I have an Azure Function that slices and processes a .CSV file uploaded to Azure Blob Storage, and stores the data extracted from it into a MS Dynamcis (DataVerse) system. That function works just fine.
Now, I would like to build a very simple GUI tool on Windows, to allow some computer novices to pick the CSV file they want to have processed, and upload it to Azure Blob Storage. It’s a small Winforms desktop app for now.
My challenge is: how to authenticate against Azure AD to be able to upload the file into Azure Blob storage?
I did try to use a client id (Azure app registration), a tenant id, and a client secret – and that works quite nicely.
BUT: how do I securely handle these bits of information, on a desktop computer?
- I could put the client id, client secret and tenant id into environment variables – but that would not be very safe, really
- I could put the client id, client secret and tenant id into an on-disk config file, like
appsettings.json– but that again would not be very safe
As a solution, I thought of putting these bits into Azure Keyvault, and get them from there, to use in my desktop app – yeah, sure – but how can I authorize against Azure Keyvault, then, to get these bits?
I have found a lot of code samples that tell me to use DefaultAzureCredentials to log in to Azure – which seems like a really good idea – with the caveat that it doesn’t work in my environment (and I have no idea, why not).
My PC is joined to the company’s network, and my user that I have to log in to Windows can access Azure (e.g. the portal and such) – but somehow, when I do this:
var azureDefaultCrendentials = new DefaultAzureCredential();
string uri = "https://*somevaluehere*.vault.azure.net";
SecretClient keyvaultClient = new SecretClient(new Uri(uri), azureDefaultCrendentials);
var clientId = keyvaultClient.GetSecret("ClientId");
The call keyvaultClient.GetSecret(...) fails with an error:
Azure.RequestFailedException
Caller is not authorized to perform action on resource.
which seems to indicate to me that the DefaultAzureCredential isn’t really picking up my logged in Windows / Active Directory user…
I then also found another snippet of code, which I also tried:
string[] scopes = new string[] { "user.read" };
var app = PublicClientApplicationBuilder.Create(myClientId)
.WithDefaultRedirectUri()
.Build();
var accounts = app.GetAccountsAsync().Result.ToList();
if (accounts != null && accounts.Any())
{
string accountNames = string.Join("; ", accounts.Select(a => a.Environment + ": " + a.Username));
lblUploaded.Text= accountNames;
}
AuthenticationResult result;
try
{
result = app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
.ExecuteAsync()
.Result;
}
catch (MsalUiRequiredException)
{
result = app.AcquireTokenInteractive(scopes).ExecuteAsync().Result;
}
But here, I get no results from the app.GetAccountsAsync() call, and the app.AcquireTokenSilent call fails with
System.AggregateException
One or more errors occurred. (No account or login hint was passed to the AcquireTokenSilent call. )
I wish I could pass an account – but I’m not getting any back ….
With all the flood of documentation and samples for Azure, it’s kinda hard to figure out which one is still valid and the way to go, and which others might be deprecated and just cluttering the interwebs….
Any ideas? Takers? Things I can try to do? I’d really love to get this Windows Forms app up and running….