Azure-Samples / guidance-identity-management-for-multitenant-apps

How to manage user identities in a multitenant app on Microsoft Azure, using Azure Active Directory for authentication.


DPAPI - Will it work across .net core and .net 4.x

nigel-dewar opened this issue · comments

Hi There,

First as always, please let me say this sample is fantastic, and again, thank you for all the work on it.

I have a query re: DPAPI. In this sample you use DPAPI with Azure Key Vault (this is my understanding) to protect tokens stored in Redis Cache.

If I had an API which still uses ASP.NET 4.x, what would be the best way to access these tokens for use? The ASP.NET 4.x API needs to make outbound calls to Office 365 endpoints, hence the need for the token.

I figure there are 2 flows:

  1. Implement DPAPI on the ASP.NET 4.x API, so it can access the Redis cache and get at the tokens, and if the tokens expire, renew them from the ASP.NET 4.x API.
  2. Have the ASP.NET 4.x API make an HTTPS call to the .NET Core app (which does all the token storage and protection), and have the .NET Core app return the decrypted token for use.

I am at odds as to what to do.

I do not fully understand the mechanism of how DPAPI works on .NET Core, and whether it can also be used to encrypt and decrypt tokens in an ASP.NET 4.x project, therefore allowing both the .NET Core application and the .NET 4.x app to work seamlessly together sharing the Redis cache.

Or,

Should I just have the .NET Core app do all the token storage and protection and simply expose a secure API endpoint for my ASP.NET 4.x app to call, thereby receiving the encrypted token over the wire (albeit using HTTPS and of course using Azure network policies to restrict such a call so it is only possible between the .NET Core and the .NET 4.x app)?

I think the latter is easier, given my lack of knowledge of the DPAPI; however, I don't know if sending unencrypted tokens over the wire is a good idea. Something just tells me it's a dumb idea. Am I correct in my assumption? Or do you think this is OK?

The other question I have (yes, I have many) is: I know it's possible to continue silently re-creating fresh tokens for a user (by using their refresh token), hence avoiding their need to log in every time their token expires. Is this a good idea, however, security-wise?

Cheers, any help would be great.

Would also love to see more explanation, if possible, about using Azure Key Vault, specifically on the topic of using it to encrypt and decrypt blobs of data.

Cheers, really appreciate your work! Sorry if this question seems dumb. I'm still locked in place on ASP.NET 4.x with a specific piece of tech, hence this particular type of query.
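Flow 1 above (sharing one protected token store between the .NET Core app and the ASP.NET 4.x API) is possible because the "DPAPI" in the Core stack is the ASP.NET Core Data Protection API, and its NuGet packages also run on .NET Framework 4.6.1+ (the 2.x Microsoft.AspNetCore.DataProtection packages and Azure.Extensions.AspNetCore.DataProtection.Keys target netstandard2.0). The sketch below is an added example written for this page; it is not code from the Azure-Samples repo or from the issue author. The application name "surveys-shared", the purpose string "o365-tokens", the Redis key "DataProtection-Keys", and the connection string and Key Vault key URI passed in by the caller are all assumed placeholders. What it shows is the one thing that makes cross-app unprotect work: both apps must build the same key ring (same Redis key ring, same Key Vault wrapping key), the same application name, and the same purpose string, otherwise Unprotect fails with a CryptographicException.

```csharp
// Added example, not the sample's own code. Both the .NET Core web app and the
// ASP.NET 4.x API call SharedTokenProtector.Create(...) with the same inputs so
// that a token protected by one can be unprotected by the other.
// Packages assumed: Microsoft.AspNetCore.DataProtection (2.x for .NET Framework),
// Microsoft.AspNetCore.DataProtection.StackExchangeRedis,
// Azure.Extensions.AspNetCore.DataProtection.Keys, Azure.Identity.
using System;
using System.Security.Cryptography;
using Azure.Identity;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;
using StackExchange.Redis;

public static class SharedTokenProtector
{
    // Both applications must use the same application name and purpose string;
    // a mismatch on either makes Unprotect throw CryptographicException.
    private const string AppName = "surveys-shared";   // assumed placeholder
    private const string Purpose = "o365-tokens";      // assumed placeholder

    public static IDataProtector Create(string redisConnectionString, Uri keyVaultKeyId)
    {
        var redis = ConnectionMultiplexer.Connect(redisConnectionString);

        // A plain ServiceCollection works in an ASP.NET 4.x app that has no
        // Core host; in the .NET Core app the same calls go in ConfigureServices.
        var services = new ServiceCollection();
        services.AddDataProtection()
            .SetApplicationName(AppName)
            // The key ring is stored in Redis, so every instance of every app
            // shares it and key rotation is picked up by all of them.
            .PersistKeysToStackExchangeRedis(redis, "DataProtection-Keys")
            // Each key-ring entry is wrapped with a Key Vault key. Redis holds
            // only wrapped keys and ciphertext; who can unwrap is governed by
            // Key Vault access policy / RBAC on the identity used here.
            .ProtectKeysWithAzureKeyVault(keyVaultKeyId, new DefaultAzureCredential());

        var provider = services.BuildServiceProvider().GetDataProtectionProvider();
        return provider.CreateProtector(Purpose);
    }

    // Called by the .NET Core app when it receives the user's access token.
    public static string ProtectToken(IDataProtector protector, string accessToken)
        => protector.Protect(accessToken);

    // Called by the ASP.NET 4.x API when it needs to call Office 365. Returns
    // null instead of throwing when the blob was protected under a different
    // app name, purpose or key ring, so the caller can fall back to
    // re-acquiring a token rather than surfacing a crypto error.
    public static string TryUnprotectToken(IDataProtector protector, string protectedToken)
    {
        try
        {
            return protector.Unprotect(protectedToken);
        }
        catch (CryptographicException)
        {
            return null;
        }
    }
}
```

Two practical notes on this setup. First, protected payloads carry the key ID, so normal key rotation keeps working as long as old keys stay in the shared ring; only revoking a key invalidates tokens protected under it. Second, the purpose string is part of the key derivation, so a deliberately different purpose (for example one per tenant) is a cheap way to stop one code path from reading another's tokens even though they share the ring.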

Ah no worries, I figured out how to do things all good.