Prerequisites:
NuGet packages
# Run these in the Visual Studio Package Manager Console (one package per command).
# ADAL client library: used by GetToken to acquire the Azure AD access token.
Install-Package -Id Microsoft.IdentityModel.Clients.ActiveDirectory
# Key Vault client: used at Application Start to read the secret.
Install-Package -Id Microsoft.Azure.KeyVault
# NOTE(review): consider pinning -Version so builds are reproducible, and check the
# current support status of both packages (ADAL and the Microsoft.Azure.KeyVault
# client have newer replacements — MSAL and Azure.Security.KeyVault.Secrets) before
# building new code on them.
web.config
<!-- Azure AD application registration (service principal) the web app uses to call Key Vault. -->
<!-- The values below are placeholders. When the app is hosted as an Azure Web App, supply the
     real ClientId, ClientSecret and SecretUri through the Web App's application settings instead
     of editing this file; anywhere else, replace the placeholders with the actual values — and
     keep a file containing the real ClientSecret out of source control. -->
<add key="ClientId" value="clientid" />
<add key="ClientSecret" value="clientsecret" />
<!-- Full URI of the secret inside Azure Key Vault (passed to KeyVaultClient.GetSecretAsync). -->
<add key="SecretUri" value="secreturi" />
Utility code
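//add these using statements
using System;
using System.Threading.Tasks;
using System.Web.Configuration;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

/// <summary>
/// Optional holder for the Key Vault secret once it has been retrieved (set from the
/// Application Start snippet). It is a plain static string, so it stays in process memory
/// for the lifetime of the app and is only refreshed by a restart; never log it.
/// </summary>
public static string EncryptSecret { get; set; }

/// <summary>
/// Authentication callback handed to <c>KeyVaultClient</c>: acquires an Azure AD access
/// token for <paramref name="resource"/> with the client-credentials flow, using the
/// ClientId / ClientSecret app settings.
/// </summary>
/// <param name="authority">Azure AD authority URL supplied by the KeyVaultClient callback.</param>
/// <param name="resource">Identifier of the resource the token is requested for (Key Vault).</param>
/// <param name="scope">Part of the callback contract; not used by this implementation.</param>
/// <returns>The bearer access token string.</returns>
/// <exception cref="InvalidOperationException">
/// The ClientId or ClientSecret app setting is missing/blank, or ADAL returned no usable token.
/// </exception>
public static async Task<string> GetToken(string authority, string resource, string scope)
{
    // Fail fast with a clear message instead of letting ADAL fail on a blank credential.
    // The messages name the setting only — never echo the secret value into exceptions or logs.
    string clientId = WebConfigurationManager.AppSettings["ClientId"];
    string clientSecret = WebConfigurationManager.AppSettings["ClientSecret"];
    if (string.IsNullOrWhiteSpace(clientId))
        throw new InvalidOperationException("The 'ClientId' app setting is missing or empty.");
    if (string.IsNullOrWhiteSpace(clientSecret))
        throw new InvalidOperationException("The 'ClientSecret' app setting is missing or empty.");

    var authContext = new AuthenticationContext(authority);
    var clientCred = new ClientCredential(clientId, clientSecret);
    AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);

    // Guard the token itself, not just the result object: an empty token would otherwise
    // surface later as an opaque 401 from Key Vault.
    if (result == null || string.IsNullOrEmpty(result.AccessToken))
        throw new InvalidOperationException("Failed to obtain the JWT token");
    return result.AccessToken;
}

// Using Client ID and Client Secret is a way to authenticate an Azure AD application.
// Using it in your web application allows for a separation of duties and more control over your key management.
// However, it does rely on putting the Client Secret in your configuration settings, which for
// some deployments is as risky as putting the protected secret itself in configuration:
// whoever can read the config can fetch the Key Vault secret. Keep the real ClientSecret out of
// source control (e.g. supply it through the hosting environment's app settings) and treat the
// host/config that holds it as part of the secret store.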
Retrieve the secret on Application Start (it is read once and held in a static property for the lifetime of the process, so a rotated secret in Key Vault is only picked up after an app restart)
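//add these using statements
using System;
using System.Web.Configuration;
using Microsoft.Azure.KeyVault;

// I put my GetToken method in a Utils class. Change for wherever you placed your method.

// Read the secret's Key Vault URI and fail fast with a clear message when it is not configured,
// rather than letting KeyVaultClient fail on a null/blank URI.
string secretUri = WebConfigurationManager.AppSettings["SecretUri"];
if (string.IsNullOrWhiteSpace(secretUri))
    throw new InvalidOperationException("The 'SecretUri' app setting is missing or empty.");

// KeyVaultClient invokes Utils.GetToken when it needs an Azure AD access token for the call.
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(Utils.GetToken));
var sec = await kv.GetSecretAsync(secretUri);

//I put a variable in a Utils class to hold the secret for general application use.
// This runs once at startup: the value is cached in a static string for the process lifetime,
// so a rotated secret is only picked up after an app restart. Never log sec.Value.
Utils.EncryptSecret = sec.Value;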