Authenticate to keyvault using either certificate or secret
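/// <summary>
/// Looks up X.509 certificates by thumbprint in the personal (<c>My</c>) certificate stores,
/// checking the current user's store first and falling back to the machine store.
/// </summary>
public class CertificateHelper
{
    /// <summary>
    /// Finds the certificate with the given thumbprint in <c>CurrentUser\My</c>, then in <c>LocalMachine\My</c>.
    /// </summary>
    /// <param name="thumbrint">Hex-encoded thumbprint of the certificate to find.</param>
    /// <returns>The matching certificate, or <c>null</c> when neither store contains it.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="thumbrint"/> is <c>null</c>.</exception>
    /// <exception cref="InvalidOperationException">A store holds more than one certificate with this thumbprint.</exception>
    public static X509Certificate2 FindCertificateByThumbprint(string thumbrint)
    {
        if (thumbrint == null)
        {
            throw new ArgumentNullException(nameof(thumbrint));
        }

        // Same search order as before: the user's own store wins over the machine-wide one.
        return FindCertificateByThumbprint(thumbrint, StoreName.My, StoreLocation.CurrentUser)
            ?? FindCertificateByThumbprint(thumbrint, StoreName.My, StoreLocation.LocalMachine);
    }

    /// <summary>
    /// Finds the certificate with the given thumbprint in one specific store.
    /// </summary>
    /// <param name="thumbrint">Hex-encoded thumbprint of the certificate to find.</param>
    /// <param name="storeName">Store to search (for example <see cref="StoreName.My"/>).</param>
    /// <param name="storeLocation">Whether the user or the machine store is searched.</param>
    /// <returns>The matching certificate, or <c>null</c> when the store has no match.</returns>
    private static X509Certificate2 FindCertificateByThumbprint(string thumbrint, StoreName storeName, StoreLocation storeLocation)
    {
        using (X509Store store = new X509Store(storeName, storeLocation))
        {
            store.Open(OpenFlags.ReadOnly);

            // validOnly: false — the lookup also returns certificates that are expired or whose chain
            // does not build to a trusted root (original reason: the test root isn't installed).
            // Callers that require a trusted, current certificate must verify the result themselves.
            X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindByThumbprint, thumbrint, validOnly: false);
            if (certs.Count == 0)
            {
                return null;
            }

            // A thumbprint identifies exactly one certificate; Single() surfaces a duplicated store entry
            // instead of silently picking one of them.
            return certs.OfType<X509Certificate2>().Single();
        }
    }
}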
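/// <summary>
/// Builds a Key Vault client that authenticates the service principal <paramref name="clientId"/>
/// with a client certificate looked up from the local certificate stores.
/// </summary>
/// <param name="clientId">Application (client) id of the Azure AD service principal.</param>
/// <param name="certificateThumbrint">Thumbprint of the certificate registered for that application.</param>
/// <returns>A client whose token callback authenticates with a certificate-signed client assertion.</returns>
/// <exception cref="InvalidOperationException">No certificate with the given thumbprint is installed.</exception>
private static IKeyVaultClient CreateKeyVaultClientWithCertificate(string clientId, string certificateThumbrint)
{
    X509Certificate2 clientCertificate = CertificateHelper.FindCertificateByThumbprint(certificateThumbrint);
    if (clientCertificate == null)
    {
        // InvalidOperationException derives from Exception, so existing catch (Exception) handlers still apply.
        throw new InvalidOperationException($"Failed to find certificate with thumbprint {certificateThumbrint}");
    }

    var clientCredential = new ClientAssertionCertificate(clientId, clientCertificate);
    return CreateKeyVaultClient(async (AuthenticationContext authenticationContext, string resource) =>
    {
        return await authenticationContext.AcquireTokenAsync(resource, clientCredential);
    });
}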
/// <summary>
/// Builds a Key Vault client that authenticates the service principal <paramref name="clientId"/>
/// with a shared client secret.
/// </summary>
/// <param name="clientId">Application (client) id of the Azure AD service principal.</param>
/// <param name="clientSecret">Client secret registered for that application; treat it as a credential.</param>
/// <returns>A client whose token callback exchanges the secret for an access token.</returns>
private static IKeyVaultClient CreateKeyVaultClientWithSecret(string clientId, string clientSecret)
{
    var secretCredential = new ClientCredential(clientId, clientSecret);

    // The delegate only forwards to ADAL; the credential is captured for the lifetime of the client.
    return CreateKeyVaultClient(async (context, resource) => await context.AcquireTokenAsync(resource, secretCredential));
}
/// <summary>
/// Wraps <paramref name="tokenAcquireDelegateAsync"/> in a <see cref="KeyVaultClient"/> authentication callback.
/// Each authentication challenge gets a fresh <see cref="AuthenticationContext"/> for the challenged authority,
/// all of them backed by one <see cref="TokenCache"/> owned by the returned client.
/// </summary>
/// <param name="tokenAcquireDelegateAsync">Acquires a token for a resource with the caller's credential.</param>
/// <returns>A Key Vault client that obtains bearer tokens through the delegate.</returns>
private static IKeyVaultClient CreateKeyVaultClient(TokenAcquireDelegateAsync tokenAcquireDelegateAsync)
{
    // One cache per client instance, shared by every AuthenticationContext the callback creates.
    var sharedCache = new TokenCache();

    return new KeyVaultClient(async (authority, resource, scope) =>
    {
        // The authority from the challenge is normalised through System.Uri before ADAL sees it.
        // NOTE(review): the second constructor argument (false) turns off ADAL authority validation,
        // so the authority returned by the Key Vault challenge is accepted as-is — confirm this is intended.
        var context = new AuthenticationContext(new Uri(authority).AbsoluteUri, false, sharedCache);
        AuthenticationResult authResult = await tokenAcquireDelegateAsync(context, resource).ConfigureAwait(false);
        return authResult.AccessToken;
    });
}