I think I'm having difficulty understanding authentication for public client applications, specifically in relation to the Azure key vault.
I've been able to write some C# which builds a public client application, registered with Azure, and I can authenticate using a broker and my Windows domain login to get an OAuth token without having to provide any password. I've successfully used that OAuth token to call the RESTful API for the key vault, and have retrieved some secrets. I've used RBAC to grant the necessary permissions.
However, I know I'm supposed to use SecretClient to accomplish this. SecretClient requires a credential, but what I have is an OAuth token. How can I create a credential that uses my OAuth token?
I've been playing with the DefaultAzureCredential object, but I've only been able to get this working with environment variables (using a confidential client, which isn't what I want), or with my Visual Studio credentials. This then doesn't work on the test PC.
Any assistance would be greatly appreciated!
Below is an example of the code I thought would work on a domain-joined PC where the user is logged in with their Entra ID.
using System;
using System.Windows.Forms;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

string tenantId = "<my tenant>";
DefaultAzureCredentialOptions options = new DefaultAzureCredentialOptions();
options.TenantId = tenantId;
// Skip the environment-variable (client secret) credential so only the signed-in user's own identity is tried
options.ExcludeEnvironmentCredential = true;
DefaultAzureCredential credential = new DefaultAzureCredential(options);
SecretClient client = new SecretClient(new Uri("https://mykeyvault.vault.azure.net/"), credential);
// GetSecret returns Response<KeyVaultSecret>: .Value is the secret object, .Value.Value its plaintext
string secretValue = client.GetSecret("mysecret").Value.Value;
MessageBox.Show(secretValue);
According to this MS-Document, it is not possible to access SecretClient without credentials. The SecretClient requires a credential to authenticate with the Azure service, with DefaultAzureCredential or ClientSecretCredential. In ClientSecretCredential, you also need to pass clientId, clientSecret, and tenantId to fetch the secrets from KeyVault.
Code:
As of now, you need to use PCA (OAuth token) flow only.
Reference: Azure Key Vault secret client library for .NET - Azure for .NET Developers | Microsoft Learn
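The question asks how to turn the broker-issued OAuth token into something SecretClient will accept. SecretClient takes any Azure.Core TokenCredential, so the missing piece is an adapter that implements TokenCredential on top of the MSAL public client the asker already has working. The following is an added example, not code from the question, the answer, or the Azure SDK; it assumes the Microsoft.Identity.Client and Microsoft.Identity.Client.Broker packages (the WithBroker call and BrokerOptions type live in the latter), and the class name MsalPublicClientCredential, the client id placeholder and the scope handling are the example's own choices.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Identity.Client;

// Added example (not from the question, the answer, or the Azure SDK): adapt an MSAL
// public client, signed in through the Windows broker, to the TokenCredential that
// SecretClient expects. Name and structure are this example's own assumptions.
public sealed class MsalPublicClientCredential : TokenCredential
{
    private readonly IPublicClientApplication _pca;

    public MsalPublicClientCredential(IPublicClientApplication pca)
    {
        _pca = pca ?? throw new ArgumentNullException(nameof(pca));
    }

    // SecretClient calls one of these whenever it needs a bearer token. The scopes it
    // passes (for Key Vault, "https://vault.azure.net/.default") go to MSAL unchanged,
    // so the token is minted for exactly the resource the client is about to call.
    public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
        => GetTokenAsync(requestContext, cancellationToken).AsTask().GetAwaiter().GetResult();

    public override async ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
    {
        // Silent acquisition for the account signed in to Windows: no password prompt,
        // and MSAL serves a fresh token from its cache or the broker when the old one
        // nears expiry, which a credential that just returns a fixed string cannot do.
        AuthenticationResult result = await _pca
            .AcquireTokenSilent(requestContext.Scopes, PublicClientApplication.OperatingSystemAccount)
            .ExecuteAsync(cancellationToken)
            .ConfigureAwait(false);

        return new AccessToken(result.AccessToken, result.ExpiresOn);
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Placeholders: the app registration and tenant from the question.
        string clientId = "<your public client app id>";
        string tenantId = "<my tenant>";

        // WithBroker(...) is the Microsoft.Identity.Client.Broker extension that lets a
        // domain-joined user sign in through Windows without typing a password.
        IPublicClientApplication pca = PublicClientApplicationBuilder
            .Create(clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .WithDefaultRedirectUri()
            .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
            .Build();

        var client = new SecretClient(
            new Uri("https://mykeyvault.vault.azure.net/"),
            new MsalPublicClientCredential(pca));

        // Response<KeyVaultSecret> converts implicitly to KeyVaultSecret.
        KeyVaultSecret secret = await client.GetSecretAsync("mysecret");

        // Print only metadata here; the plaintext is in secret.Value.
        Console.WriteLine($"Retrieved '{secret.Name}', {secret.Value.Length} characters, version {secret.Properties.Version}.");
    }
}
```

Two caveats from the design. First, AcquireTokenSilent throws MsalUiRequiredException when the broker has no usable session (for instance a conditional-access policy needs re-consent); the caller should catch it and fall back to AcquireTokenInteractive with WithParentActivityOrWindow so the broker can show its prompt. Second, the token is scoped to the Key Vault resource and the user's RBAC role, so the permission boundary stays with the signed-in user rather than with a client secret shipped in the binary, which is the property the asker wanted from a public client.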