Azure Certificate based Authentication from App Service to Access Key Vault

In this post I would like to demonstrate Certificate based Authentication from an App Service deployed in Azure, using it to access Azure Key Vault.

Control Flow

The following picture depicts the entire control flow.


Follow the steps for Certificate creation: LINK 1

  • Create Certificate
  • Export to .CER format
  • Export to .PFX format

The following are the App Service & App Registration activities: LINK 2

  • Create App Service
  • Associate the .PFX Certificate
  • Create App Registration
  • Associate the .CER Certificate

The following are the Key Vault activities: LINK 3

  • Create Key Vault
  • Create Secret
  • Provide necessary permissions to the App Registration

Create the Code LINK 4

  • Create Web API Project
  • Load the certificate
  • Access the Key Vault
  • Deploy the Application

Test the application


Note: This is a real-world scenario, hence the number of steps and the complexity are high.

Certificate vs Password

Certificate based Authentication is more secure than password based authentication because:

  • A certificate is difficult to copy, re-generate and install, hence more secure
    • Certificate based Authentication enforces that the token is only issued to the certificate holder
  • A password can be copied easily and replayed, hence less secure

Common Errors

  • Forbidden – add the necessary permission for the App Registration in the Key Vault
  • Not Found – the Key Vault secret name is most likely invalid
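The "Create the Code" steps above (load the certificate, access the Key Vault) and the two errors just listed, as an added example that is not the article's own code. It assumes a .NET Web API using the Azure.Identity and Azure.Security.KeyVault.Secrets NuGet packages, that the App Service setting WEBSITE_LOAD_CERTIFICATES is set to the thumbprint of the uploaded .PFX (which makes it available in the CurrentUser\My store), and that the tenant ID, client ID, thumbprint and vault URL are supplied from configuration.

```csharp
// Added example, not the article's code. Assumes Azure.Identity and Azure.Security.KeyVault.Secrets,
// and App Service setting WEBSITE_LOAD_CERTIFICATES=<thumbprint> so the .PFX is in CurrentUser\My.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public sealed class KeyVaultSecretReader
{
    private readonly SecretClient _client;
    // tenantId/clientId: from the App Registration; thumbprint: of the uploaded .PFX;
    // vaultUri: https://<vault-name>.vault.azure.net/ (placeholder, taken from configuration)
    public KeyVaultSecretReader(string tenantId, string clientId, string thumbprint, Uri vaultUri)
    {
        X509Certificate2 cert = LoadCertificate(thumbprint);
        // The private key never leaves the App Service: the credential signs a client assertion
        // with it, which Azure AD verifies against the .CER uploaded to the App Registration.
        var credential = new ClientCertificateCredential(tenantId, clientId, cert);
        _client = new SecretClient(vaultUri, credential);
    }
    // Find the certificate App Service loaded into the user store, by thumbprint.
    // validOnly: false is needed because a self-signed certificate fails chain validation.
    public static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException($"Certificate {thumbprint} not found; check WEBSITE_LOAD_CERTIFICATES.");
        if (!matches[0].HasPrivateKey)
            throw new InvalidOperationException("No private key: the .PFX (not the .CER) must be uploaded to the App Service.");
        return matches[0];
    }
    // Map the two common errors from the article to actionable messages.
    public async Task<string> GetSecretValueAsync(string secretName)
    {
        try
        {
            KeyVaultSecret secret = await _client.GetSecretAsync(secretName);
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        { throw new InvalidOperationException("Forbidden: grant the App Registration Get permission on secrets in the Key Vault.", ex); }
        catch (RequestFailedException ex) when (ex.Status == 404)
        { throw new InvalidOperationException($"Not Found: no secret named '{secretName}' exists in the vault.", ex); }
    }
}
```

Wire the reader into the Web API's dependency injection with the values from app settings and call GetSecretValueAsync from a controller to test the deployed application.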

Contact

For any information or consulting, please contact me through LinkedIn.

References

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-group-permissions-for-apps

Create App Service, App Registration & Associate Certificates

In this post we do the following:

  • Create App Service
  • Associate .PFX Certificate
  • Create App Registration
  • Associate .CER Certificate

Create App Service

Go to Azure > App Service > Create New App Service (at least a B1 plan is required to have TLS settings)


Associate .PFX Certificate

Go to App Service > TLS Settings blade > Private key certificates tab > upload the .PFX certificate


Note the Thumbprint of the certificate. You will need it in the upcoming steps of the article series.

Create App Registration

Go to Azure > Active Directory > App Registrations > Create New App Registration


Note the Client ID & Tenant ID. You will need them in the upcoming steps of the article series.

Associate .CER Certificate

Now go to the Certificates & secrets blade and upload the .CER certificate.


Congratulations!

You are now ready with your App Service & App Registration along with the Certificates.

Note

A few notes on certificates:

  • Issuer Information – owner information
  • Private Key – for encryption using one secret – faster
  • Public Key – for decryption using another secret – slower but more reliable
  • Thumbprint – for identification
  • Password – for installation

References

https://www.geeksforgeeks.org/difference-between-private-key-and-public-key

Article Series

This post is part of an Article Series:

Azure Certificate based Authentication from App Service to Access Key Vault