Client secrets from KeyVault
Jean-Marc Prieur edited this page Aug 6, 2025 · 1 revision
Microsoft does not encourage the use of client secrets. It's better to use FIC+MSI (a federated identity credential backed by a managed identity) or client certificates. Microsoft Identity Web does not yet support reading client secrets from KeyVault.
If you really want to use client secrets and store them in KeyVault, you can use the following workaround:
- In your configuration, for the CredentialDescription, use SourceType=ClientSecret and set both KeyVaultUrl (to the URL of your KeyVault) and ClientSecret (to the name of the secret in KeyVault).
- In your initialization code, use the following:
```csharp
using System;
using System.Linq;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Abstractions;

services.Configure<MicrosoftIdentityApplicationOptions>(options =>
{
    // Get the first credential description
    var credentials = options.ClientCredentials!.First();

    // If it's a secret, get it from KeyVault (until IdWeb supports KeyVault secrets directly)
    if (credentials.SourceType == CredentialSource.ClientSecret
        && !string.IsNullOrEmpty(credentials.KeyVaultUrl))
    {
        // KeyVaultUrl holds the vault URL; ClientSecret holds the *name* of the secret at this point
        var keyVault = new SecretClient(new Uri(credentials.KeyVaultUrl), new DefaultAzureCredential());
        KeyVaultSecret secret = keyVault.GetSecret(credentials.ClientSecret).Value;

        // Replace the secret name with the secret value and clear KeyVaultUrl so IdWeb
        // treats this as a plain client secret
        credentials.ClientSecret = secret.Value;
        credentials.KeyVaultUrl = string.Empty;
    }
});
```
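The configuration for the first step, as an added example that is not from the wiki page: a CredentialDescription under the "AzureAd" section with SourceType=ClientSecret, the vault URL in KeyVaultUrl and the secret's name in ClientSecret. The tenant id, client id, vault name and secret name are placeholders to replace with your own.

```json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "<tenant-id-placeholder>",
    "ClientId": "<client-id-placeholder>",
    "ClientCredentials": [
      {
        "SourceType": "ClientSecret",
        "KeyVaultUrl": "https://<your-keyvault-name>.vault.azure.net/",
        "ClientSecret": "<name-of-the-secret-in-keyvault>"
      }
    ]
  }
}
```

The initialization code above reads this entry, swaps the secret name for the secret value fetched from KeyVault, and blanks KeyVaultUrl before Microsoft Identity Web uses the credential.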