private async Task RegisterUserCredential(HttpRequest request) { if (!request.Headers.ContainsKey("X-MS-TOKEN-AAD-ID-TOKEN")) { return; } var idToken = request.Headers["X-MS-TOKEN-AAD-ID-TOKEN"].FirstOrDefault(); var client = new HttpClient(); var expando = new System.Dynamic.ExpandoObject(); var dict = new Microsoft.AspNetCore.Routing.RouteValueDictionary(new { grant_type = "urn:ietf:params:oauth:grant-type:jwt-bearer", client_id = Environment.GetEnvironmentVariable("CLIENT_ID", EnvironmentVariableTarget.Process), client_secret = Environment.GetEnvironmentVariable("CLIENT_SECRET", EnvironmentVariableTarget.Process), assertion = request.Headers["X-MS-TOKEN-AAD-ID-TOKEN"].FirstOrDefault(), resource = "https://management.core.windows.net", requested_token_use = "on_behalf_of" }); var result = await client.PostAsync("https://login.microsoftonline.com/" + Environment.GetEnvironmentVariable("TENANT_ID", EnvironmentVariableTarget.Process) + "/oauth2/token", new FormUrlEncodedContent(dict.ToDictionary(k => k.Key, v => v.Value as string).ToList())); var resultObj = JsonConvert.DeserializeObject <TokenExchangeResponse>( await result.Content.ReadAsStringAsync()); CredentialProvider.Register( MultiCredentialProvider.CredentialType.UserCredential, resultObj.AccessToken, resultObj.ExpiresOnDateTime); }
protected async Task <RekeyingAttemptLogger> ExecuteRekeyingWorkflow(RekeyingTask task, RekeyingAttemptLogger log = null) { if (log == null) { log = new RekeyingAttemptLogger(); } MultiCredentialProvider.CredentialType credentialType; if (task.ConfirmationType == TaskConfirmationStrategies.AdminCachesSignOff) { if (task.PersistedCredentialId == default) { log.LogError("Cached sign-off is preferred but no credentials were persisted!"); throw new Exception("Cached sign-off is preferred but no credentials were persisted!"); } var token = await SecureStorageProvider.Retrieve <Azure.Core.AccessToken>(task.PersistedCredentialId); CredentialProvider.Register( MultiCredentialProvider.CredentialType.CachedCredential, token.Token, token.ExpiresOn); credentialType = MultiCredentialProvider.CredentialType.CachedCredential; } else if (task.ConfirmationType == TaskConfirmationStrategies.AdminSignsOffJustInTime) { credentialType = MultiCredentialProvider.CredentialType.UserCredential; } else { credentialType = MultiCredentialProvider.CredentialType.AgentServicePrincipal; } log.LogInformation("Using credential type {0} to access resources", credentialType); var secret = await ManagedSecrets.GetAsync(task.ManagedSecretId); log.LogInformation("Beginning rekeying for ManagedSecret '{0}' (ID {1})", secret.Name, secret.ObjectId); var resources = await Resources.GetAsync(r => secret.ResourceIds.Contains(r.ObjectId)); var workflow = new ProviderActionWorkflow(log, resources.Select(r => GetProvider(log, r.ProviderType, r.ProviderConfiguration, credentialType))); try { await workflow.InvokeAsync(secret.ValidPeriod); secret.LastChanged = DateTimeOffset.UtcNow; await ManagedSecrets.UpdateAsync(secret); log.LogInformation("Completed rekeying workflow for ManagedSecret '{0}' (ID {1})", secret.Name, secret.ObjectId); if (credentialType == MultiCredentialProvider.CredentialType.CachedCredential) { log.LogInformation("Destroying persisted credential"); await SecureStorageProvider.Destroy(task.PersistedCredentialId); } log.LogInformation("Rekeying task completed"); } catch (Exception ex) { log.LogCritical(ex, "Error running rekeying task!"); log.LogCritical(ex.Message); log.LogCritical(ex.StackTrace); log.OuterException = JsonConvert.SerializeObject(ex, Formatting.Indented); } return(log); }