This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 82%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
I'm having issues with getting a default Blazor WebAssembly Core 6 project to connect to Azure Key Vault so that I can store application specific data, like API Tokens and Connection Strings, etc...
I don't want a user to have a certificate installed on their device, I want it so that the Certificate is installed on Azure Active Directory and Azure Key Vault since the Application needs the secrets and not the user.
I've done the following:
Azure Active Directory
Azure Key Vault
I'm deploying the test application to our development server, not hosting the application in Azure, and here is the code I am using.
I'm not sure what I am doing wrong but I've spent a lot of time looking and looking and cannot find a solution that
program.cs
using AzureKeyVaultTestCore6;
using Azure.Identity;
using Microsoft.AspNetCore.Components.Web;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
var builder = WebAssemblyHostBuilder.CreateDefault(args);
string _corsPolicyName = "AllowAll";
builder.Services.AddCors(options =>
{
options.AddPolicy(name: _corsPolicyName, builder =>
builder.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials()
);
});
builder.Configuration.AddAzureKeyVault(
new Uri($"https://{builder.Configuration["KeyVault:Vault"]}.vault.azure.net/"),
new ClientCertificateCredential(
builder.Configuration["KeyVault:TenantId"],
builder.Configuration["KeyVault:ClientId"],
builder.Configuration["KeyVault:ThumbPrint"]
)
);
builder.RootComponents.Add<App>("#app");
builder.RootComponents.Add<HeadOutlet>("head::after");
builder.Services.AddScoped(sp => new HttpClient { BaseAddress = new Uri(builder.HostEnvironment.BaseAddress) });
await builder.Build().RunAsync();
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
It makes no sense for a client browser app to access the key vault. Anyone can get the access keys from the browsers debug tools and access all key vault data. For this reason CORS is not supported.
The goal is to keep sensitive data secure with a Blazor Client Application, which from the information I have read Microsoft does support Azure Key Vault with Web Applications, either Azure Hosted or Non-Azure Hosted.
Its a blank new project and I deploy it to our development instance, go to the landing page and get a CORS preflight request, again just the default setup, see above. If I remove the Azure Key Vault configuration I can access the default application.
Microsoft's documentation is pushing a Managed Azure Application, though the video below shows what I would like to do, have the application access the key vault using a certificate and appropriate roles.
This is a video that explains how to do this, but its example project is Core 5, which has startup.cs, which I prefer over the default of Core 6 but don't know how to configure Core 5 to a Core 6 since everything is hidden in the compiler in core 6
https://www.youtube.com/watch?v=b21EQvfjvHc
The idea here is to allow the APPLICATION access to the Key Vault and not the User since its the application that needs the information for communications to other API's, vendor specific, etc...
If you say it's not supported, what options are there to secure sensitive information in a Blazor Client Application if not hosted in Azure?
You miss the point. A server based web application, hosted on premise or in the cloud can access the key vault securely.
A browser hosted application (blazor or JavaScript) can not security access the key store. Unlike a secure server app, a client app should only have access to information the user is allowed to see. You can use authentication to restrict what they are allowed to access.
I heard you and got what you are saying but from what I have read and seen you can access the Key Vault more securely than just leaving your API Token or Connection string in the appsetting.json file which the end users only need to type /appsettings.json to see in the browser!
Having a client application in our case is because we need the off-line capability which leaves us with this security issue of storing secret information like a vendors API Token, or connection string information.
I'm asking for suggestions on doing this as secure as possible and based on what I've seen it can be done.
I appreciate your responses though what do you propose be done to securely store and access this type of information?
on a server based app, you typically would not put secure values in appsetting.json because its typically checked into source control. storing the values in the key vault solves this. you then just need a way to safely configure the key value connection. this is usually done by:
1) hosting the app in azure and using Azure security
2) update the key vault connection string on deployment
3) use environment variables
4) use some security supplied the hosting service
in your case you are trying to secure a browser client app. the user has access to all network traffic, and source. you can obfuscate the settings, but not secure. you can hard code an encryption key in the app, but the user could find. this won't help with vendor api keys, as a browser network trace will display the key.
you should assume the client has access to settings, and only allow then to do operations and access data they are allowed to access. a proxy api written for this is typically used. then the actual setting are only known to the proxy api, and the proxy api can limit what the user is allowed to do. for instance limit a vendor api call to only the one required by the app, and only with the values the api would allow.