Let's say my WEBSITE_AUTH_SIGNING_KEY was compromised.
Is there a way to generate a new one?
I tried going to Kudu, opening the console and typing set WEBSITE_AUTH_SIGNING_KEY = new key. It works, but as soon as the site is restarted it goes back to the original value.
Edit:
I also tried with:
    app.UseAppServiceAuthentication(new AppServiceAuthenticationOptions
    {
        SigningKey = ConfigurationManager.AppSettings["SigningKey"],
        ValidAudiences = new[] { ConfigurationManager.AppSettings["ValidAudience"] },
        ValidIssuers = new[] { ConfigurationManager.AppSettings["ValidIssuer"] },
        TokenHandler = config.GetAppServiceTokenHandler()
    });
This seems to work (I don't know if it is the correct way of doing it). But for Facebook authentication (the endpoint /.auth/login/facebook) it does not use my custom key or valid audience or anything; it uses the defaults and I can't change them. This seems like a bug in Azure maybe, which is very annoying and makes the whole thing pretty useless if it can't be changed.
Thanks
According to your description, you have:
tried going to Kudu, opening the console and typing set WEBSITE_AUTH_SIGNING_KEY = new key
But have you replaced the configuration setting in your portal? Please try to change the WEBSITE_AUTH_SIGNING_KEY setting in your Azure Mobile Apps portal.
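What a key rotation has to achieve, as an added example that is not part of the original question or answer and is not Azure's code: a token signed with the compromised key must stop validating once the new key is in place. It assumes HS256-signed JWTs keyed by a hex-encoded secret; the function names, issuer and audience values are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

def new_signing_key() -> str:
    """Fresh 256-bit key from the OS CSPRNG, hex-encoded (assumed storage format)."""
    return secrets.token_hex(32)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input: str, key_hex: str) -> bytes:
    return hmac.new(bytes.fromhex(key_hex), signing_input.encode(), hashlib.sha256).digest()

def sign_token(claims: dict, key_hex: str) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(_mac(header + '.' + payload, key_hex))}"

def verify_token(token: str, key_hex: str, audience: str, issuer: str):
    """Return the claims if the token is valid under key_hex, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm, never let the token pick it
        return None
    expected = _mac(header_b64 + "." + payload_b64, key_hex)
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        return None
    if claims.get("aud") != audience or claims.get("iss") != issuer:
        return None
    if claims.get("exp", 0) <= time.time():
        return None
    return claims

def rotation_demo():
    """Constructed sample: one token checked against the old key, then the new one."""
    aud, iss = "https://example.invalid/", "https://example.invalid/"
    old_key, new_key = new_signing_key(), new_signing_key()
    claims = {"sub": "sid:constructed-user", "aud": aud, "iss": iss,
              "exp": int(time.time()) + 3600}
    token = sign_token(claims, old_key)
    return (verify_token(token, old_key, aud, iss) is not None,
            verify_token(token, new_key, aud, iss) is not None)

if __name__ == "__main__":
    print(rotation_demo())
```

Every token issued before the rotation fails the signature check afterwards, so legitimate clients have to log in again.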