Is placing the key on the page a secure practice? #38167
Comments
@sujayvsarma Thanks for the feedback! We are currently investigating and will update you shortly. |
I have since found that you can set However, there are no proper examples to implement this method. I have raised this bug to track: Azure-Samples/AzureMapsCodeSamples#19 Please see if you can accelerate the same. |
Key based authentication should only be used for development. This code sample site started using keys before Azure Active Directory was available. These samples will be moving to Azure AD soon. Azure AD is much more secure and the details that are visible in the browser are not enough for someone to access your account. I'm going to close this issue as the other issue you opened is more relevant. Also note that the forums or the Azure support team is a much better place to ask these types of questions. |
Just realized that this issue was raised in the docs repo and the other issue was in the code samples repo. Someone else will have to close this issue as I don't have admin rights on this repo. #close |
@rbrundritt Thanks for looking into this issue. |
@rbrundritt @AshokPeddakotla-MSFT Azure AD method is not really viable for the following reasons. The Setup / configuration path is really convoluted. You have THREE "applications" to deal with:
The docs that currently provide configuration instructions for Apps on Azure AD are confusing enough, with terminology that is used interchangeably and values appearing with identical names everywhere -- not to mention the Azure UI changing its layout and labels and you folks NOT updating it in tandem! Take a look at these pages for example: Please have someone that has never done Azure Maps follow those two docs and get things working on the first try. Really! Not just that. Azure AD auth only works if your site's users are on your Azure AD tenant, or belong to another Azure AD tenant. Getting it to work properly with public AD (Live/Xbox/Hotmail) accounts is another disaster. I cannot wait long enough to read the disaster you guys are going to write up! |
There are a lot of different ways in which Azure AD can be set up and integrated into an application. You can find a bunch of documentation on how to do this here. These methods are used across all Azure products. As such, rather than Azure Maps creating duplicate documentation on how to integrate Azure AD using all the different methods, it is more efficient to use the existing documentation for Azure AD. Note, Azure AD has an anonymous mode which can be used in public facing applications which do not require users to sign in or be a part of an Azure AD tenant. |
Like I've said repeatedly. Azure documentation on authentication sucks. Terminology needs to be improved a lot. Docs need to be in sync with what's on the portal.
This anonymous mode thing - no one has even heard of it. Why isn't there more visible documentation of what it is, how to use it, how not to use it, etc?
|
A critical part of the service that you create is including your secret token. We can't expose our service and make it reusable as there would not be a secure way to get your secret into it. Also, a lot of companies add a lot of custom logic to their service and often run the service in the same domain as their application. Good feedback on the authentication documentation for Azure AD, we will pass that on to that team. Anonymous mode has been around for a long time. I remember working with it on another platform 5 or 6 years ago. The documentation I linked to does mention it. Waleed will add a code sample in this thread to show what we are using in our Azure function. You can also find lots of Azure AD samples here: https://github.com/Azure-Samples?utf8=%E2%9C%93&q=Azure+Ad&type=&language= |
Like Ricky mentioned this is the same code we are using in our Azure function and calling it in our samples:
|
Could you provide a link to documentation/samples that show how to make use of this? Or connect me with someone who can help... Thank you. Closing this issue. I have already closed the samples issue. |
Both methods of authenticating the Maps SDK with the Azure Maps API require placing the keys in clear text right there in the HTML page. Is this really a good idea? Is there no way to secure this?
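The arrangement the maintainers describe in the thread above, a service that keeps the secret on the server and hands the page only a short-lived token, shown here as an added example. It is not code from this thread, the samples repository or the Azure function mentioned; every name is hypothetical and the issuer is a constructed stand-in, not an Azure AD call.

```javascript
// Added example. All names are hypothetical; nothing here is an Azure or
// Azure Maps API. The secret is only ever seen by acquireToken(), server-side.
function createTokenHandler({ allowedOrigins, acquireToken, now = Date.now }) {
  const allowed = new Set(allowedOrigins);
  let cached = null; // { token, expiresAt } with expiresAt in epoch milliseconds

  return async function handle(request) {
    if (request.method !== 'GET') {
      return { status: 405, headers: { Allow: 'GET' }, body: '' };
    }
    // Browsers set Origin themselves, so this stops other sites' pages from
    // using the endpoint. A non-browser client can forge the header, so the
    // short token lifetime is what bounds reuse of a copied token.
    const origin = request.headers.origin;
    if (!origin || !allowed.has(origin)) {
      return { status: 403, headers: {}, body: '' };
    }
    // Reuse the token until it is within 60 seconds of expiry.
    if (!cached || cached.expiresAt - now() < 60000) {
      cached = await acquireToken();
    }
    return {
      status: 200,
      headers: {
        'Access-Control-Allow-Origin': origin,
        'Vary': 'Origin',
        'Cache-Control': 'no-store', // keep tokens out of shared caches
      },
      body: cached.token, // the page receives this, never the secret
    };
  };
}

// Constructed stand-in for the server-side exchange of the secret for a
// short-lived token (assumed result shape: { token, expiresAt }).
function makeDemoIssuer(secret, clock, lifetimeMs = 10 * 60 * 1000) {
  let issued = 0;
  return async () => {
    if (!secret) throw new Error('secret not configured');
    issued += 1;
    return { token: `demo-token-${issued}`, expiresAt: clock() + lifetimeMs };
  };
}
```

Running the handler on the same domain as the application, as the maintainers mention companies often do, lets the allow-list shrink to a single origin.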