extensions: KeyVault 2.2 nuget: Could not load file or assembly 'Microsoft.IdentityModel.Clients.ActiveDirectory.Platform'

I don’t think that’s an option for me as I’m running on dotnet core 3.1 and the 3.14.2 DLL isn’t compatible with that from what I understand.

Moreover, I’m interested in a response from the ASPNet team on the proper fix for this.

Just ran into this as well. The problem is sinister because .Platform it isn’t listed as a direct dependency of anything other than AppAuth. However, forcing AppAuth to 1.4 doesn’t help as something in the configuration extensions IS referencing platform without stating it’s dependency as direct.

Even if this wasn’t breaking, this should be fixed to help customers align various dependency chains where possible.

https://www.nuget.org/packages/Microsoft.Azure.Services.AppAuthentication/1.4.0 has been released

Can we get an update on when Microsoft.Extensions.Configuration.AzureKeyVault will be modified to use it?

I am seeing the same issue with 3.1.1 on netCore3.1. I am trying to build with following references.

<PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="3.1.1" />
<PackageReference Include="Microsoft.ServiceFabric.AspNetCore.Kestrel" Version="4.0.464" />
<PackageReference Include="Microsoft.Bot.Builder.Integration.AspNet.Core" Version="4.7.2" />
<PackageReference Include="Microsoft.Extensions.Configuration.AzureKeyVault" Version="3.1.1" />

We’ve got a complete update to our Azure Integration packages like this (as well as DataProtection) coming soon (as part of the 3.1 series of packages). The newer Azure SDK packages include breaking changes so these will be introduced as new packages rather than an update to the existing ones. However, the API is the same (the “breaking change” is that they bring in the new Azure SDK, which may be breaking to your app if you are using the SDK directly somewhere).

FYI: The 2.2 packages are end-of-life and 3.0 is not far behind it. I’d suggest moving to 3.1 when these new packages are released (I’ll update this thread when that happens). See the full .NET Core support policy for more information.

Same issue as @dotnetcanuck and @Mdub28. Using a certificate to authorize with key vault. Found that using client secret works, but that’s not really a solution, at best a temporary fix if the cert issue is getting fixed.

Anyways, implementing the keyvault client your self seems to work fine…

public class ShitfixKeyVaultClient : KeyVaultClient
{
    private static readonly TokenCache tokenCache = new TokenCache();
    private static Dictionary<string,X509Certificate2> certificates = new Dictionary<string, X509Certificate2>();

    public ShitfixKeyVaultClient(string clientId, string thumbprint) 
        : base((authority, resource, scope) => GetAccessTokenAsync(clientId, thumbprint, authority, resource, scope))
    {
    }

    public static async Task<string> GetAccessTokenAsync(string clientId, string thumbprint, string authority, string resource, string scope)
    {
        var pfx = FindCertificateByThumbprint(thumbprint, StoreLocation.CurrentUser);

        AuthenticationContext authContext = new AuthenticationContext(authority, tokenCache);
        var credentials = new ClientAssertionCertificate(clientId, pfx);
        var authToken = await authContext.AcquireTokenAsync(resource, credentials);
        return authToken.AccessToken;
    }

    private static X509Certificate2 FindCertificateByThumbprint(string findValue, StoreLocation location)
    {
        if (certificates.ContainsKey(findValue))
            return certificates[findValue];

        X509Store store = new X509Store(StoreName.My, location);
        try
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindByThumbprint, findValue, false);
            if (col == null || col.Count == 0)
                return null;

            certificates[findValue] = col[0];
            return col[0];
        }
        finally
        {
            store.Close();
        }
    }
}

And can be used like

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureAppConfiguration((ctx, configBuilder) =>
        {
            var config = configBuilder.Build();
            var client = new ShitfixKeyVaultClient(config["AzureAd:ClientId"], config["AzureAd:CertThumprint"]);
            configBuilder.AddAzureKeyVault("https://myvault.vault.azure.net", client, new DefaultKeyVaultSecretManager());
        })
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseStartup<Startup>();
        });

Probably gonne be a better way to do this, but after a day of 🤔 😕 😖 😭 😠 🤔 i’m not gonne spend more time on this 😛

@Pilchie Regarding the last few comments, is this something we should update? (I believe I only sent the PR last time while helping Nate get things working.)

@MattSFT This is still an issue even with using AppAuth v1.3.0. Regardless of which version of AppAuth I use, Microsoft.Extensions.Configuration.AzureKeyVault requires Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll to exist. In fact, for my app using cert auth into keyvault, AppAuth isn’t even being used and the reference to Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll seems to be directly from AzureKeyVault. I was able to get my app to work by manually including the missing dll, without having to reference AppAuth at all. Seems like this is an issue that needs to be fixed with AzureKeyVault as it has an implicit dependency on Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll and one that is outdated as the dll is no longer packaged in later versions. If any other dependency requires higher version of ActiveDirectory, then you will be unable to run your app without manually referencing a downloaded Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll.

My code usage:

        return WebHost.CreateDefaultBuilder(args)
           .UseSetting(WebHostDefaults.DetailedErrorsKey, "true")
           .ConfigureAppConfiguration((context, builder) =>
           {
               builder.AddDMServiceConfiguration(context);
               var builtConfig = builder.Build();
               using (var store = new X509Store(StoreName.My,StoreLocation.CurrentUser))
               {
                   store.Open(OpenFlags.ReadOnly);
                   var certs = store.Certificates
                       .Find(X509FindType.FindByThumbprint, builtConfig["ApplicationIdentity:CertThumbprint"], false);

                   builder.AddAzureKeyVault(
                       $"https://{builtConfig["KeyVault:Name"]}.vault.azure.net/",
                       builtConfig["ApplicationIdentity:AppId"],
                       certs.OfType<X509Certificate2>().Single());

                   store.Close();
               }
           })
           .ConfigureServices((context, serviceCollection) =>
           {
               serviceCollection.AddDMLogging(context);
           });