
Is placing the key on the page a secure practice? #38167

Closed
ghost opened this issue Sep 3, 2019 — with docs.microsoft.com · 11 comments


ghost commented Sep 3, 2019

Both methods of authenticating the Maps SDK with the Azure Maps API require placing the keys in clear text right there in the HTML page. Is this really a good idea? Is there no way to secure this?



@AshokPeddakotla-MSFT
Contributor

@sujayvsarma Thanks for the feedback! We are currently investigating and will update you shortly.

@ghost
Author

ghost commented Sep 3, 2019

I have since found that you can set authType to anonymous and provide a callback function that retrieves the auth token from a REST API endpoint.

However, there are no proper examples to implement this method.

I have raised this bug to track: Azure-Samples/AzureMapsCodeSamples#19

Please see if you can accelerate the same.

@rbrundritt
Contributor

Key-based authentication should only be used for development. This code sample site started using keys before Azure Active Directory was available. These samples will be moving to Azure AD soon. Azure AD is much more secure and the details that are visible in the browser are not enough for someone to access your account.

I'm going to close this issue as the other issue you opened is more relevant. Also note that the forums or the Azure support team is a much better place to ask these types of questions.

@rbrundritt
Contributor

Just realized that this issue was raised in the docs repo and the other issue was in the code samples repo. Someone else will have to close this issue as I don't have admin rights on this repo.

#close

@AshokPeddakotla-MSFT
Contributor

@rbrundritt Thanks for looking into this issue.
@sujayvsarma As mentioned, we will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.

@ghost
Author

ghost commented Sep 4, 2019

@rbrundritt @AshokPeddakotla-MSFT

The Azure AD method is not really viable for the following reasons. The setup / configuration path is really convoluted. You have THREE "applications" to deal with:

  • Azure Maps Application
  • The Azure AD registration of the Azure Maps Application
  • The App Service that you would be creating that runs the site that uses the Maps

The docs that currently provide configuration instructions for Apps on Azure AD are confusing enough, with terminology that is used interchangeably and values appearing with identical names everywhere -- not to mention the Azure UI changing its layout and labels and you folks NOT updating it in tandem!

Take a look at these pages for example:

Exhibit 1

Exhibit 2

Please have someone that has never done Azure Maps to follow those two docs and get things working on the first try. Really!

Not just that. Azure AD auth only works if your site's users are on your Azure AD tenant, or belong to another Azure AD tenant. Getting it to work properly with public AD (Live/Xbox/Hotmail) accounts is another disaster.

I cannot wait long enough to read the disaster you guys are going to write up!

@rbrundritt
Contributor

There are a lot of different ways in which Azure AD can be set up and integrated into an application. You can find a bunch of documentation on how to do this here. These methods are used across all Azure products. As such, rather than Azure Maps creating duplicate documentation on how to integrate Azure AD using all the different methods, it is more efficient to use the existing documentation for Azure AD.

Note, Azure AD has an anonymous mode which can be used in public facing applications which do not require users to sign in or be a part of an Azure AD tenant.

@ghost
Author

ghost commented Sep 5, 2019 via email

@rbrundritt
Contributor

A critical part of the service that you create is including your secret token. We can't expose our service and make it reusable as there would not be a secure way to get your secret into it. Also, a lot of companies add a lot of custom logic to their service and often run the service in the same domain as their application.

Good feedback on the authentication documentation for Azure AD; we will pass that on to that team.

Anonymous mode has been around for a long time. I remember working with it on another platform 5 or 6 years ago. The documentation I linked to does mention it.

Waleed will add a code sample in this thread to show what we are using in our Azure function.

You can also find lots of Azure AD samples here: https://github.com/Azure-Samples?utf8=%E2%9C%93&q=Azure+Ad&type=&language=

@walsehgal

walsehgal commented Sep 5, 2019

Like Ricky mentioned, this is the same code we are using in our Azure function and calling it in our samples:

```csharp
// C# script (run.csx) form of an HTTP-triggered Azure Function. It needs the
// ADAL package (Microsoft.IdentityModel.Clients.ActiveDirectory) referenced in
// the function project.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // AuthenticationContext, ClientCredential

public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
{
    log.LogInformation("C# HTTP trigger function processed a request.");

    // Replace the tenant name; this is the Azure AD authority the token is requested from
    var authenticationContext = new AuthenticationContext("https://login.microsoftonline.com/<tenant_name>", false);

    // Config for OAuth client credentials; the secret stays inside the function and is never returned
    ClientCredential clientCred = new ClientCredential("<Replace with client ID>", "<Replace with client secret>");

    // Resource identifier for Azure Maps (must be exact: the original had a trailing space inside the string)
    AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync("https://atlas.microsoft.com/", clientCred);
    string token = authenticationResult.AccessToken;

    // Only the short-lived access token goes back to the browser
    return (ActionResult)new OkObjectResult(token);
}
```
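To show how the two halves of this thread fit together (the `authType: 'anonymous'` plus `getToken` callback mentioned in an earlier comment, and the secret-holding token function above), here is an added JavaScript example. It is not code from this issue or from the Azure Maps samples. It assumes a Node-side token endpoint that performs the same client-credentials exchange as the C# function (v1 endpoint, resource `https://atlas.microsoft.com/`), and the names `tokenServiceUrl`, `allowedOrigin`, `settings` and `/api/GetAzureMapsToken` are placeholders chosen for the illustration. The `clientId` field in `authOptions` is the Web SDK's requirement for anonymous mode (the Maps account's client ID, which is public), not something the thread itself spells out. `fetchImpl` is injectable so the whole exchange can be exercised offline with a fake `fetch`.

```javascript
// Added example; not code from this issue or from the Azure Maps samples.
// It shows the pattern the thread converges on, end to end:
//  - server side: a token endpoint that holds the Azure AD client secret and
//    exchanges it for a short-lived Azure Maps access token (client credentials
//    against the v1 endpoint, same resource "https://atlas.microsoft.com/" as the
//    C# function above);
//  - browser side: Azure Maps Web SDK authOptions with authType 'anonymous' and a
//    getToken callback that asks that endpoint for a token.
// tokenServiceUrl, allowedOrigin and the `settings` fields are assumed names;
// fetchImpl is injectable so everything runs offline against a fake fetch.

// ---------- server side (runs where the secret lives, never in the browser) ----------

// Client-credentials grant: secret in, access token out. Only the token is returned.
async function acquireMapsToken(settings, fetchImpl = globalThis.fetch) {
  const { tenantId, clientId, clientSecret } = settings;
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
    resource: 'https://atlas.microsoft.com/', // exact resource string, no trailing space
  });
  const res = await fetchImpl(`https://login.microsoftonline.com/${tenantId}/oauth2/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  const json = await res.json();
  return { token: json.access_token, expiresIn: Number(json.expires_in) };
}

// Framework-agnostic handler for the token endpoint. Only the site's own origin is
// allowed (CORS), the response is marked non-cacheable, and the body is just the token.
async function handleTokenRequest(requestOrigin, allowedOrigin, settings, fetchImpl) {
  if (requestOrigin !== allowedOrigin) {
    return { status: 403, headers: {}, body: 'origin not allowed' };
  }
  const { token } = await acquireMapsToken(settings, fetchImpl);
  return {
    status: 200,
    headers: {
      'Access-Control-Allow-Origin': allowedOrigin,
      'Cache-Control': 'no-store',
      'Content-Type': 'text/plain',
    },
    body: token,
  };
}

// ---------- browser side ----------

// authOptions for `new atlas.Map(...)`. mapsClientId is the Azure Maps account's
// client ID (public, safe in the page); the Azure AD secret never appears here.
function buildAuthOptions(tokenServiceUrl, mapsClientId, fetchImpl = globalThis.fetch) {
  return {
    authType: 'anonymous',
    clientId: mapsClientId,
    // The SDK invokes getToken(resolve, reject, map) whenever it needs a fresh token.
    getToken: (resolve, reject, map) => {
      fetchImpl(tokenServiceUrl, { credentials: 'same-origin' })
        .then((r) => (r.ok ? r.text() : Promise.reject(new Error(`token service: ${r.status}`))))
        .then(resolve)
        .catch(reject);
    },
  };
}

// Page usage, guarded so this file also runs under Node for the offline checks.
if (typeof atlas !== 'undefined') {
  const map = new atlas.Map('myMap', {
    center: [-122.33, 47.6],
    zoom: 12,
    authOptions: buildAuthOptions('/api/GetAzureMapsToken', '<maps-client-id>'),
  });
  map.events.add('ready', () => console.log('map ready'));
}
```

What the browser ends up holding is the Maps client ID and an access token that expires on its own, which is the point made earlier in the thread: those details are not enough to act on the account. The client secret only ever exists in the server-side handler, and restricting the endpoint to the site's own origin keeps other pages from minting tokens through it.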

@ghost
Author

ghost commented Sep 6, 2019

@rbrundritt:

> Anonymous mode has been around for a long time. I remember working with it on another platform 5 or 6 years ago. The documentation I linked to does mention it.

Could you provide a link to documentation/samples that show how to make use of this? Or connect me with someone who can help...

@walsehgal:

Thank you. Closing this issue. I have already closed the samples issue.

@ghost ghost closed this as completed Sep 6, 2019