0

We are using the email invite flow to get our users created in our Azure B2C. Currently we are reviewing our management of secrets in code and config; coming out of this work, we are now using an Azure KeyVault.

Our ASP.Net website that previously had the cert loaded directly into the App Service is now referencing one in the key vault.

At the Azure B2C "Identity Experience Framework" end of the arrangement we have the “B2C_1A_IdTokenHintCert” policy key and that was created when we uploaded the certificate into Azure B2C. This breaks the approach of centralising the management of our certificates with KeyVault.

Is there a way of using KeyVault for the Custom Policy configuration?

Pat Long - Munkii Yebee

1 Answer

0

In your particular scenario, you can expose your own metadata endpoint for id token hint validation in your App. That is what the sample does by default: https://github.com/azure-ad-b2c/id-token-builder

You might then look for a way to reference the cert via Key Vault instead of uploading the cert to the App Service, e.g. reading the cert in your app via the Key Vault API.

https://learn.microsoft.com/en-us/rest/api/keyvault/#certificate-operations

Jas Suri - MSFT
  • We already have the App Service referencing a KV for the certificate. Are you saying that with our own metadata endpoint we completely remove any need for the Azure B2C instance to reference the certificate? – Pat Long - Munkii Yebee Sep 22 '20 at 11:30
  • Well for id token hint technical profile, you don’t need to reference a cryptographic key, you reference a metadata endpoint. B2C policy keys can be manipulated to produce that metadata document, or you can just host it yourself. The latter would mean you put the cert in KV instead and use your app to build the metadata document. For other technical profiles that use a cryptographic key element, those keys must be stored in B2C policy keys. – Jas Suri - MSFT Sep 22 '20 at 11:47
  • Does that mean if we are only offering "Sign Up as Invite" and "Sign in via App" we can get rid of these two custom policies B2C_1A_TokenSigningKeyContainer and B2C_1A_TokenEncryptionKeyContainer? – Pat Long - Munkii Yebee Sep 22 '20 at 12:08
  • Definitely not. Those keys are generated and held inside B2C, referenced by the policy to sign tokens and encrypt refresh tokens. As I said, the only one my comment applies to is for the id token hint technical profile. – Jas Suri - MSFT Sep 23 '20 at 19:52
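The approach the answer and its comments describe, as an added example that is not code from the question, the answer, or the id-token-builder sample: the ASP.NET app downloads the signing certificate from Key Vault with the App Service's managed identity, publishes an OpenID discovery document and a JWKS built from the public half only, and signs the id_token_hint with the private half. The B2C id_token_hint technical profile is then pointed at this app's metadata URL instead of at the B2C_1A_IdTokenHintCert policy key; the token-signing and token-encryption key containers stay in B2C, as the last comment says. The vault URI, certificate name, issuer URL and audience are placeholders, and the package names (Azure.Identity, Azure.Security.KeyVault.Certificates, Microsoft.IdentityModel.Tokens, System.IdentityModel.Tokens.Jwt) are assumptions about how the app is put together.

```csharp
// Added example (.NET 6 minimal API); not from the question, the answer or the sample repo.
// Assumed packages: Azure.Identity, Azure.Security.KeyVault.Certificates,
// Microsoft.IdentityModel.Tokens, System.IdentityModel.Tokens.Jwt.
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Placeholders: the real vault URI and certificate name come from configuration.
var vaultUri = new Uri("https://<your-vault>.vault.azure.net/");
const string certificateName = "id-token-hint-signing";

// Download the certificate together with its private key from Key Vault.
// DefaultAzureCredential uses the App Service's managed identity in Azure,
// so no secret or certificate file lives in the App Service itself.
var certClient = new CertificateClient(vaultUri, new DefaultAzureCredential());
X509Certificate2 cert = (await certClient.DownloadCertificateAsync(certificateName)).Value;

// X509SecurityKey.KeyId is the certificate thumbprint; the same value is used as "kid"
// in the JWKS and in the JWT header, which is what lets B2C pick the right key.
var signingKey = new X509SecurityKey(cert);

// Base URL that the technical profile's metadata setting points at (placeholder).
string issuer = app.Configuration["IdTokenHint:Issuer"] ?? "https://<your-app>.azurewebsites.net";

// 1. OpenID discovery document: B2C reads jwks_uri from here.
app.MapGet("/.well-known/openid-configuration", () => Results.Json(new
{
    issuer,
    jwks_uri = $"{issuer}/.well-known/keys",
    id_token_signing_alg_values_supported = new[] { "RS256" },
}));

// 2. JWKS built from the public key only; the private key never leaves the process.
app.MapGet("/.well-known/keys", () =>
{
    RSAParameters pub = cert.GetRSAPublicKey()!.ExportParameters(false);
    return Results.Json(new
    {
        keys = new[]
        {
            new
            {
                kty = "RSA",
                use = "sig",
                kid = signingKey.KeyId,
                n = Base64UrlEncoder.Encode(pub.Modulus),
                e = Base64UrlEncoder.Encode(pub.Exponent),
                x5t = Base64UrlEncoder.Encode(cert.GetCertHash()),      // SHA-1 thumbprint, base64url
                x5c = new[] { Convert.ToBase64String(cert.RawData) },  // DER certificate, base64
            }
        }
    });
});

// 3. Mint the id_token_hint that goes into the invite link. The audience must equal the
// IdTokenAudience metadata value of the B2C technical profile (placeholder here).
// Call this from the code path that sends the invite e-mail; do not expose it unauthenticated.
string BuildInviteToken(string email)
{
    var handler = new JwtSecurityTokenHandler();
    JwtSecurityToken token = handler.CreateJwtSecurityToken(
        issuer: issuer,
        audience: app.Configuration["IdTokenHint:Audience"] ?? "<policy-audience-guid>",
        subject: new ClaimsIdentity(new[] { new Claim("email", email) }),
        notBefore: DateTime.UtcNow,
        expires: DateTime.UtcNow.AddHours(1),   // short lifetime: the link is single purpose
        issuedAt: DateTime.UtcNow,
        signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256));
    return handler.WriteToken(token);
}

app.Run();
```

Rotating the certificate then means creating a new version in Key Vault and restarting the app (or re-downloading on a timer); B2C picks up the new public key from the JWKS on its next fetch, and nothing has to be re-uploaded as a policy key. The private key is only ever used inside BuildInviteToken, so the endpoints B2C calls cannot leak it.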