thanks

    Deepanshu


  2. Bruce (SqlWork.com) 60,391 Reputation points
    2024-07-08T16:02:33.8766667+00:00

    Your use case is not clear. ClientAssertionCredential is used by an Azure-hosted service to allow the service to get its service principal access token from an authorized user token. It is not used by desktop applications.

    Your desktop app should be calling a web API that authenticates the user/app, then accesses the Key Vault on behalf of the user. Your desktop app can then store the returned key in a secure persistent store.
