Purpose: Accept the ASP.NET web application for Azure and use OAuth2 for Google, Twilio and SendGrid with a database for user information.
Problem: I get publishing errors when I use an external configuration file that supports my "appSettings" in my Web.config file. In Azure, I also entered credentials so that they are securely stored for Google OAuth2, which, from my research and understanding, override published Web.config settings. How do I use and refer to my sensitive credentials in code for Azure correctly and safely?
Research: I continue to follow this link step by step -
https://azure.microsoft.com/en-us/documentation/articles/web-sites-dotnet-deploy-aspnet-mvc-app-membership-oauth-sql-database/
This link also leads to another link for implementing Google OAuth2 below -
www.asp.net/mvc/overview/security/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on
However, it is unsafe to place sensitive information in the web.config file, which is marked with a security note, which leads here to protect / best practices for deploying ASP.NET sensitive information for Azure -
www.asp.net/identity/overview/features-api/best-practices-for-deploying-passwords-and-other-sensitive-data-to-aspnet-and-azure
I understand that linking to an external file that stores sensitive data / credentials from the web.config file is best practice. I note that IIS does not serve *.config files and, because of the specified location of the configuration file below, "git add *" will not add sensitive credentials to the repository.
Web.config - (note the application settings on line 2)
    </connectionStrings>
    <appSettings file="..\..\AppSettingsSecrets.config">
      <add key="webpages:Version" value="3.0.0.0" />
      <add key="webpages:Enabled" value="false" />
      <add key="ClientValidationEnabled" value="true" />
      <add key="UnobtrusiveJavaScriptEnabled" value="true" />
    </appSettings>
    <system.web>
AppSettingsSecrets.config
    <appSettings>
      <add key="mailAccount" value="My mail account." />
      <add key="mailPassword" value="My mail password." />
      <add key="TwilioSid" value="My Twilio SID." />
      <add key="TwilioToken" value="My Twilio Token." />
      <add key="TwilioFromPhone" value="+12065551234" />
      <add key="GoogClientID" value="1.apps.googleusercontent.com" />
      <add key="GoogClientSecret" value="My Google client secret." />
    </appSettings>
How to correctly / safely refer to your ID and secret from AppSettingsSecrets.config from the code specified in step 7?
www.asp.net/mvc/overview/security/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on
The corresponding code is shown below (note the bottom used for Google authentication):
    public void ConfigureAuth(IAppBuilder app)
    {
        // Configure the db context and user manager to use a single instance per request
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        // Enable the application to use a cookie to store information for the signed in user
        // and to use a cookie to temporarily store information about a user logging in with a third party login provider
        // Configure the sign in cookie
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });

        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // Uncomment the following lines to enable logging in with third party login providers
        //app.UseMicrosoftAccountAuthentication(
        //    clientId: "",
        //    clientSecret: "");

        //app.UseTwitterAuthentication(
        //    consumerKey: "",
        //    consumerSecret: "");

        //app.UseFacebookAuthentication(
        //    appId: "",
        //    appSecret: "");

        app.UseGoogleAuthentication(
            clientId: "000-000.apps.googleusercontent.com",
            clientSecret: "00000000000");
    }
In addition, in the Azure Secrets Deployment Tutorial, this information is listed:
When you deploy your web app to Azure, the AppSettingsSecrets.config file won't be deployed (that's what you want). You could go to the Azure Management Portal and set them manually, to do that:

1. Go to http://portal.azure.com, and sign in with your Azure credentials.
2. Click Browse > Web Apps, then click the name of your web app.
3. Click All settings > Application settings.

The app settings and connection string values override the same settings in the web.config file. In our example, we did not deploy these settings to Azure, but if these keys were in the web.config file, the settings shown on the portal would take precedence.
This tells me that I can manually enter sensitive information into Azure through the portal and that this is (I suppose) a safe way to store sensitive credentials privately, allowing my web application to access and use the information. (Please correct me if I am wrong!) However, when I manually entered this information, my web application now throws a runtime error, as shown below, as a link to the image:
Server Runtime Error
Any suggestions or other links or pointers / tips are welcome! Thanks in advance!
EDIT: After turning off customErrors in the web.config file and updating the Azure deployment, this is the error the site is now giving. Essentially, my code does not pull out the saved Google OAuth2 credentials that I saved in Azure. How do I get my code to pull out credentials stored in Azure for Google OAuth2? NewSiteError
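Added example, not part of the original post: one way to read the Google client ID and secret from appSettings at startup instead of hard-coding them in ConfigureAuth, and to report by name (never by value) any key that is missing. It assumes the key names from AppSettingsSecrets.config above are entered with the same spelling under Application settings in the Azure portal; the `WebApp` namespace and the `MissingSettings`, `RequireSetting` and `ConfigureGoogleAuth` names are hypothetical.

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using Owin;

namespace WebApp // hypothetical namespace; use the project's own
{
    public partial class Startup
    {
        // Key names taken from the AppSettingsSecrets.config shown in the post.
        private static readonly string[] RequiredKeys =
        {
            "mailAccount", "mailPassword", "TwilioSid", "TwilioToken",
            "TwilioFromPhone", "GoogClientID", "GoogClientSecret"
        };

        // Returns the names of required keys that are absent or empty.
        // Only names are returned, so the result is safe to log.
        private static IList<string> MissingSettings(IEnumerable<string> keys)
        {
            return keys
                .Where(k => string.IsNullOrWhiteSpace(ConfigurationManager.AppSettings[k]))
                .ToList();
        }

        // Reads one required key; fails at startup with the key name if it is not set.
        private static string RequireSetting(string key)
        {
            string value = ConfigurationManager.AppSettings[key];
            if (string.IsNullOrWhiteSpace(value))
                throw new ConfigurationErrorsException("Missing appSettings key: " + key);
            return value;
        }

        // Call from ConfigureAuth in place of the hard-coded UseGoogleAuthentication call.
        private static void ConfigureGoogleAuth(IAppBuilder app)
        {
            IList<string> missing = MissingSettings(RequiredKeys);
            if (missing.Count > 0)
                throw new ConfigurationErrorsException(
                    "Missing appSettings keys: " + string.Join(", ", missing));

            app.UseGoogleAuthentication(
                clientId: RequireSetting("GoogClientID"),
                clientSecret: RequireSetting("GoogClientSecret"));
        }
    }
}
```

Locally the values come from the external AppSettingsSecrets.config file; once deployed, the values entered under Application settings in the portal are what `ConfigurationManager.AppSettings` returns for the same keys.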