Deprecated Microsoft.Azure.KeyVault removed and replaced with

Azure.Security.KeyVault.Certificates

Author: Revsgaard

test/TestWebAppCoreAzureKeyVault/AzureKeyVault/ADTokenRequest.cs

@@ -1,7 +1,9 @@
-using ITfoxtec.Identity.Saml2;
+using Azure.Core;
+using Azure.Security.KeyVault.Certificates;
+using ITfoxtec.Identity.Saml2;
 using ITfoxtec.Identity.Saml2.Cryptography;
 using ITfoxtec.Identity.Saml2.Schemas.Metadata;
-using Microsoft.Azure.KeyVault;
+using RSAKeyVaultProvider;
 using System;
 using System.Linq;
 using System.Security.Cryptography.X509Certificates;
@@ -11,12 +13,12 @@ namespace TestWebAppCoreAzureKeyVault.Identity
     public class Saml2ConfigurationLogic
     {
         private readonly Saml2Configuration config;
-        private readonly KeyVaultClient keyVaultClient;
+        private readonly TokenCredential tokenCredential;
 
-        public Saml2ConfigurationLogic(Saml2Configuration config, KeyVaultClient keyVaultClient)
+        public Saml2ConfigurationLogic(Saml2Configuration config, TokenCredential tokenCredential)
         {
             this.config = config;
-            this.keyVaultClient = keyVaultClient;
+            this.tokenCredential = tokenCredential;
         }
 
         public string Saml2IdPMetadata{ get; set; }
@@ -33,10 +35,11 @@ public Saml2Configuration GetSaml2Configuration()
                 RevocationMode = config.RevocationMode
             };
 
-            var certificateBundle = keyVaultClient.GetCertificateAsync(AzureKeyVaultBaseUrl, AzureKeyVaultCertificateName).GetAwaiter().GetResult();
-            var publicCertificate = new X509Certificate2(certificateBundle.Cer);
+            var certificateClient = new CertificateClient(new Uri(AzureKeyVaultBaseUrl), tokenCredential);
+            var certificateWithPolicy = certificateClient.GetCertificate(AzureKeyVaultCertificateName);
 
-            var rsa = keyVaultClient.ToRSA(certificateBundle.KeyIdentifier, publicCertificate);
+            var publicCertificate = new X509Certificate2(certificateWithPolicy.Value.Cer);
+            var rsa = RSAFactory.Create(tokenCredential, certificateWithPolicy.Value.KeyId, new Azure.Security.KeyVault.Keys.JsonWebKey(publicCertificate.GetRSAPublicKey()));
             saml2Configuration.SigningCertificate = new Saml2X509Certificate(publicCertificate, rsa);
 
             //saml2Configuration.SignAuthnRequest = true;

test/TestWebAppCoreAzureKeyVault/AzureKeyVault/AppKeyVaultClient.cs

@@ -3,12 +3,11 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
-using ITfoxtec.Identity.Helpers;
 using ITfoxtec.Identity.Saml2.MvcCore.Configuration;
 using ITfoxtec.Identity.Saml2;
-using TestWebAppCoreAzureKeyVault.AzureKeyVault;
-using Microsoft.Azure.KeyVault;
 using TestWebAppCoreAzureKeyVault.Identity;
+using Azure.Core;
+using Azure.Identity;
 
 namespace TestWebAppCoreAzureKeyVault
 {
@@ -32,9 +31,9 @@ public void ConfigureServices(IServiceCollection services)
 
             services.AddSingleton(serviceProvider => 
             {
-                var keyVaultClient = serviceProvider.GetService<KeyVaultClient>();
+                var tokenCredential = serviceProvider.GetService<TokenCredential>();
 
-                return new Saml2ConfigurationLogic(saml2Configuration, keyVaultClient)
+                return new Saml2ConfigurationLogic(saml2Configuration, tokenCredential)
                 {
                     Saml2IdPMetadata = Configuration["Saml2:IdPMetadata"],
                     AzureKeyVaultBaseUrl = Configuration["AzureKeyVault:BaseUrl"],
@@ -44,11 +43,10 @@ public void ConfigureServices(IServiceCollection services)
 
             services.AddSaml2();
 
-            services.AddTransient<TokenHelper>();
-            services.AddSingleton(serviceProvider =>
+            //In production possible use: services.AddSingleton<TokenCredential, DefaultAzureCredential>();
+            services.AddSingleton<TokenCredential>(serviceProvider =>
             {
-                var tokenHelper = serviceProvider.GetService<TokenHelper>();
-                return AppKeyVaultClient.GetClient(Configuration["AzureKeyVault:ClientId"], Configuration["AzureKeyVault:ClientSecret"], tokenHelper);
+                return new ClientSecretCredential(Configuration["AzureKeyVault:TenantId"], Configuration["AzureKeyVault:ClientId"], Configuration["AzureKeyVault:ClientSecret"]);
             });
 
             services.AddHttpClient();

test/TestWebAppCoreAzureKeyVault/Logic/Saml2ConfigurationLogic.cs

@@ -24,9 +24,10 @@
 
   <ItemGroup>
     <PackageReference Include="BuildBundlerMinifier" Version="3.2.449" />
-    <PackageReference Include="ITfoxtec.Identity" Version="2.0.2" />
-    <PackageReference Include="Microsoft.Azure.KeyVault" Version="3.0.5" />
-    <PackageReference Include="RSAKeyVaultProvider" Version="1.1.57" />
+    <PackageReference Include="ITfoxtec.Identity" Version="2.5.6" />
+    <PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.2.0" />
+	<PackageReference Include="Azure.Identity" Version="1.5.0" />
+	<PackageReference Include="RSAKeyVaultProvider" Version="2.1.1" />
     <PackageReference Include="System.ServiceModel.Security" Version="4.8.0" />
   </ItemGroup>
 </Project>

test/TestWebAppCoreAzureKeyVault/Startup.cs

@@ -18,6 +18,7 @@
   //     itfoxtec.identity.saml2.testwebappcore_Certificate.pfx password: !QAZ2wsx
   // And configure your Azure Key Vault.
   "AzureKeyVault": {
+    "TenantId": "xxxx",
     "ClientId": "xxxx",
     "ClientSecret": "xxxx",
     "BaseUrl": "https://xxxx.vault.azure.net/",