Connect Blazor WASM app to Azure Key Vault

I am asking for your help because I have some trouble with the connection of my app to Azure Key Vault (title of the subject).

The architecture of my project looks like this (I can't upload images yet):

Web.Client

  • Properties
  • wwwroot
  • Shared
  • ...
  • Program.cs

Web.Server

  • Properties
  • Controllers
  • Pages
  • appsettings.json
  • Startup.cs
  • Program.cs

So far, I managed to connect to my AAD using appsettings.json files to configure the ids etc., and I've added Msal authentication in the Program.cs file in the Web.Client part of the project.

To connect to my key vault, I've done this in my Startup.cs (I'm following this tutorial: https://docs.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app):

 using System;
 using Azure.Core;
 using Azure.Identity;
 using Azure.Security.KeyVault.Secrets;

 // Retry policy for transient failures; it only takes effect when passed to the client.
 SecretClientOptions options = new SecretClientOptions()
 {
      Retry =
      {
          Delay = TimeSpan.FromSeconds(2),
          MaxDelay = TimeSpan.FromSeconds(16),
          MaxRetries = 5,
          Mode = RetryMode.Exponential
      }
 };

 // <kv-name> is a placeholder for the vault name.
 var client = new SecretClient(new Uri("https://<kv-name>.vault.azure.net/"), new DefaultAzureCredential(), options);

 KeyVaultSecret secret = client.GetSecret("test-secret");

 string secretValue = secret.Value;

But I'm getting the following error:

Azure.RequestFailedException : 'AKV10032: Invalid issuer. Expected one of https://sts.windows.net/<...>/, https://sts.windows.net/<...>/, https://sts.windows.net/<...>/, found https://sts.windows.net/<...>/.
Status: 401 (Unauthorized)
ErrorCode: Unauthorized


Solution 1:

You can refer to my code; maybe it would help you somewhere.

using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class KeyVaultHelper
{
    // Replace these placeholders with your app registration and vault values.
    private static string CLIENT_ID = "AppClientID";
    private static string BASE_URI = "KeyVaultBaseURL";
    private static string CLIENT_SECRET = "ClientSecret";

    public static async Task FetchKey()
    {
        // The callback is invoked by the client to obtain a token for the vault's authority.
        var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync), new HttpClient());
        var key = await GetSecretAsync(client, "Test-secret");
    }

    // Returns the secret as bytes; assumes the secret value was stored base64-encoded.
    public static async Task<byte[]> GetSecretAsync(KeyVaultClient client, string key)
    {
        var secret = await client.GetSecretAsync(BASE_URI, key);
        return Convert.FromBase64String(secret.Value);
    }

    // Client-credentials flow (ADAL) against the authority Key Vault asks for.
    private static async Task<string> GetAccessTokenAsync(string authority, string resource, string scope)
    {
        var appCredentials = new ClientCredential(CLIENT_ID, CLIENT_SECRET);
        var context = new AuthenticationContext(authority, TokenCache.DefaultShared);

        var result = await context.AcquireTokenAsync(resource, appCredentials);

        return result.AccessToken;
    }
}

Note - Change your CLIENT_ID, BASE_URI and CLIENT_SECRET.

  • Update - Please note that the call to Key Vault does not work on WASM due to a CORS issue.
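The same secret read done server-side with the Azure.Identity client from the question, as an added example that is neither the asker's Startup.cs nor the answerer's helper (the class KeyVaultSecretReader, its parameters and the <kv-name> placeholder are assumed). The AKV10032 "Invalid issuer" message in the question means the token DefaultAzureCredential obtained was issued by a tenant other than the vault's, so the credential is pinned to the vault's tenant, the retry options are actually handed to the client, and the 401/403 failure mode is caught:

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Lives in Web.Server only: the browser-hosted Web.Client must not hold a vault
// credential, and Key Vault does not answer cross-origin calls from the browser.
public sealed class KeyVaultSecretReader
{
    private readonly SecretClient _client;
    // vaultUri is https://<kv-name>.vault.azure.net/ (placeholder); tenantId is the vault's
    // tenant: a token from any other tenant fails with AKV10032, the question's error.
    public KeyVaultSecretReader(Uri vaultUri, string tenantId)
    {
        // DefaultAzureCredential otherwise takes whichever tenant the developer tool
        // (Visual Studio, VS Code, shared token cache) is signed in to, so pin it.
        var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            VisualStudioTenantId = tenantId,
            VisualStudioCodeTenantId = tenantId,
            SharedTokenCacheTenantId = tenantId,
            InteractiveBrowserTenantId = tenantId
        });
        // Same retry policy as the question; it only applies once passed to the client.
        var options = new SecretClientOptions();
        options.Retry.Delay = TimeSpan.FromSeconds(2);
        options.Retry.MaxDelay = TimeSpan.FromSeconds(16);
        options.Retry.MaxRetries = 5;
        options.Retry.Mode = RetryMode.Exponential;
        _client = new SecretClient(vaultUri, credential, options);
    }

    public async Task<string> ReadAsync(string secretName)
    {
        try
        {
            KeyVaultSecret secret = await _client.GetSecretAsync(secretName);
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 401 || ex.Status == 403)
        {
            // 401: token issuer/tenant mismatch; 403: no access policy or RBAC role.
            // Wrap it so raw vault and token details never reach an HTTP response body.
            throw new InvalidOperationException(
                $"Key Vault refused '{secretName}' (HTTP {ex.Status}, {ex.ErrorCode}).", ex);
        }
    }
}
```

Register it once in Web.Server's service collection and expose the values the client needs through a controller; the WASM client never talks to the vault directly.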

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
