Configuring ASP.NET Core Data Protection to a Service rather than a DB?

  • Question

  • User100248066 posted

    The environment in question is the classical setup where the website is in a DMZ and can only talk to RESTful web services behind the DMZ.  Add to that, the DB is NOT MS SQL, it is Oracle.  Are there any HOWTOs out there on configuring ASP.NET Core Data Protection to use a service and what that service needs to do?

    Another way to put it, in the terms used on the Configure ASP.NET Core Data Protection page: how does one create a custom ProtectKeysWith* where the * is a service (as compared to file system, AzureKeyVault, or the other built-in options)?

    Tuesday, April 20, 2021 8:55 PM

All replies

  • User100248066 posted

    So with no replies in 16 hours, I am digging deeper into the code and uncovering some interesting things which are starting to give me a path to do what I want, I think...  I would love to get a second opinion on it:

    When wiring up the Data Protection, it requires a DB Context that MUST implement IDataProtectionKeyContext.  The interface requires a DbSet<DataProtectionKey> DataProtectionKeys { get; }.  This fact leads me to think the best solution is to actually implement a custom Entity Framework Data Provider that hits a service rather than a DB for this one case.

    Generally speaking it seems like a lot of work to create a custom Data Provider, but considering how little it will need to do... I am thinking it won't be too hard.  Any thoughts?

    Wednesday, April 21, 2021 1:12 PM
  • User475983607 posted

    Do you want the key store behind the web service?  If you are using Entity Framework code first then follow the docs to configure the key store and create a migration.  Or use XML.


    If you take a look at the key storage provider docs, it illustrates that you can create a custom key repository by implementing two methods: IXmlRepository.GetAllElements and IXmlRepository.StoreElement(XElement, String).


    Create a service on the UI side that implements the two methods.  You'll create similar Web API actions.  Design the client service to call the Web API URLs of the same name.

    However, I do not understand the actual problem you are trying to solve.  Where do you need the protection?  On the Web Application?   If so, what are you protecting?

    Wednesday, April 21, 2021 2:48 PM
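
A sketch of the client side of the approach in the reply above: an `IXmlRepository` whose two methods call an internal web API. This is an added example, not code from the thread or from the ASP.NET Core project; the `keys` route, the `<keys>` wrapper document, the `dp-keys` client name and the `HttpXmlRepository` / `AddServiceBackedKeys` names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Text;
using System.Xml.Linq;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.AspNetCore.DataProtection.Repositories;
using Microsoft.Extensions.DependencyInjection;

// Key repository that forwards both IXmlRepository calls to a web API behind the DMZ.
public sealed class HttpXmlRepository : IXmlRepository
{
    private readonly HttpClient _http; // BaseAddress = internal key service (assumed)

    public HttpXmlRepository(HttpClient http) => _http = http;

    // Assumed contract: GET keys returns a <keys> root wrapping every stored element.
    public IReadOnlyCollection<XElement> GetAllElements()
    {
        // The interface is synchronous, so block on the async call.
        var xml = _http.GetStringAsync("keys").GetAwaiter().GetResult();
        return XDocument.Parse(xml).Root!.Elements().ToList();
    }

    // Assumed contract: POST keys?friendlyName=... with one element as the body.
    public void StoreElement(XElement element, string friendlyName)
    {
        var url = "keys?friendlyName=" + Uri.EscapeDataString(friendlyName ?? "");
        using var body = new StringContent(
            element.ToString(SaveOptions.DisableFormatting), Encoding.UTF8, "application/xml");
        // Throw on failure so a key that was not persisted is never treated as stored.
        _http.PostAsync(url, body).GetAwaiter().GetResult().EnsureSuccessStatusCode();
    }
}

public static class KeyServiceRegistration
{
    public static IServiceCollection AddServiceBackedKeys(this IServiceCollection services, Uri keyService)
    {
        services.AddHttpClient("dp-keys", c => c.BaseAddress = keyService);
        services.AddDataProtection(); // chain a ProtectKeysWith* call here so keys leave the DMZ encrypted
        services.AddOptions<KeyManagementOptions>().Configure<IHttpClientFactory>(
            (o, f) => o.XmlRepository = new HttpXmlRepository(f.CreateClient("dp-keys")));
        return services;
    }
}
```

The repository only covers where keys are persisted; whether the XML it sends contains encrypted key material depends on the `ProtectKeysWith*` configuration, which is applied before `StoreElement` is called. The key service endpoint should be reachable only over TLS and should authenticate the web application, since anything that can read or write it controls the key ring.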