Are the Azure Client Id, Tenant, and Key Vault URI considered secrets?

Problem description

I'm getting up to speed with Azure and trying to follow best practices for securing my WPF and Xamarin.Forms apps.

I'm using Azure AD for authentication and Key Vault for my secrets.

What about my Client Id and Tenant settings? These are required to make the initial connection to Azure to log in.

The endpoint URI is also required to make a call to the Key Vault.

Are the Client Id, Tenant, and Key Vault endpoint considered secrets, or am I overthinking this? I understand that without authenticating, no one can access or make use of these.

What about checking these into Source Control? Is this Ok?

Greatly appreciate your thoughts and insights.

Karl

Recommended answer

TenantId is hardly a secret. You can get the tenant metadata of any Azure AD tenant using the following URL:

https://login.microsoftonline.com/{tenantID/domain}/.well-known/openid-configuration

For example: https://login.microsoftonline.com/microsoft.onmicrosoft.com/.well-known/openid-configuration

ClientId also travels in HTTP URLs and thus is not that hard to find out. That's why the focus should be to effectively protect access to the app using either token validation or user assignment.

Managed identities for Azure resources is available to help avoid checking in any credentials in source control and is especially useful with KeyVault.
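An added example (not part of the original question or answer): a pre-commit style check over a settings file that lets the tenant ID, client ID and Key Vault URI through as identifiers and blocks only values that grant access on their own. The key names, the sample file and the function names are assumptions made for the illustration.

```python
import json
import re

# Constructed sample settings file (not from the original post); key names are assumed.
SAMPLE = """{
  "AzureAd": {
    "TenantId": "11111111-2222-3333-4444-555555555555",
    "ClientId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "ClientSecret": "constructed-placeholder-value"
  },
  "KeyVault": {"Uri": "https://example-vault.vault.azure.net/"},
  "Storage": {"ConnectionString": "AccountName=demo;AccountKey=constructed-placeholder"}
}"""

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
VAULT_URI = re.compile(r"^https://[a-z0-9-]{3,24}\.vault\.azure\.net/?$", re.I)
# Key-name fragments that indicate a credential (assumed naming convention).
CREDENTIAL_KEY = re.compile(r"secret|password|accountkey|connectionstring|certificate", re.I)
CREDENTIAL_VALUE = re.compile(r"(AccountKey|SharedAccessKey|Password)\s*=", re.I)

def classify(key, value):
    """Return 'credential', 'identifier' or 'unknown' for one setting."""
    if CREDENTIAL_KEY.search(key) or CREDENTIAL_VALUE.search(value):
        return "credential"
    if GUID.match(value) or VAULT_URI.match(value):
        return "identifier"  # tenant/client GUID or vault endpoint: useless without a token
    return "unknown"

def audit(node, path=""):
    """Walk parsed JSON and return {dotted.path: classification} for string leaves."""
    results = {}
    if isinstance(node, dict):
        for key, child in node.items():
            results.update(audit(child, f"{path}.{key}" if path else key))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            results.update(audit(child, f"{path}[{i}]"))
    elif isinstance(node, str):
        results[path] = classify(path.rsplit(".", 1)[-1], node)
    return results

def blocking_findings(text):
    """Paths that should stop a commit: credentials only, never plain identifiers."""
    return sorted(p for p, kind in audit(json.loads(text)).items() if kind == "credential")

if __name__ == "__main__":
    for path, kind in audit(json.loads(SAMPLE)).items():
        print(f"{kind:10} {path}")
```

Settings reported as `unknown` need a manual look; the check is deliberately conservative and matches on key names, so a key such as `SecretName` is flagged even when its value is only a reference.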
