在生产中使用 InteractiveBrowserCredential 对 Azure Key Vault 进行身份验证将不起作用

Question

I want to read a secret from Azure Key Vault from my ASP.NET web application. In order to do that I don't want to authenticate the application (service principal), but the individual users (user principal). From all the possible credential types, I've concluded the best one to achieve this is InteractiveBrowserCredential:

DefaultAzureCredential ManagedIdentityCredential
EnvironmentCredential
ClientSecretCredential
CertificateCredential
UserPasswordCredential
DeviceCodeCredential
InteractiveBrowserCredential

Here's my code:

var client = new SecretClient(new Uri(keyVaultUrl), new InteractiveBrowserCredential();
KeyVaultSecret secret = client.GetSecret(secretName);
string password = secret.Value;

This works well on localhost - I get prompted for my Azure AD user and password, and I have access to the vault. However, I notice this is not my default browser but a IIS Express worker process instead.

1

When running this same code on production, I get the following error:

Azure.Identity.AuthenticationFailedException: InteractiveBrowserCredential authentication failed: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application. ---> System.InvalidOperationException

Afaik it should be opening a browser, not a modal dialog. Can someone help my understand what's going on here?

Answer 1

According to the error, your hosting environment does not support UserInteractive model and it cannot open a modal dialog box or form automatically. But when we use the InteractiveBrowserCredential to do auth, the running environment should be able to open a modal dialog box or form automatically then we can do auth. For more details, please refer to here .