Unseen secrets – using KeyVault to protect OAuth2 token requests
Premier Dev Consultant Marius Rochon shares an example using Azure Functions and Key Vault to sign OAuth2 client assertions used to obtain JWT tokens from Azure AD.
This sample implements an Azure Function App, which uses Azure KeyVault to sign OAuth2 client assertions used to obtain JWT tokens from Azure AD. The private key used to sign the client assertion and thus authenticate the function to Azure AD is generated in the KeyVault and never leaves that service (it is not exportable). This prevents potential credentials theft, which could occur if the key was generated outside of the KeyVault and then deployed, read into the function code itself or used directly in the assertion as a symmetric key would.
Using Azure AD Managed Identities, we can ensure that only this Function App has access to the signing key in the vault and therefore protect other resources it accesses using OAuth2 tokens.
For your convenience, this walkthrough and sample code are provided on GitHub.