Setting MachineKey via app settings

Question

We have an .NET 4.5.x oss application that we are deploying to azure websites using git deploy. We have a build server that commits the artifacts to a git repo and then we use it to git deploy. We use app settings in azure to control everything. However, I'm running into roadblocks finding a way to set the machine key via app settings / environmental variables. Anyone else run into this issue and solve it?

P.S., It seems the only thing that uses the machineKey in our app is SignalR... I wonder if there is a safe and secure way to replace IProtectData without using the machine key to generate tokens.

Azure website, it doesn't really matter tho, I just want to be able to configure this via app setting or environment variable. — Blake Niemyjski, Jul 14 '15 at 14:00
Is setting it in the `web.config` not workable for you? As in, do you expect this value to change, or can it be set once? — Brendan Green, Jul 14 '15 at 21:21
I don't want to set any secure value in my repo that may be public or exposed to the public (even if my artifacts repo is private, the artifacts content is still pushed to the public in zip form)... We are 100% open source company so everything we do is in the open. — Blake Niemyjski, Jul 15 '15 at 21:47

score 2 · Accepted Answer · edited May 23 '17 at 12:32

Like you I wanted to be able to set the machine keys but not commit them to the web.config which goes into source control and becomes a security risk, and be able to use the same per-environment config system we use with AppSettings. I did find a solution to this, though it's a bit ugly as it uses reflection to manipulate the MachineKeySection configuration.

var getter = typeof(MachineKeySection).GetMethod("GetApplicationConfig", BindingFlags.Static | BindingFlags.NonPublic);
var config = (MachineKeySection)getter.Invoke(null, Array.Empty<object>());

var readOnlyField = typeof(ConfigurationElement).GetField("_bReadOnly", BindingFlags.Instance | BindingFlags.NonPublic);
readOnlyField.SetValue(config, false);

config.DecryptionKey = myKeys.EncryptionKey;
config.ValidationKey = myKeys.ValidationKey;

readOnlyField.SetValue(config, true);

I also wanted to be able to, if at all possible, extract and use the current machine keys on the production server, so as to not have to forcibly log off all our currently logged in users. I ended up doing something very similar to this answer, which also uses reflection.

Full solution: https://gist.github.com/cmcnab/d2bbed02eb429098ed3656a0729ee40a

I used this solution to setup an aspnet core webapi wich serves forms authentication in a will be deprecated version of the api... Thanks for this solution ! — Dreeco, Mar 14 '19 at 09:32

Setting MachineKey via app settings

1 Answers1