azure-sdk-for-net: KeyVault fails on .Net Framework 4.7
Code that works on .Net Framework 4.61 fails on .Net Framework 4.7
To Repro:
packages: Microsoft.Extensions.Configuration.1.1.2 Microsoft.Extensions.Configuration.AzureKeyVault.1.0.2
namespace ConsoleApp1
{
    using System;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.Extensions.Configuration;

    class Program
    {
        static void Main(string[] args)
        {
            X509Certificate2 clientCertificate;
            X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            try
            {
                store.Open(OpenFlags.ReadOnly);
                var certificates = store.Certificates.Find(X509FindType.FindByThumbprint, "SOME_THUMBPRINT", false);
                clientCertificate = certificates[0];
            }
            finally
            {
                store.Close();
            }

            var builder = new ConfigurationBuilder()
                .AddAzureKeyVault("https://YOUR_VAULT.vault.azure.net/", "CLIENT_ID", clientCertificate);
            builder.Build(); // Exception happens here

            Console.WriteLine("Done!");
            Console.ReadLine();
        }
    }
}
Simplified exception stacktrace
Exception: Object reference not set to an instance of an object.
at Microsoft.IdentityModel.Clients.ActiveDirectory.CryptographyHelper.GetCryptoProviderForSha256(RSACryptoServiceProvider rsaProvider)
at Microsoft.IdentityModel.Clients.ActiveDirectory.CryptographyHelper.SignWithCertificate(String message, X509Certificate2 certificate)
at Microsoft.IdentityModel.Clients.ActiveDirectory.ClientAssertionCertificate.Sign(String message)
at Microsoft.IdentityModel.Clients.ActiveDirectory.JsonWebToken.Sign(IClientAssertionCertificate credential)
at Microsoft.IdentityModel.Clients.ActiveDirectory.ClientKey.AddToParameters(IDictionary`2 parameters)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.<SendTokenRequestAsync>d__64.MoveNext()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.<RunAsync>d__55.MoveNext()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenForClientCommonAsync>d__49.MoveNext()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenAsync>d__27.MoveNext()
at Microsoft.Extensions.Configuration.AzureKeyVaultConfigurationExtensions.<GetTokenFromClientCertificate>d__5.MoveNext()
at Microsoft.Azure.KeyVault.KeyVaultCredential.<PostAuthenticate>d__9.MoveNext()
at Microsoft.Azure.KeyVault.KeyVaultCredential.<ProcessHttpRequestAsync>d__10.MoveNext()
at Microsoft.Azure.KeyVault.KeyVaultClient.<GetSecretsWithHttpMessagesAsync>d__66.MoveNext()
at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<GetSecretsAsync>d__49.MoveNext()
at Microsoft.Extensions.Configuration.AzureKeyVault.AzureKeyVaultConfigurationProvider.<LoadAsync>d__5.MoveNext()
at Microsoft.Extensions.Configuration.AzureKeyVault.AzureKeyVaultConfigurationProvider.Load()
at Microsoft.Extensions.Configuration.ConfigurationRoot..ctor(IList`1 providers)
at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build()
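The innermost frames above (SignWithCertificate -> GetCryptoProviderForSha256) are the RS256 signing of the client assertion. The following is an added diagnostic, not code from the issue or from the SDK, that performs that same SHA-256 sign/verify with the certificate's private key directly, with no ADAL or Key Vault dependency, so a missing or non-RSA key can be told apart from a library problem. The thumbprint is a placeholder you supply; it assumes .NET Framework 4.6 or later for GetRSAPrivateKey and HashAlgorithmName.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added diagnostic (not part of the original issue): isolates the client-assertion
// signing step that the stack trace shows failing inside ADAL.
static class CertSigningCheck
{
    // Returns a human-readable verdict for the certificate with the given thumbprint.
    public static string Check(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        try
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0)
                return "No certificate with that thumbprint in CurrentUser\\My (the repro would throw IndexOutOfRange here).";

            var cert = found[0];
            if (!cert.HasPrivateKey)
                return "Certificate has no private key; a client assertion cannot be signed with it.";

            // GetRSAPrivateKey returns the key through whichever provider actually holds it:
            // RSACryptoServiceProvider (CAPI) or RSACng (CNG). The concrete type is reported so
            // it can be compared with the RSACryptoServiceProvider parameter in the failing frame.
            using (RSA rsa = cert.GetRSAPrivateKey())
            {
                if (rsa == null)
                    return "Private key is not RSA; the client assertion needs an RSA key.";

                byte[] payload = Encoding.UTF8.GetBytes("constructed test message"); // constructed input
                byte[] sig = rsa.SignData(payload, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                bool ok = rsa.VerifyData(payload, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

                return string.Format("Key provider: {0}; RS256 sign/verify {1}; {2}-byte signature.",
                    rsa.GetType().Name, ok ? "succeeded" : "FAILED", sig.Length);
            }
        }
        finally
        {
            store.Close();
        }
    }

    static void Main()
    {
        Console.WriteLine(Check("SOME_THUMBPRINT")); // placeholder: use the real thumbprint
    }
}
```

If this reports a successful sign/verify but Build() still throws, the certificate and key are usable and the failure lies in the library's handling of them, which is what the package-version workaround in the comments addresses.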
About this issue
- State: closed
- Created 7 years ago
- Reactions: 3
- Comments: 18 (5 by maintainers)
OK so there is a fairly simple workaround for this; not completely elegant, but pragmatic.

I added to my project an explicit nuget package reference to a later minor version of Microsoft.IdentityModel.Clients.ActiveDirectory and this issue went away. So instead of the default nested reference of 3.14.2, the project specifies 3.19.8 and all is good. You can see by browsing the nested dependencies that this later version is substituted there also. If anyone thinks there is risk with this please do register your thoughts.
Is there anything blocking progress on this issue? If I understand correctly, Microsoft.Azure.Services.AppAuthentication must reference a newer version of Microsoft.IdentityModel.Clients.ActiveDirectory, and Microsoft.Extensions.Configuration.AzureKeyVault must reference the new version of Microsoft.Azure.Services.AppAuthentication?

Team, are you going to update the package to reference the version of the Microsoft.IdentityModel.Clients.ActiveDirectory package where the bug was fixed? In some scenarios when you don't control the host application (e.g. an Azure Functions compiled library), adding a different version of Microsoft.IdentityModel.Clients.ActiveDirectory is not possible because no binding redirects are generated, so the runtime tries to find the exact package version which was referenced by the KeyVault package.