Sp-dev-docs: [Documentation] Update "Grant access using Azure AD app-only" page to use latest Azure .Net SDK

Created on 25 Nov 2020 · 8 Comments · Source: SharePoint/sp-dev-docs

Category

  • [ ] Question
  • [ ] Typo
  • [x] Additional article idea

Question

The code sample mentioned here is using the deprecated Microsoft.Azure.KeyVault library instead of the new Azure .NET SDK Azure.Security.KeyVault.Secrets library.

Updated code sample example

Below is an example of a code snippet that could be used in the documentation as an update.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

internal static class KeyVaultCertificates
{
    // Cached across calls: SecretClient is thread-safe and intended to be reused.
    private static SecretClient secretClient;

    internal static X509Certificate2 GetKeyVaultCertificate(string keyvaultName, string name)
    {
        // Some steps need to be taken to make this work
        // 1. Create a Key Vault and upload the certificate
        // 2. Give the Function App the permission to GET secrets via Access Policies in the Key Vault
        // 3. DefaultAzureCredential obtains the access token for https://vault.azure.net on our behalf;
        //    we only need the URL of our Key Vault when building the SecretClient
        // More info about certificate management in Azure Key Vault here: https://docs.microsoft.com/en-us/azure/key-vault/certificates/about-certificates
        if (secretClient == null)
        {
            // This credential gets the execution context based on managed identity (Azure Function or web application) in order to get a token,
            // and thus makes the call on behalf of that managed identity
            // more info here: https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/identity/Azure.Identity
            var azureCredential = new DefaultAzureCredential();
            secretClient = new SecretClient(new Uri("https://" + keyvaultName + ".vault.azure.net/"), azureCredential);
        }

        // Getting the certificate: Key Vault exposes the PFX as the base64-encoded value of the secret
        KeyVaultSecret secret = secretClient.GetSecret(name);

        // Returning the certificate (with its private key, since the secret holds the whole PFX)
        return new X509Certificate2(Convert.FromBase64String(secret.Value));
    }
}
```
Labels: Good First Issue, auth, docs, docs-comment, other, help wanted

All 8 comments

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

Care to submit a PR to the doc for review?

Sure! I'll submit a PR and will reference it here.

@michaelmaillot You don't have to reference it here... when you submit the PR, there's a section in the new PR template that asks if it's in reference to an issue. Just make sure you use the GH autolinking feature... it will auto-associate it and auto close the issue when we merge it. For instance, check out this recently merged PR #6495 and the issue it links to, to see how it worked.

During the writing of the article and the code sample, I realize that using a Function App as a demo is not good because of compatibility problems when wanting to use PnP-Sites-Core, SharePoint CSOM and Azure Identity in a v1.x runtime version (for example, regarding the Newtonsoft.Json versions), if we want to keep the GetAzureADAppOnlyAuthenticatedContext method.

So I wonder if I could replace the Azure Function example with an Azure API one?

@VesaJuvonen do you have an opinion on this? Seems like a big change to an existing doc, esp to ditch AzFunc => AzAPI when changes are coming. I just don't have enough hands-on with CSOM (PNP / SP) to offer input here.

The fact is that the actual sample code looks more like a Console App instead of a Function App (void Main(string[] args)). And actually, I couldn't make that documentation example work in the v1.x runtime (known issue here). On the other hand, we could keep the AzFunc as an example (in .NET Core instead of .NET Framework), using MSAL .NET for authentication instead of AuthenticationManager().GetAzureADAppOnlyAuthenticatedContext() or through PnP.Framework (but for now it's in preview).
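To tie the two suggestions together (the Azure.Security.KeyVault.Secrets snippet from the issue body and the MSAL .NET authentication proposed in the comment above), here is an added end-to-end example. It is not code from the issue author or from the sp-dev-docs sample: it loads the app-only certificate from Key Vault with the new SDK, checks that the secret really is a PFX before using it, acquires an app-only token for SharePoint Online with MSAL .NET, and attaches that token to a CSOM ClientContext. The tenant id, client id, tenant name, Key Vault name, secret name and site URL are placeholders, and the `MachineKeySet` flag is an assumption for Windows-hosted Function Apps, where the user profile key store is not available.

```csharp
// Added example: Key Vault (Azure.Security.KeyVault.Secrets) + MSAL .NET app-only token for SharePoint CSOM.
// Not from the sp-dev-docs sample; all identifiers below are placeholders.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Identity.Client;
using Microsoft.SharePoint.Client;

internal static class SharePointAppOnlyExample
{
    // Placeholders (assumed values, replace with your own configuration).
    private const string TenantId = "00000000-0000-0000-0000-000000000000";
    private const string ClientId = "11111111-1111-1111-1111-111111111111";
    private const string TenantName = "contoso";                // <tenant>.sharepoint.com
    private const string KeyVaultName = "contoso-kv";
    private const string CertificateSecretName = "spo-app-only-cert";
    private const string SiteUrl = "https://contoso.sharepoint.com/sites/demo";

    // One SecretClient per process; it is thread-safe and authenticates with the managed identity
    // of the Function App / web app (or a developer login when running locally).
    private static readonly SecretClient SecretClient =
        new SecretClient(new Uri($"https://{KeyVaultName}.vault.azure.net/"), new DefaultAzureCredential());

    // Fetch the certificate (with private key) that Key Vault stores as the base64 PFX value of the secret.
    internal static async Task<X509Certificate2> GetCertificateAsync(string secretName)
    {
        KeyVaultSecret secret = await SecretClient.GetSecretAsync(secretName);

        // Defensive check: a certificate imported into Key Vault is exposed as a secret with this content type.
        // A plain text secret would otherwise fail later with a confusing cryptographic exception.
        if (!string.Equals(secret.Properties.ContentType, "application/x-pkcs12", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                $"Secret '{secretName}' is not a PKCS#12 certificate (content type '{secret.Properties.ContentType}').");
        }

        // Never log secret.Value: it contains the private key.
        // MachineKeySet is assumed to be needed on Windows-hosted Function Apps (no user profile key store).
        return new X509Certificate2(
            Convert.FromBase64String(secret.Value),
            (string)null,
            X509KeyStorageFlags.MachineKeySet);
    }

    // Acquire an app-only (client credentials) token for SharePoint Online using the certificate as the client credential.
    internal static async Task<string> GetSharePointAppOnlyTokenAsync(X509Certificate2 certificate)
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithCertificate(certificate)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

        // ".default" asks for the application permissions granted to the app registration (e.g. Sites.Selected).
        string[] scopes = { $"https://{TenantName}.sharepoint.com/.default" };
        AuthenticationResult result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
        return result.AccessToken;
    }

    // Build a CSOM ClientContext that sends the bearer token on every request.
    internal static ClientContext CreateClientContext(string siteUrl, string accessToken)
    {
        var context = new ClientContext(siteUrl);
        context.ExecutingWebRequest += (sender, e) =>
        {
            e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + accessToken;
        };
        return context;
    }

    // Usage: read the site title with the app-only identity.
    internal static async Task<string> GetSiteTitleAsync()
    {
        X509Certificate2 certificate = await GetCertificateAsync(CertificateSecretName);
        string token = await GetSharePointAppOnlyTokenAsync(certificate);

        using (ClientContext context = CreateClientContext(SiteUrl, token))
        {
            Web web = context.Web;
            context.Load(web, w => w.Title);
            await context.ExecuteQueryAsync();
            return web.Title;
        }
    }
}
```

The token is requested per call here for clarity; MSAL caches client-credential tokens inside the `IConfidentialClientApplication` instance, so in a real Function App the application object should be kept in a static field and reused, the same way the `SecretClient` is.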

Bumping that article update suggestion

As the PnP Framework is officially available in v1.0.0, I suggest correcting the existing sample (which looks like a Console App) to look like a Function App working in .NET Core.

Globally, I could update the whole page to use the PnP Framework library instead of PnP Sites Core and new PnP PowerShell instead of old one (references here, here and here).

What do you think?
