This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 23%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
I have run the Microsoft AAD B2C Sample webapp (called todolistclient) from GitHub (see 4-2-B2C) with some small enhancements such as using a redis server to cache AAD B2C authentication tokens. (As discussed in how-to-use-aad-with-kubernetes.html, I'm using the caching approach instead of OAUTH2_PROXY). This is working on my desktop development machine and is successfully authenticating me (using my AAD B2C tenant) when using my Microsoft Email account and my facebook account (with no docker/kubernetes).
I have been also following Create an ingress controller with a static public IP address in Azure Kubernetes Service (AKS) to deploy this to a kubernetes cluster.
Now when I launch chrome from cygwin bash using "chrome https://$PUBLIC_TODO_AKS_DNS/todolistclient" where todolistclient is the path in ingress and PUBLIC_TODO_AKS_DNS is the environment variable that contains the AKS domain name, my AADB2C tenant briefly appears in the browser's address bar indicating that it is successfully passing thru the kubernetes/ingress proxy and my todolistclient is trying to authenticate with my AADB2C tenant (indicating that I have updated my the reply URL in my tenant correctly by inserting "/todolistclient" immediately prior to "/signin-oidc").
However I get this in the browser:
Error.
An error occurred while processing your request.
Request ID: |a24109a5-489efbc4165cb4ae.
Development Mode
Swapping to Development environment will display more detailed information about the error that occurred.
Development environment should not be enabled in deployed applications, as it can result in sensitive information from exceptions being displayed to end users. For local debugging, development environment can be enabled by setting the ASPNETCORE_ENVIRONMENT environment variable to Development, and restarting the application.
© 2018 - WebApp_OpenIDConnect_DotNet
OK, I go back to the source and modify the configure function to always be in dev mode:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IHostApplicationLifetime lifetime, IDistributedCache cache)
{
app.UsePathBase(new Microsoft.AspNetCore.Http.PathString("/todolistclient"));
if (true || env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
I explicitly use VS2019 to rebuild and publish and I get the same error message from the browser...
How could this be? It looks like my changes to always use dev mode were never deployed. However, I check Dockerhub and see that I have a recent deployment and the digest matches the digest I see when I describe the todolistclient pod.
VS2019 said the rebuild was successful and the deployment was successful...
Whoops! I see the instructions concerning ASPNETCORE_ENVIRONMENT so I edit my yaml for the Kubernetes deployment and service and redeploy again... No luck... Same error message.
Also have deployed another another ASP.NET Core Sample WebApp callled KubernetesHelloASPNET that does not authenticate to the same Ingress/Kubernetes cluster (with a different ingress path, of course). This works fine.
So I deleted my AKS cluster to save money. If the Microsoft AAD team would like me to bring it up again so you can reproduce the problem, let me know. I was hesitating to publish my domain name to the public internet for security reasons.
Thanks
Siegfried
Tue Sep 29 2020 Evening Update
I forgot to use kubectl to look at the pod logs... Looks like I'm not authenticating.... It does not prompt me for username and password possibly because it is remembering my creds via some cookies. I still don't know what is wrong, however. This todolistclient authenticates via AAD B2C on my desktop with no docker/kubernetes just fine.
^[[40m^[[1m^[[33mwarn^[[39m^[[22m^[[49m: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[60]
Storing keys in a directory '/root/.aspnet/DataProtection-Keys' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed.
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[0]
User profile is available. Using '/root/.aspnet/DataProtection-Keys' as key repository; keys will not be encrypted at rest.
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[58]
Creating key {79d67135-9201-4407-bb1d-9ff9177226fc} with creation date 2020-09-29 22:48:37Z, activation date 2020-09-29 22:48:37Z, and expiration date 2020-12-28 22:48:37Z.
^[[40m^[[1m^[[33mwarn^[[39m^[[22m^[[49m: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
No XML encryptor configured. Key {79d67135-9201-4407-bb1d-9ff9177226fc} may be persisted to storage in unencrypted form.
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[39]
Writing data to file '/root/.aspnet/DataProtection-Keys/key-79d67135-9201-4407-bb1d-9ff9177226fc.xml'.
^[[40m^[[1m^[[33mwarn^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Server.Kestrel[0]
Overriding address(es) 'http://+:80'. Binding to endpoints defined in UseKestrel() instead.
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.Hosting.Lifetime[0]
Now listening on: http://0.0.0.0:80
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.Hosting.Lifetime[0]
Now listening on: http://0.0.0.0:443
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.Hosting.Lifetime[0]
Application started. Press Ctrl+C to shut down.
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.Hosting.Lifetime[0]
Hosting environment: Development
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.Hosting.Lifetime[0]
Content root path: /app
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Hosting.Diagnostics[1]
Request starting HTTP/1.1 GET http://siegdnsname.westus2.cloudapp.azure.com/todolistclient/MicrosoftIdentity/Account/Error
^[[40m^[[1m^[[33mwarn^[[39m^[[22m^[[49m: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]
Failed to determine the https port for redirect.
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[7]
OpenIdConnect was not authenticated. Failure message: Not authenticated
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Routing.EndpointMiddleware[0]
Executing endpoint '/Account/Error'
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker[3]
Route matched with {page = "/Account/Error", area = "MicrosoftIdentity", action = "", controller = ""}. Executing page /Account/Error
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker[101]
Executing handler method Microsoft.Identity.Web.UI.Areas.MicrosoftIdentity.Pages.Account.ErrorModel.OnGet - ModelState is Valid
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker[102]
Executed handler method OnGet, returned result .
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker[103]
Executing an implicit handler method - ModelState is Valid
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker[104]
Executed an implicit handler method, returned result Microsoft.AspNetCore.Mvc.RazorPages.PageResult.
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker[4]
Executed page /Account/Error in 105.3644ms
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Routing.EndpointMiddleware[1]
Executed endpoint '/Account/Error'
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished in 652.2536ms 200 text/html; charset=utf-8
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Hosting.Diagnostics[1]
Request starting HTTP/1.1 GET http://siegdnsname.westus2.cloudapp.azure.com/todolistclient/css/site.css
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Hosting.Diagnostics[1]
Request starting HTTP/1.1 GET http://siegdnsname.westus2.cloudapp.azure.com/todolistclient/lib/bootstrap/dist/js/bootstrap.js
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[2]
Sending file. Request path: '/lib/bootstrap/dist/js/bootstrap.js'. Physical path: '/app/wwwroot/lib/bootstrap/dist/js/bootstrap.js'
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[2]
Sending file. Request path: '/css/site.css'. Physical path: '/app/wwwroot/css/site.css'
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished in 9.0463ms 200 application/javascript
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished in 11.4568ms 200 text/css
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Hosting.Diagnostics[1]
Request starting HTTP/1.1 GET http://siegdnsname.westus2.cloudapp.azure.com/todolistclient/lib/bootstrap/dist/fonts/glyphicons-halflings-regular.woff2
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[2]
Sending file. Request path: '/lib/bootstrap/dist/fonts/glyphicons-halflings-regular.woff2'. Physical path: '/app/wwwroot/lib/bootstrap/dist/fonts/glyphicons-halflings-regular.woff2'
^[[40m^[[32minfo^[[39m^[[22m^[[49m: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished in 3.0211ms 200 font/woff2
Mon Oct 05 2020 Morning Update
I've been trying to cut and paste this code from KrishnenduGhosh's link and I'm having some trouble.
var storageAccount = CloudStorageAccount.Parse("<storage account connection string">);
var client = storageAccount.CreateCloudBlobClient();
var container = client.GetContainerReference("<key store container name>");
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(
azureServiceTokenProvider.KeyVaultTokenCallback));
services.AddDataProtection()
//This blob must already exist before the application is run
.PersistKeysToAzureBlobStorage(container, "<key store blob name>")
//Removing this line below for an initial run will ensure the file is created correctly
.ProtectKeysWithAzureKeyVault(keyVaultClient, "<keyIdentifier>");
(1) PersistKeysToAzureBlobStorage does not compile and I'm wondering which override I should use. I was thinking about calling it with the
(a) blob connection string,
(b) a container name string (is the same name I passed to GetContainerReference and used with the "az storage container create command"?) and
(c) the blob name (is this just a name I make up that is never used again?).
(2) ProtectKeysWithAzureKeyVault does not compile either. It cannot convert the keyVaultClient to a system.Uri, and cannot convert my keyVaultKeyname string to a Azure.Core.TokenCredential. Can you provide me some guidance on providing a URI and creating a TokenCredential? There are many descendants of TokenCredential. Which one would be appropriate when running inside the ConfigureServices functions of an ASP.NET Core Web App inside a K8 replica set?
Tue Nov 10 2020 Morning Update:
services.AddDataProtection()
//This blob must already exist before the application is run
.PersistKeysToAzureBlobStorage("<storage account connection string", "<key store container name>", "<key store blob name>")
//Removing this line below for an initial run will ensure the file is created correctly
.ProtectKeysWithAzureKeyVault(new Uri("<keyIdentifier>"), new DefaultAzureCredential());
Here is my actual code as printed in my pod log:
var dpd= services.AddDataProtection();
dpd=dpd.PersistKeysToAzureBlobStorage(connectionString: storageConnection, containerName: "dataprotection", blobName: "keys.xml");
//dpd=dpd.ProtectKeysWithAzureKeyVault(keyIdentifier: new Uri("https://keyvaultname.vault.azure.net/keys/keyvaultkeyname/") /*vault key identifier used for key encryption*/, tokenCredential: new DefaultAzureCredential()) ;
services.AddDistributedMemoryCache();
As per the comments I commented out the call to ProtectKeysWithAzureKeyVault. However, when I visit the web site I see these errors in the pod log:
Request starting HTTP/1.1 GET http://xxxxxxxxxxx.westus2.cloudapp.azure.com/todolistclient
[40m [1m [33mwarn [39m [22m [49m: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]
Failed to determine the https port for redirect.
[40m [32minfo [39m [22m [49m: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[7]
OpenIdConnect was not authenticated. Failure message: Not authenticated
[40m [32minfo [39m [22m [49m: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed.
[40m [32minfo [39m [22m [49m: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[12]
AuthenticationScheme: OpenIdConnect was challenged.
[40m [32minfo [39m [22m [49m: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished in 1375.6286ms 302
[40m [32minfo [39m [22m [49m: Microsoft.AspNetCore.Hosting.Diagnostics[1]
Request starting HTTP/1.1 GET http://xxxxxx.westus2.cloudapp.azure.com/todolistclient/MicrosoftIdentity/Account/Error
[40m [32minfo [39m [22m [49m: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[7]
OpenIdConnect was not authenticated. Failure message: Not authenticated
[40m [32minfo [39m [22m [49m: Microsoft.AspNetCore.Routing.EndpointMiddleware[0]
Executing endpoint '/Account/Error'
Is this an AAD problem or an azure storage problem or ASP.NET DataProtection problem? I thought about using fiddler to look at the traffic, but I don't know how to do that when it is running inside a K8 cluster...
The browser display indicated that I should turn on developer mode by setting ASPNETCORE_ENVIRONMENT=Development and I confirmed that this is true with my log statements in Startup. Nevertheless, the browser display did not provide any helpful details and indicated that I was not in developer mode.
Here is the actual error on the browser display:
An error occurred while processing your request.
Request ID: |4323a307-4096636ba1555539.
Development Mode
Swapping to Development environment will display more detailed information about the error that occurred.
Development environment should not be enabled in deployed applications, as it can result in sensitive information from exceptions being displayed to end users. For
local debugging, development environment can be enabled by setting the ASPNETCORE_ENVIRONMENT environment variable to Development, and restarting the
application.
© 2018 - WebApp_OpenIDConnect_DotNet
How do I turn developer mode on?
Mon Dec 14 2020 Update:
Progress: I am using redis to cache my AADB2C tokens and apparently Kubernetes requires my redis server to be in the same namespace as my todolistclient and the stack trace for the failure to connect to the redis server does not show up in the kubernetes pod logs for some strange reason... But it does show up in Bridge to Kubernetes... That problem is now fixed...
So I configure and deploy my web app and configure ingress and point my EDGE browser at my todolistclient via the ingress controller. I get the unhelpful display above
in the browser because developer mode is turned off and apparently it cannot be turned on while in Kubernetes. I check my browser for the cookies for the site and I delete the single cookie and try again... No change... At no time does my AADB2C tenant prompt me for credentials like it used to do when running with no docker and no kubernetes.
I believe this is a AADB2C problem. I have a public static IP and domain for my exposed ingress controller inside my kubernetes cluster. The ingress controller seems to be configured correctly because it is successfully forwarding traffic to the todolistclient and some other test sites inside my AKS cluster.
From the todolistclient pod logs I see:
Request starting HTTP/1.1 POST http://xxxxxxxxxxxxxx.westus2.cloudapp.azure.com/todolistclient/signin-oidc application/x-www-form-urlencoded 754
[40m [1m [33mwarn [39m [22m [49m: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[15]
'.AspNetCore.Correlation.OpenIdConnect.qbq-89SbFqA57KLy9tkNPeqsUmuukOrdAoCLv_CAA4Q' cookie not found.
[40m [32minfo [39m [22m [49m: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[4]
Error from RemoteAuthentication: Correlation failed..
[40m [32minfo [39m [22m [49m: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished in 22.7751ms 302
[40m [32minfo [39m [22m [49m: Microsoft.AspNetCore.Hosting.Diagnostics[1]
Request starting HTTP/1.1 GET http://xxxxxxxxxxxx.westus2.cloudapp.azure.com/todolistclient/MicrosoftIdentity/Account/Error
[40m [32minfo [39m [22m [49m: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[7]
OpenIdConnect was not authenticated. Failure message: Not authenticated
[40m [32minfo [39m [22m [49m: Microsoft.AspNetCore.Routing.EndpointMiddleware[0]
Executing endpoint '/Account/Error'
In the ingress pod logs I see this:
10.244.1.1 - - [15/Dec/2020:02:18:57 +0000] "GET /todolistclient/MicrosoftIdentity/Account/SignIn HTTP/2.0" 302 0
"https://xxxxxxxxxxx.westus2.cloudapp.azure.com/todolistclient/MicrosoftIdentity/Account/Error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60" 57 0.006 [ingress-basic-todolistclient-80] [] 10.244.0.7:80 0 0.004 302
<bighexnumber>
10.244.1.1 - - [15/Dec/2020:02:18:57 +0000] "POST /todolistclient/signin-oidc HTTP/2.0" 302 0 "https://mytenantname.b2clogin.com/" "Mozilla/5.0 (Windows NT
10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60" 792 0.002 [ingress-basic-todolistclient-80] []
10.244.0.7:80 0 0.000 302 8 <another big hex number>
10.244.1.1 - - [15/Dec/2020:02:18:57 +0000] "GET /todolistclient/MicrosoftIdentity/Account/Error HTTP/2.0" 200 1044 "https://myaadb2ctenant.b2clogin.com/"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60" 56 0.006 [ingress-basic-
todolistclient-80] [] 10.244.0.7:80 2788 0.008 200 <yetanotherbighexnumber>
The AADB2C callback looks correct, the client web site URLs look, and my tenant URL looks correct...
So it is not authenticating because "Correlation failed..." what does that mean and how do I fix it?
Fri Jan 08 2021 Update:
Progress: I can now run the example 4-2-B2C inside Azure Kubernetes and authenticate the client...
(1) How do I confirm that my calls to AddDataProtection...PersistKeysToAzureBlobStorage...PersistKeysToAzureBlobStorage are working? I enhanced the C# client to add a cookie and it looks like the cookie is persisting in between sesssions... I was hoping to see evidence of this by downloading the blob but it was not obvious after looking at the contents of the blob... Is there a better way to confirm that DataProtection is working?
(2) Now I want to run the REST server part as a kubernetes service... Is the technique the same?
(2A) Add a calls to AddDataProtection...PersistKeysToAzureBlobStorage...PersistKeysToAzureBlobStorage and specify a different blob name?
(2B) Do I need to also call AddDistributedRedisCache like I do in the client? Can I use the same redis cache as I use for the client?
Thank you
Siegfried
@Siegfried Heintze
Thanks for your post and all the details!
I've reached out to my team regarding this issue and will update you as soon as possible.
If you have any questions in the meantime, please let me know.
Thank you for your time and patience throughout this issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 79%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKG%3C/text%3E%3C/svg%3E)
It looks like you have not configured asp.net core Data Protection suitable for a deployed environment. Please follow https://learn.microsoft.com/aspnet/core/security/data-protection/configuration/overview to persist in shared store.
Also, on a side note, 4-2-B2C has been updated recently to use the latest Microsoft Identity Web packages which is now GA (so far was in preview).
I saw your response yesterday and started studying that link... Thanks for the prompt response... I'll be studying more today...
See my update. Some sample code that compiles would be greatly appreciated.
Install the below nugets:
Then the code:
services
.AddDataProtection()
.PersistKeysToAzureBlobStorage("<connection string>", "<container name>", "<blob name>")
.ProtectKeysWithAzureKeyVault(new Uri("<Key-ID>"), new ClientSecretCredential("<tenant id>", "<client id>", "<client secret>"));
Note "<Key-ID>" above should be like "https://{keyvault-name}.vault.azure.net/keys/{key-name}"
You can also access KeyVault using Managed Service Identity, but leaving that for now.
Please tell me more about the client stuff. When I "az login" I see a tenantId and an "id" and my subscription. Is this "id" the clientId I want? Do I use this tenantId ?
This tenantID is different than my AADB2C tenant I created to authenticate.
How do I get the client secret?
Tenant ID is the Azure AD tenant of your Azure subscription (different than B2C).
Client ID and Secret are credentials for Azure AD application to authenticate to key vault. https://learn.microsoft.com/en-us/azure/key-vault/general/authentication
To create an AAD app with credential to use for key vault auth, follow https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
Wow! A lot to read. Thank you...
I'm thinking that to use the DataProtection feature (which is to share cookies and tokens with other instances of the Kestrel web server-- correct?) the SAS approach is overkill. Do you agree?
Now what about System v User assigned managed entity? I'm thinking that K8 replica sets could place different instances of the Kestrel web server on different VMs and therefor I would need user assigned managed entities?
This looks good for user assigned managed entities: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli
This looks good except it uses System Assigned Managed Entities: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage. Can the approach used here work with user assigned managed entities?
I'm thinking that to use the DataProtection feature (which is to share cookies and tokens with other instances of the Kestrel web server-- correct?) the SAS approach is overkill. Do you agree?
Not sure if I fully understood what you meant.
And regarding managed identity for AKS, as I already shared a couple of replies above, this is the one to follow https://learn.microsoft.com/azure/aks/use-managed-identity
Updated official documentation Configure ASP.NET Core Data Protection.
As per the comments I commented out the call to ProtectKeysWithAzureKeyVault.
Not sure which comment, you are referring. Without that code, how will it get the common encryption key?
Krishnendu:
Yahoo! I have been eagerly awaiting your response!
Please see this page. Let me redundantly paste the code here from that web page:
services.AddDataProtection()
//This blob must already exist before the application is run
.PersistKeysToAzureBlobStorage(...)
**//Removing this line below for an initial run will ensure the file is created correctly**
.ProtectKeysWithAzureKeyVault(new Uri("<keyIdentifier>"), new DefaultAzureCredential())
See Jona W's blog. Is it reasonable to get the PersistKeysToAzureBlobStorage working first and then add ProtectKeysWithAzureKeyVault? Is it reasonable that AAD B2C authentication should work w/o the keyvault?
We recommended upgrading to the Azure.Extensions.AspNetCore.DataProtection.Blobs and Azure.Extensions.AspNetCore.DataProtection.Keys packages because the API provided automatically creates the blob if it doesn't exist.
Krishnendu:
Thanks! I forgot to mention that I had already done this.
So I'm looking at visual studio and for Azure.Extensions.AspNetCore.DataProtection.Blobs it says I am using the latest stable v 1.0.1 (and this is also the latest) and for Azure.Extensions.AspNetCore.DataProtection.Keys I have the latest stable v 1.0.2 (and this is also the latest).
I believe I have followed your recommendation. It appears that it has automatically created the blob. Does this mean that I no longer need to comment out the call to "ProtectKeysWthAzureKeyVault" on the first try?
Nevertheless, should it have still worked with having commented out the "ProtectKeysWithAzurekeyVault"?
Siegfried
OK, I ran it again and used beyondcompre to compare the log files after having uncommented the line to call
dpd.ProtectKeysWithAzureKeyVault(keyIdentifier: new Uri("https://kv-todo-temp.vault.azure.net/keys/kvk-todo/") /*vault key identifier used for key encryption*/, tokenCredential: new DefaultAzureCredential()) ;
The only change was in the log files: the connection string for the storage account changed as a result of
az.cmd storage account show-connection-string -g $AZ_RESOURCE_GROUP_NAME -n $AZ_STORAGE_ACCOUNT
This surprises me... will I have to always run this command before restarting the web app?
The error message in the browser was identical.
I am eagerly awaiting your guidence...
Thanks
Siegfried
If you have not setup managed identity, can you change
tokenCredential: new DefaultAzureCredential())
to
tokenCredential: new ClientSecretCredential("<tenant id>", "<client id>", "<client secret>"))
'DefaultAzureCredential' expects you to setup managed identity or environmental variable like below. If not, you should explicitly set 'ClientSecretCredential' with you own AAD app credential. But make sure, you give the identity proper permission to keys in keyvault. https://learn.microsoft.com/azure/key-vault/general/assign-access-policy-portal
Regarding storage account connection string, it should not change on it's own. So there must have been someone regenerated storage account key. Use the updated connection string. No you do not need to do that every time unless you change storage key.
Ok, I tried both approaches
(1) As per your link use-managed-identity I did
az aks create -g rg-todo-temp -n aks-todo-006 --enable-managed-identity
az aks show -g rg-todo-temp -n aks-todo-006 --query "identity"
az identity list
I then used portal.azure.com to add the newly created identities to the access control (as contributors and storage blob contributors) to my storage account and the key vault. I deleted and re-deployed my AADB2C web app and observed the same errors in the pod logs and browser.
(2) I also tried the approach of
az.cmd aks create -g rg-todo-temp -n aks-todo-006 --service-principal xxxxxxxxxxxxxxxxxxxxxxx --client-secret xxxxxxxxxxxxxxxxxxxxxxxxx
This service principle was added (using the portal.azure.com) as both a contributor and storage blob contributor to the storage account. I used the
tokenCredential: new ClientSecretCredential("<tenant id>", "<client id>", "<client secret>"))
and killed the web app deployment and deployed again and same errors.
I eagerly await your next response!
Thanks
Siegfried
For the key vault, you need add the identity in the "Access Policy', not 'Access Control' with Key permissions. https://learn.microsoft.com/azure/key-vault/general/assign-access-policy-portal. Did you do that? Sorry was not too sure from your reply, so reconfirming.
Oops! I confused access control with access policy and I did not add an identity access policy on Saturday...
Consider strategy #1: I use
az.cmd aks create -g rg-todo-temp -n aks-todo-006 --enable-managed-identity
az.cmd aks show -g rg-todo-temp -n aks-todo-006 --query "identity"
Unfortunately, when I go to the key vault to add an access policy, the newly created principleId is not in the list of candidates when I click on "+add access policy" it gives me a list and the newly created principalId is not in the list... How do I proceed?
Consider Strategy #2: I do
az.cmd aks show -g rg-todo-temp -n aks-todo-006 --query "identity"
I see this in the candidate list of principals that I can add for the key-vault access policy! Hurray! However, how do I create a new AKS cluster with this command:
az aks update -g <RGName> -n <AKSName> --enable-managed-identity --assign-identity <UserAssignedIdentityResourceID>
What is this UserAssignedIdentityResourceID?
UserAssignedIdentityResourceID is general formatted ID of the user assigned managed identity e.g. "/subscriptions/<subscriptionid>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity"
https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview
Looks like the documentation at use-managed-identity is out of date because I'm getting errors from the command
az aks update -g $AZ_RESOURCE_GROUP_NAME -n $AZ_K8CLUSTER_NAME --enable-managed-identity --assign-identity $AZ_IDENTITY_TODO_USER_ASSIGNED_IDENTITY_RESOURCE_ID
UnrecognizedArgumentError: unrecognized arguments: --enable-managed-identity --assign-identity $AZ_IDENTITY_TODO_USER_ASSIGNED_IDENTITY_RESOURCE_ID
Try this: 'az aks update --attach-acr acrName --name MyManagedCluster --resource-group MyResourceGroup'
When I do az aks update --help there is no --assign-identity switch. How do I attach my AKS cluster to my managanged identity?
I just upgraded az cli v 2.14.2
I am getting a system assigned identity when I create the cluster but the principalId of the managed identity is not in the principal list when I use portal.azure.com to add an access policy to my key vault