Skip to content

Added steps explaining token cache on distributed environment #195

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 30, 2019
Merged

Added steps explaining token cache on distributed environment #195

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
094a9be
Added steps explaining token cache on distributed environment
Oct 17, 2019
400e28d
Addressed PR reviews
Oct 23, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
79 changes: 78 additions & 1 deletion 6-Deploy-to-Azure/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,84 @@ In the left-hand navigation pane, select the **Azure Active Directory** service,

Secure key management is essential to protect data in the cloud. Use [Azure Key Vault](https://azure.microsoft.com/en-ca/services/key-vault/) to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs).

You can follow [this sample](https://github.com/Azure-Samples/app-service-msi-keyvault-dotnet) as a guide on how to use Azure KeyVault from App Service with Managed Service Identity (MSI).
Use [this sample](https://github.com/Azure-Samples/app-service-msi-keyvault-dotnet) as a guide on how to use Azure Key Vault from App Service with Managed Service Identity (MSI).

## MSAL token cache on distributed environments

The samples in this tutorial have their token cache providers configured for apps running on a single machine. On a production environment, these apps could be deployed in many machines for scalability purpose, so the token cache provider needs to be configured accordingly for this distributed architecture.

These are the necessary changes for each cache provider option:

### In memory

If you want to use in memory cache, use this configuration on `Startup.cs`:

```csharp
services.AddDistributedTokenCaches()
.AddDistributedMemoryCache();
```

### Redis

If you want to use a distributed Redis cache, use this configuration on `Startup.cs`:

```csharp
services.AddDistributedTokenCaches()
.AddStackExchangeRedisCache(options =>
{
options.Configuration = "<your_redis_primary_connection_string_here>";
options.InstanceName = "<your_redis_instance_name>";
});
```

### SQL Server

There are two options for distributed SQL cache:

- [using .Net Core distributed cache extensions](https://docs.microsoft.com/en-us/aspnet/core/performance/caching/distributed?view=aspnetcore-2.2)
- [configuring DataProtection for distributed environments](https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-2.2)

#### If you want to use .Net Core distributed cache extensions

Create the cache database by running the CLI (change the parameters according to your configurations)

```csharp
dotnet sql-cache create "<your DB connection string>" dbo <cacheTableName>
```

Then use this configuration on `Startup.cs`:

```csharp
services.AddDistributedTokenCaches()
.AddDistributedSqlServerCache(options =>
{
options.ConnectionString = "<your_sql_connection_string_here>";
options.SchemaName = "dbo";
options.TableName = "<your_cache_table_name_here>";
});
```

#### If you want to configure `DataProtection` for distributed environments

You have to configure the key ring storage to a centralized location. It could be in [Azure Key Vault](https://azure.microsoft.com/services/key-vault/) or on a [UNC share](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsc/149a3039-98ce-491a-9268-2f5ddef08192).

> **Note**: If you change the key persistence location, the system no longer automatically encrypts keys at rest. It is recommended that you use one of the ProtectKeysWith* methods listed [in this doc](https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-2.2).

For Azure Key Vault, configure the system with [PersistKeysToAzureBlobStorage](https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.dataprotection.azuredataprotectionbuilderextensions.persistkeystoazureblobstorage?view=aspnetcore-2.2) (also consider using [ProtectKeysWithAzureKeyVault](https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.dataprotection.azuredataprotectionbuilderextensions.protectkeyswithazurekeyvault)) in the `Startup` class:

```csharp
services.AddDataProtection()
.PersistKeysToAzureBlobStorage("<storage account connection or uri>");
```

> **Note**: Your app must have **Unwrap Key** and **Wrap Key** permissions to the Azure Key Vault.

For UNC share, configure the system with [PersistKeysToFileSystem](https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.dataprotection.dataprotectionbuilderextensions.persistkeystofilesystem) (also consider using [ProtectKeysWithCertificate](https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.dataprotection.dataprotectionbuilderextensions.protectkeyswithcertificate?view=aspnetcore-2.2)) in the `Startup` class:

```csharp
services.AddDataProtection()
.PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\"));
```

## Community Help and Support

Expand Down