Contest: Find the secret value in a Business Central app
kauffmann.nl/2020/01/23/cont…
#MSDyn365BC
If the secret is in the app, why not insert the secret directly into the source code at compilation time, done by a pipeline? The secret could reside in an Azure Key Vault...
Because secrets don't belong in code, in my opinion. This was perfectly explained by @RockClimber81 in his blog post navrockclimber.github.io/sec…
I agree, and the idea is not to put the secret in the code during development but at the moment you compile the app (by injecting the secret into a non-debuggable procedure). It is like signing your app before publishing: you let a pipeline do that. Just an idea...
Seems not really different to me than having it in a navx in the app file: in both cases the key is compromised if you get the app file, and you need to update the app to distribute a new key, isn't it?
Putting it in a Navx file was an experiment. Next to what I wrote in my blog, the big problems are: what do you do if your key gets compromised? How do you update the keys and customers? I lay down a few requirements towards keys/secrets in this blog post: navrockclimber.github.io/htm…
My idea, in short, is that the secret in the navxdata file is used as a one-time key. It should be exchanged for an access key that will give access to an Azure Key Vault. That's where the real secrets should be stored. The initial key was needed to prove that it is your app.
Not totally sure of the context of this, but have you at least read the OAuth docs around this exact problem?
tools.ietf.org/html/rfc6819#…
That's the reason OAuth uses a different flow for native apps and SPAs. I'll be curious to see your blog post!
Jan 25, 2020 · 4:35 PM UTC