Are the Azure Client Id, Tenant, and Key Vault URI considered secrets?

人盡茶涼 提交于 2020-01-23 07:54:08

问题


I'm getting up to speed with Azure and trying to follow best practices for securing my WPF and Xamarin.Forms apps.

I'm using Azure AD for authentication and Key Vault for my secrets.

What about my Client Id and Tenant settings? These are required to make the initial connection to Azure to log in.

The endpoint URI is also required to make a call to the Key Vault.

Are the Client Id, Tenant, Key Vault endpoint considered secrets or am I over thinking this. I understand without authenticating, no one can access or make use of these.

What about checking these into Source Control? Is this Ok?

Greatly appreciate your thoughts and insights.

Karl


回答1:


TenantId is hardly a secret. You can get the tenant metadata of any Azure AD tenant using the following Url

https://login.microsoftonline.com/{tenantID/domain}/.well-known/openid-configuration

For example https://login.microsoftonline.com/microsoft.onmicrosoft.com/.well-known/openid-configuration

ClientId also travels in http Urls and thus is not that hard to find out. That's why the focus should be to effectively protect access to the app using either token validation or user assignment.

Managed identities for Azure resources is available to help avoid checking in any credentials in source control and is specially useful with KeyVault.



来源:https://stackoverflow.com/questions/56016004/are-the-azure-client-id-tenant-and-key-vault-uri-considered-secrets

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!