CustomProvider CreateManagedServiceIdentityTokenProvider

JKeet · March 11, 2020, 11:47am

Dear,

We don’t want to use credentials in the connectionstring any more so we are looking in to use a custom token provider. In the endpointConfiguration I add a CustomTokenProvider:

var tokenProvider = TokenProvider.CreateManagedServiceIdentityTokenProvider();
endpointConfiguration.Transport.CustomTokenProvider(tokenProvider);

I added the application identity to bij service bus credentials.

But i get the following error:
[11/03/2020 11:40:45] A host error has occurred during startup operation ‘GUID’.
[11/03/2020 11:40:45] Microsoft.Azure.ServiceBus: Value cannot be null.
[11/03/2020 11:40:45] Parameter name: ServiceBusConnection doesn’t have a valid token provider.

Is there something that i miss? Or is there more documentation how to use the CustomTokenProvider?

Thank you in advance

John

SeanFeldman · March 11, 2020, 6:47pm

Hi John,

What’s the connection string you’re providing the transport with?
Please mask sensitive information.

JKeet · March 12, 2020, 7:41am

Hallo Sean,

Endpoint=sb://----.-----.servicebus.windows.net/

Thank you for your reply

SeanFeldman · March 12, 2020, 8:24am

There are different token providers. Without specifying via connection string which one do you want to use, the underlying SDK will attempt to use SAS token.

It should be Endpoint=sb://----.-----.servicebus.windows.net/;Authentication=Managed Identity.

JKeet · March 12, 2020, 11:08am

Now i’m getting
Value cannot be null.
Parameter name: provider

JKeet · March 12, 2020, 1:04pm

Ok, but then this is not the security what i’m looking for. I want to use the management identity in azure so we don’t have to use any token in the connections strings.

using Microsoft.Azure.ServiceBus.Primitives

transport.CustomTokenProvider(TokenProvider.CreateManagedServiceIdentityTokenProvider());

Will not work then.

SeanFeldman · March 12, 2020, 6:59pm

UPDATE: see more detailed reply here.

I might have not been clear on this.

You do not need any SAS tokens, keys, or anything else. Your connection string indicates what namespace you’re using and specifying that the authentication to use is Managed Identity. The token provider still needs to be registered and that’s TokenProvider.CreateManagedServiceIdentityTokenProvider(). With those two it works.

How do you validate it doesn’t work? Where do you run it?

markgould · March 12, 2020, 4:25pm

I use it like this and it works great:

transport.CustomTokenProvider(TokenProvider.CreateManagedIdentityTokenProvider());

Connection string: Endpoint=sb://*****.servicebus.windows.net/

I also have a reference to Microsoft.Azure.Services.AppAuthentication

SeanFeldman · March 12, 2020, 8:54pm

Let me clarify.

There’s no need to include the reference to Microsoft.Azure.Services.AppAuthentication. It’s a dependency for Azure Service Bus SDK/client which is transitively brought into your project when the ASB transport is used.

The combination of the connection string (w/o key and token) and a specified TokenProvider should work.

The connection string with the Authentication=Managed Identity part is necessary when the application is compiled to work with the ASB transport that is configured using connection string only and the code cannot be updated and redeployed (ServiceControl for example).

To sum it up, there are two options:

Use connection string and specify the authentication option in the connection string.
Provide the connection string with the namespace FQDN and in the code register a token provider.

Hope that clarifies this.