コード例 #1
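        /// <summary>
        /// Creates a service bound to the given Key Vault configuration.
        /// </summary>
        /// <param name="azureKeyVaultConfiguration">
        /// Key Vault settings; must carry a non-empty <c>AzureKeyVaultEndpoint</c>.
        /// </param>
        /// <exception cref="ArgumentNullException">
        /// Thrown when <paramref name="azureKeyVaultConfiguration"/> is null.
        /// </exception>
        /// <exception cref="ArgumentException">
        /// Thrown when the configured <c>AzureKeyVaultEndpoint</c> is null or empty.
        /// </exception>
        public AzureKeyVaultService(AzureKeyVaultConfiguration azureKeyVaultConfiguration)
        {
            // ArgumentNullException derives from ArgumentException, so callers that catch the
            // original type keep working; nameof keeps the reported parameter refactor-safe.
            if (azureKeyVaultConfiguration is null)
            {
                throw new ArgumentNullException(nameof(azureKeyVaultConfiguration), "missing azureKeyVaultConfiguration");
            }

            // Fail fast here: without an endpoint every later vault call would fail with a
            // far less descriptive error.
            if (string.IsNullOrEmpty(azureKeyVaultConfiguration.AzureKeyVaultEndpoint))
            {
                throw new ArgumentException("missing keyVaultEndpoint", nameof(azureKeyVaultConfiguration));
            }

            _azureKeyVaultConfiguration = azureKeyVaultConfiguration;
        }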
コード例 #2
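        /// <summary>
        /// Loads the active and secondary certificates from Azure Key Vault.
        /// </summary>
        /// <param name="certificateConfiguration">
        /// Key Vault settings; when <c>AzureKeyVaultEndpoint</c> is null or empty no vault call is made.
        /// </param>
        /// <returns>
        /// The certificate pair returned by the vault, or <c>(null, null)</c> when no endpoint is configured.
        /// </returns>
        /// <exception cref="ArgumentNullException">
        /// Thrown when <paramref name="certificateConfiguration"/> is null.
        /// </exception>
        public static async Task<(X509Certificate2 ActiveCertificate, X509Certificate2 SecondaryCertificate)> GetCertificates(AzureKeyVaultConfiguration certificateConfiguration)
        {
            // Previously a null configuration surfaced as a NullReferenceException on the endpoint read below.
            if (certificateConfiguration is null)
            {
                throw new ArgumentNullException(nameof(certificateConfiguration));
            }

            // No endpoint configured: nothing to load, report an empty pair.
            if (string.IsNullOrEmpty(certificateConfiguration.AzureKeyVaultEndpoint))
            {
                return (null, null);
            }

            var keyVaultCertificateService = new AzureKeyVaultService(certificateConfiguration);

            // ConfigureAwait(false): library code, no synchronization context to resume on.
            return await keyVaultCertificateService.GetCertificatesFromKeyVault().ConfigureAwait(false);
        }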
コード例 #3
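        /// <summary>
        /// Registers ASP.NET Core Data Protection with the key ring persisted to
        /// <typeparamref name="TDbContext"/>, optionally encrypting the key ring at rest
        /// with an Azure Key Vault key.
        /// </summary>
        /// <typeparam name="TDbContext">EF Core context that stores the data-protection key ring.</typeparam>
        /// <param name="services">Service collection to register into.</param>
        /// <param name="dataProtectionConfiguration">Toggles whether the key ring is protected with Key Vault.</param>
        /// <param name="azureKeyVaultConfiguration">
        /// Key identifier and credential settings; only read when Key Vault protection is enabled.
        /// </param>
        /// <exception cref="ArgumentNullException">
        /// Thrown when <paramref name="services"/> or <paramref name="dataProtectionConfiguration"/> is null,
        /// or when Key Vault protection is enabled and <paramref name="azureKeyVaultConfiguration"/> is null.
        /// </exception>
        /// <exception cref="ArgumentException">
        /// Thrown when Key Vault protection is enabled but <c>DataProtectionKeyIdentifier</c> is null or empty.
        /// </exception>
        public static void AddDataProtection<TDbContext>(this IServiceCollection services, DataProtectionConfiguration dataProtectionConfiguration, AzureKeyVaultConfiguration azureKeyVaultConfiguration)
            where TDbContext : DbContext, IDataProtectionKeyContext
        {
            if (services is null)
            {
                throw new ArgumentNullException(nameof(services));
            }

            if (dataProtectionConfiguration is null)
            {
                throw new ArgumentNullException(nameof(dataProtectionConfiguration));
            }

            var dataProtectionBuilder = services.AddDataProtection()
                .SetApplicationName("Skoruba.IdentityServer4")
                .PersistKeysToDbContext<TDbContext>();

            // Without Key Vault protection the persisted key ring is stored as-is; nothing more to wire up.
            if (!dataProtectionConfiguration.ProtectKeysWithAzureKeyVault)
            {
                return;
            }

            // The Key Vault settings are only dereferenced on this path, so validate them here
            // rather than failing with a NullReferenceException / UriFormatException below.
            if (azureKeyVaultConfiguration is null)
            {
                throw new ArgumentNullException(nameof(azureKeyVaultConfiguration), "missing azureKeyVaultConfiguration");
            }

            if (string.IsNullOrEmpty(azureKeyVaultConfiguration.DataProtectionKeyIdentifier))
            {
                throw new ArgumentException("missing DataProtectionKeyIdentifier", nameof(azureKeyVaultConfiguration));
            }

            var keyIdentifier = new Uri(azureKeyVaultConfiguration.DataProtectionKeyIdentifier);

            if (azureKeyVaultConfiguration.UseClientCredentials)
            {
                // Client-credentials flow: the client secret lives in configuration, so this path
                // should be limited to environments where a managed identity is not available.
                dataProtectionBuilder.ProtectKeysWithAzureKeyVault(
                    keyIdentifier,
                    new ClientSecretCredential(
                        azureKeyVaultConfiguration.TenantId,
                        azureKeyVaultConfiguration.ClientId,
                        azureKeyVaultConfiguration.ClientSecret));
            }
            else
            {
                // DefaultAzureCredential resolves managed identity / environment / developer credentials
                // without any secret material in configuration.
                dataProtectionBuilder.ProtectKeysWithAzureKeyVault(keyIdentifier, new DefaultAzureCredential());
            }
        }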
コード例 #4
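        /// <summary>
        /// Registers ASP.NET Core Data Protection with the key ring persisted to
        /// <typeparamref name="TDbContext"/>, optionally encrypting the key ring at rest
        /// with an Azure Key Vault key via the legacy <c>KeyVaultClient</c> API.
        /// </summary>
        /// <remarks>
        /// This variant relies on the legacy Microsoft.Azure.KeyVault and AppAuthentication packages,
        /// which have been superseded by Azure.Identity and the Azure.Extensions data-protection
        /// integration; migrating is out of scope for this method.
        /// </remarks>
        /// <typeparam name="TDbContext">EF Core context that stores the data-protection key ring.</typeparam>
        /// <param name="services">Service collection to register into.</param>
        /// <param name="dataProtectionConfiguration">Toggles whether the key ring is protected with Key Vault.</param>
        /// <param name="azureKeyVaultConfiguration">
        /// Key identifier and credential settings; only read when Key Vault protection is enabled.
        /// </param>
        /// <exception cref="ArgumentNullException">
        /// Thrown when <paramref name="services"/> or <paramref name="dataProtectionConfiguration"/> is null,
        /// or when Key Vault protection is enabled and <paramref name="azureKeyVaultConfiguration"/> is null.
        /// </exception>
        /// <exception cref="ArgumentException">
        /// Thrown when Key Vault protection is enabled but <c>DataProtectionKeyIdentifier</c> is null or empty.
        /// </exception>
        public static void AddDataProtection<TDbContext>(this IServiceCollection services, DataProtectionConfiguration dataProtectionConfiguration, AzureKeyVaultConfiguration azureKeyVaultConfiguration)
            where TDbContext : DbContext, IDataProtectionKeyContext
        {
            if (services is null)
            {
                throw new ArgumentNullException(nameof(services));
            }

            if (dataProtectionConfiguration is null)
            {
                throw new ArgumentNullException(nameof(dataProtectionConfiguration));
            }

            var dataProtectionBuilder = services.AddDataProtection()
                .SetApplicationName("Skoruba.IdentityServer4")
                .PersistKeysToDbContext<TDbContext>();

            // Without Key Vault protection the persisted key ring is stored as-is; nothing more to wire up.
            if (!dataProtectionConfiguration.ProtectKeysWithAzureKeyVault)
            {
                return;
            }

            // The Key Vault settings are only dereferenced on this path, so validate them here
            // rather than failing with a NullReferenceException below.
            if (azureKeyVaultConfiguration is null)
            {
                throw new ArgumentNullException(nameof(azureKeyVaultConfiguration), "missing azureKeyVaultConfiguration");
            }

            if (string.IsNullOrEmpty(azureKeyVaultConfiguration.DataProtectionKeyIdentifier))
            {
                throw new ArgumentException("missing DataProtectionKeyIdentifier", nameof(azureKeyVaultConfiguration));
            }

            var keyIdentifier = azureKeyVaultConfiguration.DataProtectionKeyIdentifier;

            if (azureKeyVaultConfiguration.UseClientCredentials)
            {
                // Client-credentials flow: the client secret lives in configuration, so this path
                // should be limited to environments where a managed identity is not available.
                dataProtectionBuilder.ProtectKeysWithAzureKeyVault(
                    keyIdentifier,
                    azureKeyVaultConfiguration.ClientId,
                    azureKeyVaultConfiguration.ClientSecret);
            }
            else
            {
                // AzureServiceTokenProvider obtains tokens from the ambient identity (managed identity,
                // developer tooling) so no secret material is needed in configuration.
                var tokenProvider = new AzureServiceTokenProvider();
                var keyVaultClient = new KeyVaultClient(
                    new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));

                dataProtectionBuilder.ProtectKeysWithAzureKeyVault(keyVaultClient, keyIdentifier);
            }
        }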