-
Notifications
You must be signed in to change notification settings - Fork 4.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FEATURE REQ] Add IConfiguration
integration for TokenProvider
when using AddAzureAppConfiguration()
#43434
Comments
Thank you for your feedback. Tagging and routing to the team member best able to assist. |
Hi @julealgon. Thanks for reaching out and we regret that you're experiencing difficulties. I cannot speak for the extensions related to
It is also possible to define the credential types recommended for production environments directly from configuration, allowing for both a global credential applied to all clients and credentials scoped to a specific service client. This allows credentials to be configured without the use of environment variables. More context and discussion can be found in Create Microsoft Entra credential types using configuration files. That all said, I cannot speak for what I'm going to mark this as addressed, as I believe the feature that you're looking for needs to come from the AppConfig package. If I've misunderstood your scenario or request, please feel free to unresolve and continue the discussion. |
Hi @julealgon. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation. |
Yes. I'll probably open a separate request over there at least for the idea of providing an overload where the
None of that applies to the underlying client used by Azure AppConfiguration's standard integration though, as that client is used much earlier in the "host building" pipeline where not even the DI container is ready yet. My expectation was that, this package being a "helper for when using
I disagree here. The purpose of This is why I feel adding such extensions here makes sense for this case. The native AppConfiguration package only concerns itself with the "raw" operations, while this here should add support for hosting, configuration, dependency injection and logging, which are all standard abstractions from Surely it would be possible to at least isolate the Before closing this issue, please reconsider extracting that logic that creates the token provider from config into a separate, public class, that more people can leverage. That would be an extremely simple way of allowing one to tap into the capability during configuration setup without needing you to write a bunch of custom extensions on top of AzureAppConfiguration (although that would probably be the ideal approach moving forward). |
@julealgon: I think there's a disconnect as to the intent and purpose of When this package was created, |
To me, these are basically synonyms at this point though, but fair enough.
I see. Well, if the team is already looking into native For now, I'll try to keep this "as dumb as possible" for us and avoid defining any custom extensions and attempting to integrate with I'm looking forward to those improvements you mentioned. I'm closing this then. |
Library name
Microsoft.Extensions.Azure
Please describe the feature.
I'd like to propose a way to leverage the
AzureComponentFactory
in contexts where we don't yet have aIServiceProvider
in place but we do have anIConfiguration
: more specifically, when configuring Azure AppConfiguration.AzureComponentFactory
is an abstract class today, and it's only implementation, calledAzureComponentFactoryImpl
, isinternal
and thus not accessible from the outside.Essentially, this is what I'd like to have:
However, there are a couple of problems there:
AddAzureAppConfiguration
that take aUri
: only ones that takestring
for the connectionString approach. Yes, I know that is handled byMicrosoft.Extensions.Configuration.AzureAppConfiguration
and is thus not part of this repositorytokenCredential
value, so even if 1 was in place, it would still not work. We have to do this now:This is "mostly fine" (even though I think its excessively verbose and the
credential
argument should just default toDefaultAzureCredential
anyways...), but the main issue starts when we have to deal with apps that are not hosted in Azure.We are in the process of integrating Azure AppConfiguration in a large number of projects, some hosted in Azure, some on-premise services, and even some that are hosted in AWS.
Over this past few days, I've been looking into what the cleanest/safest/most manageable way would be to integrate these various services. For anything directly hosted in Azure, the answer has been pretty clearly to leverage Managed Identity as much as possible, which led us to a solution like the above.
However, the problem starts with the on-premise services, where we are going with dedicated "service principals" created in Entra ID for the applications.
Currently, our code looks exactly the same for those services:
But now we realized we have a problem: we want to persist some of the non-sensitive values in local configuration, such as
appSettings.json
. But doing so, breaks the implementation as all 3 of the following are expected to be present as environment variables only:AZURE_TENANT_ID
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
If we move the tenant ID and the client ID (which are not secrets) to some other configuration source,
DefaultAzureCredential
cannot read them anymore (as it cannot rely onEnvironmentCredential
to fetch all 3 values). There is zero integration withIConfiguration
at this level. Suddenly, this becomes a huge mess:Having to read the individual values manually defeats the purpose of using
DefaultAzureCredential
(you can't even use it). You are then forced into changing the code to create an explicitClientSecretCredential
to pass in the 3 values. Then, if in the near future we want to switch to a cert-based auth, this needs to be changed manually again. And when we move the service from on-premises to inside Azure we have to update it yet again to change it back to eitherDefaultAzureCredential
or the specificManagedIdentityCredential
.This design seems terrible to me.
I found this library and immediately though we could use the
AzureComponentFactory
'sCreateTokenCredential(IConfiguration)
method. This would put us back into "sane" territory:But of course this doesn't work for a number of reasons:
AzureComponentFactory
isabstract
, and its only implementation,AzureComponentFactoryImpl
, isinternal
IServiceProvider
which we don't have at this point)AZURE_
prefix, and camelCase instead of snake_case...azure-sdk-for-net/sdk/extensions/Microsoft.Extensions.Azure/src/Internal/ClientFactory.cs
Lines 94 to 106 in 69b6ef7
At this point was when I decided to create this issue, because this seems extremely convoluted. I understand
Microsoft.Extensions.Azure
was created more to support clients such as the EventGrid one or direct KeyVault access, but the configuration flow needs some desperate help.Not only is it super verbose, but it is also extremely brittle and inconsistent: each change of direction requires significant code changes, naming changes, etc.
This will force me to create some crazy custom extensions to workaround some of those limitations such that we can minimize the number of times we have to touch our code once it is deployed and needs Azure auth changes.
At this point I feel like I'm doing something extremely wrong... hopefully that is the case and all of these problems I listed are non-issues with a different approach that I'm not seeing.
Slightly related to:
The text was updated successfully, but these errors were encountered: