Introduction
I have an ASP.NET Core 2.2 web application with a third-party authorization/authentication service to handle a private key.
I am attempting to keep the private key out of source control and using a global environment variable set on my computer that contains the private key value.
But it would appear it is not working even though I can see its value output into the path variable when I enter the command “path” into the CLI. I have gone through so many articles about hiding a private key via a global Windows environment variable but they’re all to do with Node.js apps. I suspect the problem lies on the client.
Steps to reproduce
To summarise the steps:
- OPTIONAL Create an Auth0 account and use their quickstart if you want for ASP.NET Core v2.1. And once you have downloaded the app, copy the Client Secret value to clipboard.
- Type into your start menu search bar “Edit environment variables for your account” and select that option when it appears.
- Add new variable called AUTH0_CLIENT_SECRET which will be for our private key.
- Swap this made up private key value…
  "ClientSecret": "78y9t3287UYIG32e3redfe"
  For the global environment variable we created in the Environment Variables window.
  "ClientSecret": "{AUTH0_CLIENT_SECRET}"
Expected behaviour
I can authorize my user like I always have been able to sign into the application.
Actual behaviour
The moment I sign in I will get this error.
Message contains error: 'access_denied', error_description: 'Unauthorized', error_uri: 'error_uri is null', status code '401'.
Environment data
Version: 2.2.6
Runtime Environment:
OS Name: Windows
OS Version: 10.0.18363
OS Platform: Windows
RID: win10-x64
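
A check for the setup described in the steps above, as an added example that is not part of the original post: it builds the configuration the way ASP.NET Core layers providers and reports whether the client secret resolved to a real value or is still the literal placeholder text. Assumptions: the key path `Auth0:ClientSecret`, an in-memory dictionary standing in for appsettings.json, and a constructed sample secret set for the current process only.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Extensions.Configuration;

public static class SecretConfigCheck
{
    // Assumed key path; adjust to wherever "ClientSecret" sits in your appsettings.json.
    const string Key = "Auth0:ClientSecret";

    // A missing value, or one still wrapped in braces, is not a usable secret.
    public static bool LooksLikePlaceholder(string value) =>
        string.IsNullOrWhiteSpace(value) ||
        (value.StartsWith("{") && value.EndsWith("}"));

    static IConfiguration Build(IDictionary<string, string> fileValues) =>
        new ConfigurationBuilder()
            .AddInMemoryCollection(fileValues)   // stand-in for appsettings.json
            .AddEnvironmentVariables()           // later providers override earlier ones
            .Build();

    static void Report(string label, string value)
    {
        // Report only the state and length, never the secret itself.
        var state = LooksLikePlaceholder(value)
            ? "placeholder, not resolved"
            : "resolved (" + value.Length + " chars)";
        Console.WriteLine($"{label}: {state}");
    }

    public static void Main()
    {
        // The JSON value from the steps above: a literal string, not a reference.
        var fileValues = new Dictionary<string, string> { [Key] = "{AUTH0_CLIENT_SECRET}" };

        // Case 1: the variable name from the post. The environment provider loads it
        // as its own key "AUTH0_CLIENT_SECRET"; nothing expands the braces in the JSON.
        Environment.SetEnvironmentVariable("AUTH0_CLIENT_SECRET", "constructed-sample-secret");
        Report("AUTH0_CLIENT_SECRET set", Build(fileValues)[Key]);

        // Case 2: a variable named after the key path, with "__" standing for ":".
        // The environment provider now overrides the JSON value for the same key.
        Environment.SetEnvironmentVariable("Auth0__ClientSecret", "constructed-sample-secret");
        Report("Auth0__ClientSecret set", Build(fileValues)[Key]);
    }
}
```

Running `LooksLikePlaceholder` against the configured value at startup makes a missing or unexpanded secret fail early instead of surfacing later as a 401 from the identity provider.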