Keyvault extensions
Microsoft.IdentityModel.KeyVaultExtensions contains classes that delegate cryptographic operations to Azure Key Vault. Instead of loading a certificate and its private key into your process, you let Key Vault perform the signing or verification, so the private key material never leaves the vault.
KeyVaultSecurityKey is a class that represents a cryptographic key stored in Azure Key Vault.
To use KeyVaultSecurityKey, you need to create an instance of it with a key identifier and an optional authentication callback. The callback is invoked whenever the extension needs an access token for Key Vault. For example:

```csharp
using Azure.Core;
using Azure.Identity;
using Microsoft.IdentityModel.KeyVaultExtensions;

// Create a KeyVaultSecurityKey from a key identifier (the URL of a key version in your vault)
string keyIdentifier = "https://mykeyvault.vault.azure.net/keys/mykey/01234567890123456789012345678901";
var key = new KeyVaultSecurityKey(keyIdentifier, async (authority, resource, scope) =>
{
    // Use your preferred authentication method to get an access token for Key Vault
    var credential = new DefaultAzureCredential();
    var token = await credential.GetTokenAsync(new TokenRequestContext(new[] { resource + "/.default" }));
    return token.Token;
});
```
You can use the KeyVaultSecurityKey as a SecurityKey for signing and verifying operations using the KeyVaultSignatureProvider class described below.
KeyVaultSignatureProvider is a class that provides signing and verifying operations using Azure Key Vault.
To use KeyVaultSignatureProvider, you need to create an instance of it with a SecurityKey, a signature algorithm, and a boolean indicating whether it will create signatures (true) or only verify them (false). For example:
```shell
dotnet add package Microsoft.IdentityModel.KeyVaultExtensions
dotnet add package Azure.Identity
```

```csharp
using Azure.Core;
using Azure.Identity;
using Microsoft.IdentityModel.KeyVaultExtensions;
using Microsoft.IdentityModel.Tokens;
using System;
using System.Text;

namespace KeyVaultExtensionE2E
{
    internal class Program
    {
        static void Main(string[] args)
        {
            // Create a KeyVaultSecurityKey from a key identifier
            string keyIdentifier = "https://mykeyvault.vault.azure.net/keys/mykey/01234567890123456789012345678901";
            var key = new KeyVaultSecurityKey(keyIdentifier, async (authority, resource, scope) =>
            {
                // Use your preferred authentication method to get an access token
                var credential = new DefaultAzureCredential();
                var token = await credential.GetTokenAsync(new TokenRequestContext(new[] { resource + "/.default" }));
                return token.Token;
            });

            // Create a KeyVaultSignatureProvider with the key, the algorithm, and the
            // willCreateSignatures flag (true: this provider will be used to sign)
            var provider = new KeyVaultSignatureProvider(key, SecurityAlgorithms.RsaSha256, true);

            // Sign some data using the provider; the signing happens inside Key Vault
            var data = Encoding.UTF8.GetBytes("Hello, world!");
            var signature = provider.Sign(data);

            // Verify the signature using the provider; returns false on mismatch rather than throwing
            var result = provider.Verify(data, signature);
            Console.WriteLine($"Signature valid: {result}");
        }
    }
}
```
You can use the Sign and Verify methods of the KeyVaultSignatureProvider class to produce and verify signatures over byte arrays using Azure Key Vault.
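In practice the low-level Sign and Verify calls are rarely used directly; the more common pattern is to hand the KeyVaultSecurityKey to the token handlers so that a JWT is signed and validated without the private key ever being present in the process. The following is an added example, not code from the wiki page or the library's own samples. It assumes the package's KeyVaultCryptoProvider (its ICryptoProvider implementation, described on the "Using a custom CryptoProvider" page) is used to route the key's crypto operations to Key Vault, and the key identifier, issuer and audience values are placeholders to replace with your own.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Azure.Core;
using Azure.Identity;
using Microsoft.IdentityModel.KeyVaultExtensions;
using Microsoft.IdentityModel.Tokens;

// Placeholder key identifier (assumption): the URL of a key version in your vault.
string keyIdentifier = "https://mykeyvault.vault.azure.net/keys/mykey/01234567890123456789012345678901";

var key = new KeyVaultSecurityKey(keyIdentifier, async (authority, resource, scope) =>
{
    // DefaultAzureCredential picks up managed identity, environment or developer credentials.
    var credential = new DefaultAzureCredential();
    var token = await credential.GetTokenAsync(new TokenRequestContext(new[] { resource + "/.default" }));
    return token.Token;
});

// Route this key's crypto operations to Key Vault instead of the default in-process
// providers (which would need the private key bytes). KeyVaultCryptoProvider hands out
// KeyVaultSignatureProvider instances for the signing algorithms Key Vault supports.
key.CryptoProviderFactory = new CryptoProviderFactory
{
    CustomCryptoProvider = new KeyVaultCryptoProvider()
};

var handler = new JwtSecurityTokenHandler();

// Issue a token: the handler calls KeyVaultSignatureProvider.Sign under the hood.
var descriptor = new SecurityTokenDescriptor
{
    Issuer = "https://issuer.example",          // placeholder (assumption)
    Audience = "api://my-api",                   // placeholder (assumption)
    Subject = new ClaimsIdentity(new[] { new Claim("sub", "user-1") }),
    Expires = DateTime.UtcNow.AddMinutes(10),
    SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.RsaSha256)
};
string jwt = handler.CreateEncodedJwt(descriptor);

// Validate it with the same key object: the signature check is also delegated to Key
// Vault, and issuer, audience and lifetime are enforced alongside the signature.
var validationParameters = new TokenValidationParameters
{
    ValidIssuer = "https://issuer.example",
    ValidAudience = "api://my-api",
    IssuerSigningKey = key,
    ValidateIssuerSigningKey = true,
    ValidateLifetime = true
};

try
{
    ClaimsPrincipal principal = handler.ValidateToken(jwt, validationParameters, out SecurityToken validated);
    Console.WriteLine($"Token valid, subject = {principal.FindFirst("sub")?.Value}");
}
catch (SecurityTokenException ex)
{
    // A tampered payload, wrong audience or expired token lands here; log and reject.
    Console.WriteLine($"Token rejected: {ex.Message}");
}
```

Two operational points follow from this design: the identity behind the authentication callback needs only the `sign` and `verify` key permissions on the vault (no `get` on the key material beyond what the extension reads to build the public key), and every signing operation is a network call to Key Vault, so plan for its latency and throttling limits when issuing tokens at high rates.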
Note: These classes remain low level. If you want to use Key Vault to decrypt JWE in a web API, use Microsoft.Identity.Web, which lets you specify the decryption certificates through configuration.