
Dealing with secrets in ASP .NET Core

Daj się poznać

This is a short post to complement my post about the configuration in ASP .NET Core. I’ll write about how to add secret settings to your application. ASP .NET Core created a new concept to deal with this. The first thing I did was to add this to the dependencies in project.json:

"Microsoft.Extensions.Configuration.UserSecrets": "1.0.0-rc1-final"

Then inside the constructor of the Startup class I added:

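if (env.IsDevelopment())
    builder.AddUserSecrets(); // builder: the ConfigurationBuilder created in this constructor (variable name assumed)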

Then I added something like this to project.json:

  "userSecretsId": "idsrv-demo",

This is an ID for the secret storage of your application.

Next, I installed the latest version of the runtime and set the alias to point at it, all in one command. The command was:

dnvm upgrade

The next step was adding a global command user-secret by executing the following command:

dnu commands install Microsoft.Extensions.SecretManager

As a result, I can add secret settings with commands like this:

 user-secret set GoogleIdentityProvider:ClientId "342665198077-2lb7ai2oljrojkia5ob4e4kf0rnkeo33.apps.googleusercontent.com"

In this command, GoogleIdentityProvider:ClientId is a hierarchical key for the setting where the hierarchy is built by the colon. You can see all your secret settings with the command user-secret list executed in the root folder of the project.

I just want to point out that I did everything on Linux. However, on Windows, other than using this option, you can also add secret settings from Visual Studio by right-clicking on the project and then clicking on Manage User Secrets, and then you can edit the file secrets.json, which contains all your secret settings assigned to this project.

Manage User Secrets

A good practice is to put all the secret settings somewhere so the other project participants can find out what they should also provide. I added a whole section of my secrets to the file appsettings.json so it looked like this:


All you have to do when working with Visual Studio is copy this section to secrets.json and then provide the correct settings. I could do it even better by putting this secret settings structure in a separate file so it would be more obvious which part of the settings is secret.
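The practice above can be checked mechanically. This is an added example, not code from the original post: it flattens both files into the colon-separated keys described earlier, then reports which keys of the secret section are still missing from secrets.json and which ones carry a real value in appsettings.json. It assumes placeholders are empty strings and that secrets.json may hold either flat or nested keys; the file contents and the ClientSecret key are constructed for illustration.

```python
import json

# Constructed sample files. ClientSecret is an assumed key, not taken from the post.
TEMPLATE = '''{
  "Logging": {"LogLevel": "Information"},
  "GoogleIdentityProvider": {"ClientId": "", "ClientSecret": ""}
}'''
# Assumption: the secret tool writes flat colon keys; a hand-edited file may nest them.
SECRETS = '{"GoogleIdentityProvider:ClientId": "constructed-client-id"}'


def flatten(node, prefix=""):
    """Flatten JSON into colon-separated configuration keys."""
    if isinstance(node, dict):
        items = node.items()
    elif isinstance(node, list):
        items = enumerate(node)  # array elements are keyed by their index
    else:
        return {prefix: node}
    flat = {}
    for key, value in items:
        flat.update(flatten(value, f"{prefix}:{key}" if prefix else str(key)))
    return flat


def section_keys(template_json, section):
    """Flattened template entries that belong to the given secret section."""
    flat = flatten(json.loads(template_json))
    head = section.lower() + ":"
    return {k: v for k, v in flat.items() if k.lower().startswith(head)}


def missing_secrets(template_json, secrets_json, section):
    """Template keys that have no non-empty value in secrets.json."""
    # Configuration keys are case-insensitive, so compare in lower case.
    secrets = {k.lower(): v for k, v in flatten(json.loads(secrets_json)).items()}
    return sorted(k for k in section_keys(template_json, section)
                  if not secrets.get(k.lower()))


def committed_values(template_json, section):
    """Template keys holding a real value, which would end up in source control."""
    return sorted(k for k, v in section_keys(template_json, section).items() if v)


if __name__ == "__main__":
    print("missing:", missing_secrets(TEMPLATE, SECRETS, "GoogleIdentityProvider"))
    print("committed:", committed_values(TEMPLATE, "GoogleIdentityProvider"))
```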

In this post, I have written about how I provide secret settings for my application, and in the next post I will write about how I use these settings to authenticate a user using Google Identity Provider from IdentityServer4.
