so last night I updated an AAD client secret and it's value in the keyvault.
Now all the logic apps that were up and still running steps prior to the secret update appear to be holding the value of the old App secret and are returning: "BadRequest. Http request failed as there is an error getting AD OAuth token: 'AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID" in the steps where its trying to access the application that has the new secret.
To mitigate this I killed all the logic app runs and recreated new runs with the currently updated secret which are now working fine, but I was wondering if Microsoft had any sort of automated functionality one could build in to get the latest secret from the keyvault for instances like this where you change the value and you have running logic apps that are still using the old key vault values?
Or if there was any potential way I could configure the logic app to try to get the latest key vault value if it sees the bad request?
Update 12/12/2022:
Here's a shot of the logic app in question: Logic app
If you are trying to read the value inside the logic apps, to achieve your requirement you can use action from Key vault Connector called Get secret before HTTP action of yours. Below is the flow of my Logic app.
RESULTS:
Before Updating the Value
After Updating the Value
If you are using key vault secrets value for Api connection, then the best way to achieve your requirement is to redeploy the logic app with updated values, As suggested by #Mocas.
Related
Currently, I'm trying to access Graph API from within a (Standard) Logic App to search for Sharepoint documents. To do so, I try using the following flow (I need delegated permissions, application permissions cannot use search endpoint):
https://techcommunity.microsoft.com/t5/integrations-on-azure-blog/calling-graph-api-from-azure-logic-apps-using-delegated/ba-p/1997666
As one can see in the blog post above, there is a step where the following string gets passed into the body of the first request to get an access token for a delegated user:
grant_type=password&resource=https://graph.microsoft.com&client_id=client_id&username=serviceaccountusername&password=serviceaccountpassword&client_secret=clientsecret
Now the client secret and service account password are two things which I absolutely don't want to have visible in the Logic App code and/or designer screen. Is there a way to securely read these from for instance the 'app settings' (in which I could reference them from a KeyVault)? I really can't find a good way on how to achieve this and I think it's a must to not be able to read these secrets/passwords from the Designer/code view.
Definitely use a KeyVault and make sure that for all steps involved, secure the inputs/outputs where ever that secret information may be visible.
The below example is the call to get the secret and therefore, I only want the outputs to be secured.
Result
With your HTTP call, it's likely that you'll only want the inputs to be secured.
Be sure to use a managed identity on your LogicApp and then assign that managed identity to the KeyVault Secrets User role on the KV itself.
There's plenty of documentation on this topic ...
https://learn.microsoft.com/en-us/azure/logic-apps/create-managed-service-identity?tabs=consumption
just a bit confused as i found both solutions after a day of research.
some suggest to use "pip install dj-stripe" and add keys and other options in "settings.py". Then the script in frontend to get redirect button
and some suggest the use of "npm install --save #stripe/react-stripe-js #stripe/stripe-js", and add keys in "app.js" or a designated js file.
i would like to know if it differs (security ,efficiency,.. wise), or is there a concrete way of doing it (best practice way) and how,
thank you.
Both, depending on which key your referring to.
Publishable API keys are meant solely to identify your account with
Stripe, they aren’t secret. In other words, you can safely publish
them in places like your Stripe.js JavaScript code, or in an Android
or iPhone app.
Secret You must keep your secret API keys confidential
and only store them on your own servers. You must not share your
secret API key with any third parties. Your account’s secret API key
can perform any API request to Stripe without restriction. If Stripe
believes that your secret API key has been compromised, we may cancel
and reissue it, potentially resulting in an interruption to your
Stripe services.
I've a scenario for a Third Party Client App (Mobile App - With Client Secret) to connect to the Identity Server for getting access to a Resource Server. During the user login the Client App display multiple store location for the user to sign in.
The Client App is designed to have a unique secret for each store location and one Client_ID.
When a store is selected by the end user for login - the ID Server gets a request from the client app with the Client_ID and the specific secret matching to the store location.
The Question I've over here is, how to make the Identity Server (3 or 4) to perform the User Login based on the Store Location.
I'm thinking of intercepting the Client_Secret to use it during the User Login to map to the correct store id by having a lookup table in place.
Is this a good approach to get this scenario worked out, or can someone shed some light with any possible suggestions to make this scenario work with the Identity Server.
The Expected flow:
Client App Displays the Store Location's in the Login Screen
User Selects the specific store location
User is directed to the Identity Server Authorization Endpoint and Client Validation is taken place.
Authorization Server Displays - User Login Screen
The Authorization Server authenticates the end User based on the store location. (Need to figure out a way to achieve this)
If you intend the login flow to be completed within mobile app itself and not within browser client, then you will need to use resource owner credentials grant type, in which case, it doesn't really matter if you have one or many secrets per store as it authenticates a single client based on your scenario.
On the other hand, if you intend the login flow to be completed within browser client, then it also doesn't matter if you have many secrets or one because in that case I assume the store selection would be done within the login screen like you mentioned which would part of the auth server.
All in all, nowhere in your flow the store location seem to matter unless there is some kind linkage between user credentials and store id. If that is the case, then this is essentially a multitenancy question for Identity Server 4 for which there are discussions already open with suggestions.
https://github.com/IdentityServer/IdentityServer4/issues/2673
How should you secure a multi-tenant API with Identity Server?
I have the following code in my angular app declaration - an API key for Facebook (to implement Share button):
.run(function($FB){
$FB.init('9xxxxxxxxxxxx94');
})
So i know the general answer to this - 'API keys should be kept on the server side', however I don't see how i actually implement this.
The share call-method is made on the front end, so even if my server kept the API key and sent it, surely it's still visible on the front end, else how would the share button work?
So my question, how do I hide that Facebook API Key?
Thanks.
Requesting the key
The first thing that happens is that the client will request a key. This will only happen on certain pages like the sign up and log in pages. The idea here is that we want to make sure that only users browsing with a known client (in this case the official website or core client as it’s called) are allowed to take actions like creating or authenticating a user.
So when the client app requests the login page the server generates a unique token based on information sent in the request. The information used is always something the server knows, something the client knows, and something both know. So for example the server can generate a unique key based on User agent + current time + secret key. The server generates a hash based on this information and then stores a cookie containing only the hash on the client machine.
Setting permissions
At this point our key really isn’t a key anymore. It has been transformed into an access token. The server should then take this access token and store it for later retrieval. You can put the key in a database but since data of this type needs to be retrieved often I would suggest using a key-value store like Redis to cut down on database reads/writes and boost performance.
When you store the token you should also store a separate piece of data to indicate what permissions are associated with the token. In this case our token is acting only as a way to register and authenticate users so we store it next to a value that indicates who the token belongs to (the app’s web UI) and what permissions it has (limited to create and authenticate users). We treat it just like we would any other API client that way we can capture stats and control how it is used.
Authorizing a request
When the client then makes the POST request to create a new user or log in the server will check to see if the client sent an identifying cookie along with the request. If not, we reject the request. If it does send the cookie, the server should once again generate the hash using the values used previously (these values are either already known or sent with the request anyway so we’re not really taxing the server much) compare it to the cookie being sent to us, and if the values match allow the request to proceed.
Sources - Securing API Keys
OR
Simply send a request to your Server and let him handle your request with the hidden API-key and just return the result of your request to your front-end.
I'm looking at using the Angular Azure Mobile Service Client for a project, I saw this sample code:
angular.module('your-module-name').constant('AzureMobileServiceClient', {
API_URL : 'https://<your-api-url>.azure-mobile.net/',
API_KEY : '<your-api-key>',
});
Is it safe to use the API Key in an AngularJS app like this (or any JavaScript based client)? I'm unsure what someone could potentially do if they had this key?
Found this in the Azure Mobile Services documentation:
With default permissions, anyone with the app key may call the custom
API. However, the application key is not considered a secure
credential because it may not be distributed or stored securely.
Consider restricting access to only authenticated users for additional
security.
It is'Safe' depending on what you are trying to do. Javascript and any keys in it can be read by everyone. This is key is not meant to be used as a password to access important information. Instead it is made to prevent malevolent abuse of your application.
For example if someone is trying to log in 1,000 times per second with every possible password/username combination, they are submitting this key with each request. So you could throttle, or block anyone using this key. Then you would issue a new key to your apps. If you have a system for issuing those keys you might even identify the person that was doing it.
It can stop DDOS, Bruteforce, and some other abuses