I have a web app hosted in Azure that uses external login providers that are configured at startup. The client IDs and secrets are read in from Azure Key Vault, which is set up to reload on a regular basis.

I want to be able to rotate the secrets in Key Vault and have the login providers pick up the new values without restarting the app.

Is there a way of getting the providers to use the new values without an app restart?

NOTE: I'm updating Key Vault values by adding a new version. Could this be why the old version is still being used after the Key Vault config is reloaded? (The new version is used if I restart the app.)

Using the ReloadInterval on the Key Vault setup, I'm able to successfully reload new values from Key Vault into my IConfiguration instance, and I've proven the web app can access the new values at runtime by querying IConfiguration. However, the implementations of the login providers are still using the old values (presumably because they're set up as singletons).

From digging around in the service collection at runtime I can see that the underlying type on the AuthenticationHandlers has an IOptionsMonitor instance but haven't worked out how/if that is something that can be configured to help out.

Code that pulls in config from Key Vault at startup:

// Key Vault is added as a configuration source; ReloadInterval makes the provider
// re-read the secrets periodically and refresh IConfiguration.
builder.Configuration.AddAzureKeyVault(
    new Uri($"https://{builder.Configuration["SiteSettings:KeyVaultName"]}.vault.azure.net/"),
    new DefaultAzureCredential(new DefaultAzureCredentialOptions
    {
        ManagedIdentityClientId = builder.Configuration["SiteSettings:DefaultManagedIdentityClientId"]
    }),
    new AzureKeyVaultConfigurationOptions()
    {
        ReloadInterval = TimeSpan.FromMinutes(1), // test value (usually 12 hours)
        Manager = new KeyVaultSecretManager()
    });

Code used to set up the providers at startup:

// The client ID/secret are read from IConfiguration inside the configure delegates.
services.AddAuthentication()
    .AddGoogle(options =>
    {
        options.ClientId = Configuration[AuthenticationSettings.GoogleClientIdKey];
        options.ClientSecret = Configuration[AuthenticationSettings.GoogleClientSecretKey];
    })
    .AddMicrosoftAccount(options =>
    {
        options.ClientId = Configuration[AuthenticationSettings.MicrosoftClientIdKey];
        options.ClientSecret = Configuration[AuthenticationSettings.MicrosoftClientSecretKey];
    });
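The following is an added example, not code from the question or from the ASP.NET Core team. It illustrates the mechanism the question touches on: the remote authentication handlers resolve their named options from IOptionsMonitor<TOptions> on each request, and IOptionsMonitor only rebuilds a cached options instance when an IOptionsChangeTokenSource<TOptions> for that name signals a change. The AddGoogle/AddMicrosoftAccount delegates alone register no such source, so the first instance is cached for the life of the process even though IConfiguration itself has reloaded. The example wires a ConfigurationChangeTokenSource<TOptions> (from Microsoft.Extensions.Options.ConfigurationExtensions) per scheme name to the configuration reload token, and adds an OnChange hook so a rotation shows up in the application log without the secret itself being logged. It assumes the Key Vault provider raises the IConfiguration reload token when its ReloadInterval refresh completes (which is what lets the question's IConfiguration queries see new values), and it reuses the configuration key names from the question; SiteSettings:* and AuthenticationSettings.* are the question's own identifiers, not ones verified here.

```csharp
// Program.cs (minimal hosting model). Added illustration, not the asker's project code.
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Microsoft.AspNetCore.Authentication.Google;
using Microsoft.AspNetCore.Authentication.MicrosoftAccount;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

// Same Key Vault source as in the question; the periodic reload refreshes
// IConfiguration and (assumption stated in the lead-in) fires its reload token.
builder.Configuration.AddAzureKeyVault(
    new Uri($"https://{builder.Configuration["SiteSettings:KeyVaultName"]}.vault.azure.net/"),
    new DefaultAzureCredential(new DefaultAzureCredentialOptions
    {
        ManagedIdentityClientId = builder.Configuration["SiteSettings:DefaultManagedIdentityClientId"]
    }),
    new AzureKeyVaultConfigurationOptions
    {
        ReloadInterval = TimeSpan.FromHours(12),
        Manager = new KeyVaultSecretManager()
    });

IConfiguration config = builder.Configuration;

// These delegates run every time IOptionsMonitor builds the named options instance,
// so reading IConfiguration here yields the latest reloaded values on a rebuild.
builder.Services.AddAuthentication()
    .AddGoogle(options =>
    {
        options.ClientId = config["Authentication:Google:ClientId"]!;       // placeholder key names
        options.ClientSecret = config["Authentication:Google:ClientSecret"]!;
    })
    .AddMicrosoftAccount(options =>
    {
        options.ClientId = config["Authentication:Microsoft:ClientId"]!;
        options.ClientSecret = config["Authentication:Microsoft:ClientSecret"]!;
    });

// The missing piece: tell IOptionsMonitor<TOptions> to drop its cached instance for
// the scheme name whenever the configuration reload token fires. Without this the
// handler keeps the ClientId/ClientSecret captured at first use.
builder.Services.AddSingleton<IOptionsChangeTokenSource<GoogleOptions>>(
    new ConfigurationChangeTokenSource<GoogleOptions>(GoogleDefaults.AuthenticationScheme, config));
builder.Services.AddSingleton<IOptionsChangeTokenSource<MicrosoftAccountOptions>>(
    new ConfigurationChangeTokenSource<MicrosoftAccountOptions>(MicrosoftAccountDefaults.AuthenticationScheme, config));

var app = builder.Build();

// Observability check: log each rebuild so a rotation can be confirmed from the
// application log. Only the public client ID is logged, never the secret.
app.Services.GetRequiredService<IOptionsMonitor<GoogleOptions>>()
    .OnChange((opts, name) => app.Logger.LogInformation(
        "Google options rebuilt for scheme {Scheme}; ClientId is now {ClientId}", name, opts.ClientId));
app.Services.GetRequiredService<IOptionsMonitor<MicrosoftAccountOptions>>()
    .OnChange((opts, name) => app.Logger.LogInformation(
        "Microsoft options rebuilt for scheme {Scheme}; ClientId is now {ClientId}", name, opts.ClientId));

app.UseAuthentication();
app.MapGet("/", () => "ok");
app.Run();
```

Two practical notes on the design. First, the rebuild happens only after the provider's next scheduled reload, so a rotation is not instantaneous; for a clean cutover, keep the previous client secret valid at the identity provider until one ReloadInterval has elapsed after the new Key Vault version was created, then retire it. Second, because the options instance is replaced wholesale, any PostConfigure work the framework does (for example creating the handler's backchannel HttpClient) runs again on each rebuild, which is expected and harmless at a 12-hour cadence but worth knowing if the interval is set very short for testing.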