C#•2y ago

✅ ASP.NET Core Environment Variables: missing Parameter "clientSecret" for EntraId

I want to authenticate Users with EntraId & call Downstream-APIs

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApi(azureAdConfig)
                .EnableTokenAcquisitionToCallDownstreamApi()
                .AddInMemoryTokenCaches();

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApi(azureAdConfig)
                .EnableTokenAcquisitionToCallDownstreamApi()
                .AddInMemoryTokenCaches();

However, I struggle to get my Environment Variables & Secrets working

Because this is running in a Container I use Environment Variables.
This works fine:

string instance = Environment.GetEnvironmentVariable("ENTRA_INSTANCE") ?? throw new Exception("Missing Environment Variable ENTRA_INSTANCE");
string clientId = Environment.GetEnvironmentVariable("ENTRA_CLIENT_ID") ?? throw new Exception("Missing Environment Variable ENTRA_CLIENT_ID");
string tenantId = Environment.GetEnvironmentVariable("ENTRA_TENANT_ID") ?? throw new Exception("Missing Environment Variable ENTRA_TENANT_ID");
string entraScope = Environment.GetEnvironmentVariable("ENTRA_SCOPES") ?? throw new Exception("Missing Environment Variable ENTRA_SCOPES");

string instance = Environment.GetEnvironmentVariable("ENTRA_INSTANCE") ?? throw new Exception("Missing Environment Variable ENTRA_INSTANCE");
string clientId = Environment.GetEnvironmentVariable("ENTRA_CLIENT_ID") ?? throw new Exception("Missing Environment Variable ENTRA_CLIENT_ID");
string tenantId = Environment.GetEnvironmentVariable("ENTRA_TENANT_ID") ?? throw new Exception("Missing Environment Variable ENTRA_TENANT_ID");
string entraScope = Environment.GetEnvironmentVariable("ENTRA_SCOPES") ?? throw new Exception("Missing Environment Variable ENTRA_SCOPES");

The Compose Secret is in the correct Path in the Container and i add it to config with:

builder.Configuration.AddKeyPerFile(directoryPath: "/run/secrets", optional: false);

builder.Configuration.AddKeyPerFile(directoryPath: "/run/secrets", optional: false);

But i have no idea how to get Auth to work. I have a workaround for the Config that works:

var azureAdConfig = new ConfigurationBuilder()
    .AddInMemoryCollection(new Dictionary<string, string>
    {
        {"AzureAd:Instance", instance},
        {"AzureAd:TenantId", tenantId},
        {"AzureAd:ClientId", clientId},
        {"AzureAd:Scopes", entraScope}  
    })
    .Build();
...
.AddMicrosoftIdentityWebApi(azureAdConfig)

var azureAdConfig = new ConfigurationBuilder()
    .AddInMemoryCollection(new Dictionary<string, string>
    {
        {"AzureAd:Instance", instance},
        {"AzureAd:TenantId", tenantId},
        {"AzureAd:ClientId", clientId},
        {"AzureAd:Scopes", entraScope}  
    })
    .Build();
...
.AddMicrosoftIdentityWebApi(azureAdConfig)

The secret however is not recognized. This error occurs on Request:

System.ArgumentNullException: Value cannot be null. (Parameter 'clientSecret')

System.ArgumentNullException: Value cannot be null. (Parameter 'clientSecret')

GopherOP•7/23/24, 11:28 AM

IDK how to configure this in general. This also fails with the same exception

GopherOP•7/23/24, 11:44 AM

Sry for the Typo in the title

TeBeCo•7/23/24, 12:21 PM

dunno if that can helps you but I have that:

TeBeCo•7/23/24, 12:21 PM

i havent used (because i don't call backend with entra)

TeBeCo•7/23/24, 12:22 PM

TeBeCo•7/23/24, 12:23 PM

in your case it would cascade down the same way with the next clientid/secret i guess

GopherOP•7/23/24, 12:23 PM

I have a shared secret that allows my API to call Azure Resource Manager.
But there is no way to set it. other than appsettings.json
Im using environment variables though

TeBeCo•7/23/24, 12:23 PM

it's unrealted/the same

TeBeCo•7/23/24, 12:24 PM

as you can see i'm reading from

TeBeCo•7/23/24, 12:24 PM

is an abstraction on top of both EnvVar and appsettings and user-secrets and console args etc .....

TeBeCo•7/23/24, 12:24 PM

as per docs of AspNetCore, section named 'Configuration' in the fundamentals

TeBeCo•7/23/24, 12:25 PM

TeBeCo•7/23/24, 12:25 PM

GopherOP•7/23/24, 12:25 PM

i got that. But it doesn't accept my ClientSecret

GopherOP•7/23/24, 12:25 PM

i explicitly set it there

TeBeCo•7/23/24, 12:25 PM

something is resetting it

TeBeCo•7/23/24, 12:25 PM

we cannot tell

TeBeCo•7/23/24, 12:26 PM

we don't have your code

TeBeCo•7/23/24, 12:26 PM

or your infra

GopherOP•7/23/24, 12:31 PM

ok
ill create a new project
& add nothing but this part
then ill attempt to create a authenticated client

GopherOP•7/23/24, 2:04 PM

The Problem was elsewhere.
The Client Secret was set correctly. The Config was just fine.
The errer occured, when my OBO flow tried to obtain the token for the ArmClient.
I had to refactor my ArmClientBuilder to use the correct Configuration.