[英]What is the best practice for certificates used to protect an Azure App in client credential flow
Many of my (confidential) apps are talking to each other via the client credential flow.我的许多(机密)应用程序都通过客户端凭证流相互通信。
They request a token from the Azure Identity platform and use this token to authenticate against another app.他们从 Azure 身份平台请求令牌,并使用此令牌对另一个应用程序进行身份验证。
A while ago I used client secrets to do so, but later I read that this is not recommended for production environments.前段时间我使用客户端密码来这样做,但后来我读到不建议在生产环境中这样做。
For this reason I changed to self-signed certificates that are valid a longer time.为此,我更改为有效期更长的自签名证书。
Those certificates are generated by myself with Azure Keyvault.这些证书是我自己使用 Azure Keyvault 生成的。 However, also this is not recommended.
但是,也不推荐这样做。
Microsoft states that that in production environments you should use certificates that are signed by an official CA. Microsoft 指出,在生产环境中,您应该使用由官方 CA 签名的证书。
If I now use Lets encrypt, this will expire all three months what is also not such a nice solution.如果我现在使用 Lets encrypt,这将在所有三个月内过期,这也不是一个很好的解决方案。
My questions:我的问题:
Do you have any source of best practices here?您在这里有任何最佳实践来源吗?
• Client secrets include application credentials, SSH keys, API keys, database passwords, encryption keys, connection strings and so on to connect various resources and access the data or functionality for achieving the designated purpose of that application. • 客户端机密包括应用程序凭据、SSH 密钥、API 密钥、数据库密码、加密密钥、连接字符串等,用于连接各种资源并访问数据或功能以实现该应用程序的指定目的。 Thus, if these are breached, they can put your application at great risk of compromise.
因此,如果这些被破坏,它们会使您的应用程序面临很大的风险。 Also, the client secret generated in Azure AD and used in APIs for connecting to Azure AD for authentication and authorization purpose is listed and mentioned in unencrypted form in the API code itself.
此外,在 Azure AD 中生成并在 API 中用于连接到 Azure AD 以进行身份验证和授权的客户端密码在 API 代码本身中以未加密的形式列出和提及。 Though, we have an option to store that secret in a key vault and refer to that secret through either managed identity or RBAC assignments, but their credentials too can fall in wrong hands and let the application be vulnerable if the managed identity is a user assigned or even if then access scope of the secret is not well defined according to the required specific need.
虽然,我们可以选择将该秘密存储在密钥库中并通过托管身份或 RBAC 分配引用该秘密,但它们的凭据也可能落入坏人之手,如果托管身份是用户分配的,则应用程序容易受到攻击或者即使然后访问 scope 的秘密也没有根据所需的特定需要很好地定义。 Thus, client secret is not recommended to be used in a production API.
因此,不建议在生产 API 中使用客户端密码。
• In client credentials flow, applications are directly granted permissions by an administrator to perform a certain action regarding the API to be called through it via certificate or federated credentials. • 在客户端凭据流中,管理员直接授予应用程序权限,以执行有关 API 的特定操作,通过证书或联合凭据调用它。 Thus, when using a self-signed certificate in client credentials grant scenario, the administrator has granted the daemon app requesting access to other API all the required privileges regarding accessibility of code, API, permissions, data, etc. which can result in poor validation and misuse as the it is very easy to generate a certificate's key pair without reasonable entropy.
因此,当在客户端凭据授予场景中使用自签名证书时,管理员已授予请求访问其他 API 的守护程序应用程序有关代码可访问性、API、权限、数据等的所有必需特权,这可能导致验证不佳和滥用,因为很容易在没有合理熵的情况下生成证书的密钥对。 Also, protecting the private key of the key pair appropriately to its use and strong validation of the same is not promised in a self-signed certificate due to which it is not recommended in client credentials flow.
此外,在自签名证书中不承诺适当地保护密钥对的私钥以使其使用和对其进行强大的验证,因此不建议在客户端凭证流中使用。
• For best practices regarding web app service deployment, please refer to the documentation link below: - • 有关 web 应用服务部署的最佳实践,请参阅以下文档链接:-
https://learn.microsoft.com/en-us/azure/app-service/security-recommendations#general https://learn.microsoft.com/en-us/azure/app-service/security-recommendations#general
It explains the best security recommendations for deploying a web app service.它解释了部署 web 应用程序服务的最佳安全建议。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.