
In my custom policy I have a technical profile that calls the SendGrid API to send emails.

<TechnicalProfile Id="SendEmail">
    <DisplayName>Use SendGrid's email API to send the code to the user</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
        <Item Key="ServiceUrl">send-grid-url</Item>
        <Item Key="AuthenticationType">Bearer</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <Item Key="ClaimUsedForRequestPayload">emailRequestBody</Item>
    </Metadata>
    <CryptographicKeys>
        <Key Id="BearerAuthenticationToken" StorageReferenceId="B2C_1A_SendGridKey" />
    </CryptographicKeys>
    <InputClaimsTransformations>
        <InputClaimsTransformation ReferenceId="GenerateEmailRequestBody" />
    </InputClaimsTransformations>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="emailRequestBody" />
    </InputClaims>
</TechnicalProfile>

Originally the API key for SendGrid is uploaded to the Policy Keys in the Identity Experience Framework and named B2C_1A_SendGridKey. However, we want to hold all our keys and secrets in Key Vault instead of uploading them to the Policy Keys. Is there a way to get the key from Key Vault and use it in the custom policy?

waanderer
  • Does [this question/answer help at all](https://stackoverflow.com/questions/64006559/use-azure-keyvault-in-the-b2c-custom-policy-config)? – philnash Apr 11 '22 at 00:29
  • Hello @philnash , I checked the link that you sent. I think our scenarios are different, theirs is for token validation while ours is sending a request to an API. – waanderer Apr 11 '22 at 01:09
  • Hmm, ok. I don't think I can help, but I'll see if there is anyone else with Azure experience at Twilio who can help out here. – philnash Apr 11 '22 at 01:20

1 Answer

No, unfortunately not.

B2C requires that its secrets be stored as Policy Keys, which is what you have here, and there's no way around that.

Even if you wrapped the actual SendGrid call in your own API so that you could store the SendGrid secret in KeyVault, you'd still have to secure your API call, and that would require some secret held in B2C Policy Keys.

Dave D
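As an added illustration of the relay design the answer describes (this is example code written for this page, not code from the question, the answer, SendGrid or Azure), the sketch below is the "wrap SendGrid in your own API" option. B2C's RESTful technical profile would call this endpoint with a Bearer token, and that token is the one secret that still has to live in a B2C Policy Key; the SendGrid key itself is read from Key Vault by the relay and never reaches B2C. `FakeKeyVault`, `RELAY_BEARER_TOKEN`, the `SendGridApiKey` secret name and the `sendgrid_post` callable are constructed stand-ins so the code runs offline; a real deployment would use the Key Vault SDK and an HTTPS call to SendGrid in their place.

```python
"""
Relay API sketch: verify the Bearer token B2C presents (stored as a Policy Key
on the B2C side), then use a SendGrid key fetched from Key Vault.
"""
import hmac
import json

# Constructed sample token. In a deployment B2C holds this as a Policy Key and
# the relay reads its copy from configuration or Key Vault.
RELAY_BEARER_TOKEN = "constructed-relay-token-held-in-B2C-policy-key"


class FakeKeyVault:
    """Hypothetical stand-in for a Key Vault secret client (offline only)."""

    def __init__(self, secrets_by_name):
        self._secrets = dict(secrets_by_name)

    def get_secret(self, name):
        return self._secrets[name]


def check_bearer(auth_header, expected_token):
    """Constant-time comparison of 'Authorization: Bearer <token>'."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False
    presented = auth_header[len("Bearer "):].strip()
    return hmac.compare_digest(presented.encode("utf-8"),
                               expected_token.encode("utf-8"))


def handle_send_email(headers, body, vault, sendgrid_post):
    """
    Process one relay request from B2C.

    headers:       dict of incoming HTTP headers
    body:          raw request body (the emailRequestBody claim B2C sends)
    vault:         object with get_secret(name)
    sendgrid_post: callable(api_key, payload) -> upstream HTTP status
    Returns (http_status, response_dict).
    """
    # Hop 1: B2C -> relay. Authenticated with the relay token only.
    if not check_bearer(headers.get("Authorization", ""), RELAY_BEARER_TOKEN):
        return 401, {"error": "unauthorized"}

    try:
        request = json.loads(body)
    except ValueError:
        return 400, {"error": "invalid json"}

    # Minimal shape check before anything is forwarded upstream.
    for field in ("to", "subject", "content"):
        if field not in request:
            return 400, {"error": "missing " + field}

    # Hop 2: relay -> SendGrid. The SendGrid key comes from Key Vault here and
    # is never part of the B2C policy.
    sendgrid_key = vault.get_secret("SendGridApiKey")
    upstream_status = sendgrid_post(sendgrid_key, request)
    if upstream_status == 202:
        return 202, {"status": "queued"}
    return 502, {"error": "upstream failure", "upstream_status": upstream_status}


if __name__ == "__main__":
    vault = FakeKeyVault({"SendGridApiKey": "SG.constructed-example-key"})

    def fake_post(api_key, payload):
        # Constructed stand-in for the HTTPS call to SendGrid.
        return 202 if api_key.startswith("SG.") else 401

    good = {"Authorization": "Bearer " + RELAY_BEARER_TOKEN}
    print(handle_send_email(good, b'{"to":"a@example.test","subject":"code","content":"123456"}', vault, fake_post))
    print(handle_send_email({"Authorization": "Bearer wrong"}, b"{}", vault, fake_post))
```

The point the answer makes is visible in the two hops: moving the SendGrid key into Key Vault removes it from B2C, but `RELAY_BEARER_TOKEN` (or a client certificate, which the RESTful provider also supports) is still a secret B2C must hold in a Policy Key to reach the relay.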