如何在不使用App Service的应用程序设置的情况下保护Azure客户端ID和密钥的安全 [英] How to secure Azure client Id and Secret without using App Settings of App Service

问题描述

我正在使用Azure KeyVault存储我的数据库凭据，现在要访问它，我已经在服务代码中对客户端ID和客户端密码进行了硬编码.我该如何避免这种硬编码不安全?

I am using Azure KeyVault to store my database credentials, Now to access it I have hardcoded client id and client secret in service code. How can I avoid this hard coding as its insecure?

1) I don't want to store client id and client secret in certificates, as 
deployed certificates are again insecure
2) My app is not hosted on Azure App service, so I can't use App Settings to 
store client id and client secret.

是否只有在以下情况下才能使Azure Active Directory返回访问令牌:请求是从我的应用网址发出的?别的如何保护客户端ID和客户端机密免受黑客攻击

Is there a way to make Azure Active Directory return access token only if a request is made from my app URL? else How can I protect client id and client secret from hackers

推荐答案

如果在Azure App Service或Azure VM上部署服务，则可以启用托管服务身份(MSI)并将Azure App服务的服务主体添加到Azure Key保险柜.MSI允许在关联的Azure服务本身上生成服务主体.这意味着您不再需要存储客户ID和客户机密.Azure AD直接与您的Azure App Service一起使用.

If you deploy your service on Azure App Service or Azure VM, you can enable Managed Service Identity (MSI) and add the Azure App service’s service principal to Azure Key Vault. MSI allows to generate service principal on associated Azure service itself. It means you don’t need to store client Id and client secret anymore. Azure AD works directly with your Azure App Service.

以下是Azure MSI的介绍https://docs.microsoft.com/zh-CN/azure/active-directory/managed-service-identity/overview

Here is the introduction of Azure MSI https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview

不的另一种使用客户端ID和客户端机密的方法是通过证书获取访问令牌.只需将证书上载到Azure Web App证书存储中并调用该证书以获取指纹，即可完成此操作.您可以参考本文https://docs.microsoft.com/zh-CN/azure/key-vault/key-vault-use-from-web-application

Another approach of NOT using client ID and client secret is to get access token via certificate. It can be done simply by uploading your certificate into Azure Web App certificate store and call to the certificate to get thumbprint. You can refer to this article https://docs.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application

这篇关于如何在不使用App Service的应用程序设置的情况下保护Azure客户端ID和密钥的安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！