
I want to use Azure Key Vault in a WinForms application. I managed to add the app to Azure Active Directory and to create a secret in Key Vault with PowerShell. The app is authenticated to use the secret. Unfortunately I'm not able to use the secret in my WinForms app. I get the exception:

    sts_token_request_failed: Token request to security token service failed. Check InnerException for more details.

    InnerException: AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.

config:

<appSettings>    
 <add key="ClientId" value="<appId>" />
 <add key="ClientSecret" value="<nameofsecret>" />   
 <add key="SecretUri" value="https://<vaultname>.vault.azure.net/secrets/<nameofsecret>" />
</appSettings>

My code is:

using System;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static async Task<string> GetSecretAsync()
{
    // The callback receives the authority and resource that Key Vault announces
    // in its 401 challenge, so neither has to be configured by hand.
    var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken));

    // Await the call; blocking on .Result from the WinForms UI thread can deadlock.
    var sec = await kv.GetSecretAsync(ConfigurationManager.AppSettings["SecretUri"]);
    return sec.Value;
}

public static async Task<string> GetToken(string authority, string resource, string scope)
{
    var authContext = new AuthenticationContext(authority, true);

    // ClientSecret is the key generated for the app registration in Azure AD,
    // not the name (or the value) of the secret stored in Key Vault.
    var clientCred = new ClientCredential(ConfigurationManager.AppSettings["ClientId"],
                                          ConfigurationManager.AppSettings["ClientSecret"]);

    // Do not catch and swallow exceptions here: returning String.Empty hides the
    // AADSTS error that says what is wrong with the credentials.
    AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);

    if (result == null)
        throw new InvalidOperationException("Failed to obtain the JWT token");

    return result.AccessToken;
}

Do I have to change anything in the manifest or in the app.config? What is the secretName? Is it the name of the secret created in PowerShell? In a native client application I have no "Configure" tab in Active Directory to add a key. Might this be the problem?


1 Answer


You're confusing the client secret for your application registered in Azure AD with the secret stored in Key Vault.

In order to access the key vault, your application must first obtain an access token, which is what should happen in your GetToken method. There are multiple ways of authenticating to AAD to obtain a token, but the most common is to configure a key for your application and pass that as the client secret.


So the value of your ClientSecret app setting would be this key, not the name of the secret in key vault.

Once you've obtained the token, you can then use it to read the secret that's stored in the key vault.


So that's the technical answer to your question. There's a whole other conversation about how to manage secrets for native apps. With the Key Vault approach, you still have to have a key accessible to your application for it to access Key Vault, so you're kind of back where you started: how do you secure that key?
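The two-step flow the answer describes, traced end to end as an added example (not code from the question or the answer, and written in Python rather than C# so it runs offline with no Azure account). A fake Azure AD token endpoint and a fake Key Vault stand in for the real services; the tenant, application id, application key, vault name, secret name and the Key Vault `api-version` are all constructed for the illustration. It shows why the question's configuration fails: the value in `ClientSecret` is sent only to Azure AD, which checks it against the key on the app registration, while the Key Vault secret is what comes back from the vault once a token has been obtained. It also shows where the `authority` and `resource` arguments of the `AuthenticationCallback` come from: Key Vault's `WWW-Authenticate` challenge on the first, unauthenticated request.

```python
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed identifiers for the walk-through; none of these are real.
TENANT = "contoso.onmicrosoft.com"
APP_ID = "11111111-2222-3333-4444-555555555555"     # ClientId: the Azure AD application id
APP_KEY = "key-generated-on-the-app-registration"   # ClientSecret: the Azure AD app key
VAULT_HOST = "myvault.vault.azure.net"
KV_RESOURCE = "https://vault.azure.net"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}"
SECRET_URI = f"https://{VAULT_HOST}/secrets/DbPassword"
KV_API_VERSION = "2016-10-01"                        # assumed Key Vault REST api-version
VAULT_CONTENTS = {"DbPassword": "P@ssw0rd-stored-in-the-vault"}  # constructed vault state


class FakeEndpoints:
    """Stands in for Azure AD and Key Vault so the exchange runs offline.
    Response shapes follow the real services but the content is constructed."""

    def __init__(self):
        self.issued = {}   # access token -> resource it was issued for
        self.log = []      # (method, url) of every request, for inspection

    def request(self, method, url, headers=None, body=None):
        headers = headers or {}
        self.log.append((method, url))
        u = urlparse(url)

        # Azure AD v1 token endpoint: validates the *application* credential.
        if u.netloc == "login.microsoftonline.com" and u.path.endswith("/oauth2/token"):
            form = {k: v[0] for k, v in parse_qs(body or "").items()}
            if form.get("grant_type") != "client_credentials":
                return 400, {}, {"error": "unsupported_grant_type"}
            if form.get("client_id") != APP_ID or form.get("client_secret") != APP_KEY:
                return 401, {}, {"error": "invalid_client",
                                 "error_description": "AADSTS50012: Invalid client secret is provided."}
            token = secrets.token_urlsafe(24)
            self.issued[token] = form.get("resource")
            return 200, {}, {"token_type": "Bearer", "access_token": token,
                             "resource": form.get("resource")}

        # Key Vault data plane: only checks for a bearer token issued for its resource.
        if u.netloc == VAULT_HOST and u.path.startswith("/secrets/"):
            auth = headers.get("Authorization", "")
            token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
            if self.issued.get(token) != KV_RESOURCE:
                # An unauthenticated call gets a challenge naming authority and resource;
                # the .NET KeyVaultClient feeds these to the AuthenticationCallback.
                challenge = f'Bearer authorization="{AUTHORITY}", resource="{KV_RESOURCE}"'
                return 401, {"WWW-Authenticate": challenge}, {}
            name = u.path.split("/")[2]
            if name not in VAULT_CONTENTS:
                return 404, {}, {"error": {"code": "SecretNotFound"}}
            return 200, {}, {"id": f"https://{VAULT_HOST}/secrets/{name}/0123456789abcdef",
                             "value": VAULT_CONTENTS[name]}

        return 404, {}, {}


def parse_challenge(www_authenticate):
    """Extract authority and resource from a Bearer challenge header."""
    params = dict(re.findall(r'(\w+)="([^"]*)"', www_authenticate))
    return params["authorization"], params["resource"]


def get_token(ep, authority, resource, client_id, client_secret):
    """Client-credentials grant, i.e. what ADAL does inside GetToken() in the question."""
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "resource": resource})
    status, _, payload = ep.request("POST", f"{authority}/oauth2/token",
                                    {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise PermissionError(payload.get("error_description", payload.get("error")))
    return payload["access_token"]


def get_secret(ep, secret_uri, client_id, client_secret):
    """Challenge, authenticate, retry: the sequence KeyVaultClient.GetSecretAsync runs."""
    url = f"{secret_uri}?api-version={KV_API_VERSION}"
    status, hdrs, _ = ep.request("GET", url)
    if status != 401 or "WWW-Authenticate" not in hdrs:
        raise RuntimeError(f"expected a bearer challenge, got HTTP {status}")
    authority, resource = parse_challenge(hdrs["WWW-Authenticate"])
    token = get_token(ep, authority, resource, client_id, client_secret)
    status, _, payload = ep.request("GET", url, {"Authorization": f"Bearer {token}"})
    if status != 200:
        raise RuntimeError(f"secret read failed with HTTP {status}: {payload}")
    return payload["value"]


def compare_configs():
    """Run the flow with the question's misconfiguration and with the corrected setting."""
    results = {}
    try:  # Misconfiguration: the Key Vault secret *name* placed in ClientSecret.
        get_secret(FakeEndpoints(), SECRET_URI, APP_ID, "DbPassword")
        results["secret_name_as_client_secret"] = "unexpectedly succeeded"
    except PermissionError as e:
        results["secret_name_as_client_secret"] = str(e)
    # Fix: the Azure AD application key in ClientSecret; the vault secret comes back.
    results["app_key_as_client_secret"] = get_secret(FakeEndpoints(), SECRET_URI, APP_ID, APP_KEY)
    return results


if __name__ == "__main__":
    for setting, outcome in compare_configs().items():
        print(f"{setting}: {outcome}")
```

Running it prints the AADSTS50012 rejection for the misconfigured case and the vault secret's value for the corrected one. Note that the application key is sent only to `login.microsoftonline.com`, never to the vault, and that the vault secret never passes through Azure AD; the two secrets live in different systems and the `ClientSecret` setting must hold the former.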