Aspnetcore.docs: SecretManager

Created on 2 Jul 2018 · 5 Comments · Source: dotnet/AspNetCore.Docs

First, very informative article. Thank you for taking the time to write this and provide the information here.

I am learning ASP.NET Core from the outset here, and it's unclear in regards to the Secret Manager if this should be used in development or in deployment/production as well. The referenced article clearly says this, but the wording used here makes it sound as if this can be used outside of this. To me, at least. Is this the case? Or is it assumed that the Key Vault should be used instead? In either case, getting clarification on this would be very helpful.

Thank you for any consideration!



All 5 comments

@Mike-EEE The Secret Manager tool should ONLY be used in development. Azure Key Vault is the recommended solution for a production environment. I'll update this doc to make it clearer. Thank you for pointing this out.

Cool @scottaddie thank you for the information and the effort!

This has come up several times in relation to the Secret Manager topic. For example recently: https://github.com/aspnet/Docs/issues/7394

When I read these, I can't tell if devs are asking about "secret" secrets (encrypted) or just "sensitive data" secrets for staging/production servers. If the server environment is secure, our other recommendation has been env vars, settings files, and command-line args.

Curious in your case @Mike-EEE, do you need encryption of the data, or do you just have sensitive data that you could leave on the server because your server environment is access restricted?

Ah good question @guardrex. In this case, I am using this tidbit from the article/section that I was reading/referenced when I submitted this issue:

These values are effectively the user name and password your application uses to access their API

So it would seem to be sensitive/encrypted? That's my guess/take on it, at least. 😄 I am certainly open to further recommendations, however.

Thanks ... just curious. I'm not a security expert, so I can't comment beyond what we officially document.
