SOLVED

How do I hide/encrypt connection strings or API keys in my web parts?

%3CLINGO-SUB%20id%3D%22lingo-sub-2663009%22%20slang%3D%22en-US%22%3EHow%20do%20I%20hide%20or%20encrypt%20connection%20strings%20or%20API%20keys%20in%20my%20web%20parts%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2663009%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20making%20API%20calls%20in%20my%20web%20parts%20to%20get%20information%20from%20other%20apps%20within%20our%20company.%20I%20am%20storing%20the%20API%20keys%20and%20connection%20strings%20(urls)%20to%20these%20APIs%20in%20a%20settings%20files%20but%20all%20of%20it%20can%20be%20viewed%20in%20plain%20text%20when%20I%20view%20the%20SharePoint%20site%20in%20the%20browser%20and%20look%20at%20the%20source%20code.%20Is%20there%20a%20way%20to%20hide%20this%20information%20from%20the%20user%3F%20Thanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2663870%22%20slang%3D%22en-US%22%3ERe%3A%20How%20do%20I%20hide%2Fencrypt%20connection%20strings%20or%20API%20keys%20in%20my%20web%20parts%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2663870%22%20slang%3D%22en-US%22%3EFor%20APIs%2C%20they%20should%20be%20secured%20with%20Azure%20AD%20and%20requests%20should%20be%20authenticated%20in%20order%20to%20reach%20the%20API%2C%20so%20should%20not%20be%20a%20problem%20if%20the%20API%20URL%20is%20discovered%20by%20users%20as%20they%20would%20still%20need%20to%20authenticate.%3CBR%20%2F%3ERegarding%20API%20keys%20for%20services%20that%20may%20not%20support%20authentication%2C%20I%20would%20recommend%20creating%20a%20simple%20API%20to%20handle%20all%20the%20user%20requests.%20Like%20above%2C%20API%20would%20be%20secured%20by%20Azure%20AD%20and%20receive%20only%20authenticated%20requests%20from%20users.%20The%20keys%20to%20the%20last%20API%20could%20be%20secured%20with%20KeyVault%20and%20retrieved%20by%20your%20API%20when%20needed%2C%20so%20all%20handled%20on%20the%20backend%20and%20never%20exposed%20in%20the%20browser%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20helps%3C%2FLINGO-BODY%3E
New Contributor

I am making API calls in my web parts to get information from other apps within our company (not hosted in SharePoint).  I am storing the API keys and connection strings (urls) to these APIs in a settings files but all of it can be viewed in plain text when I view the SharePoint site in the browser and look at the source code. The same goes for API keys that are required to use third party software in my web parts. Is there a way to hide this information from the user? Thanks.

3 Replies
best response confirmed by Juan Carlos González Martín (MVP)
Solution
For APIs, they should be secured with Azure AD and requests should be authenticated in order to reach the API, so should not be a problem if the API URL is discovered by users as they would still need to authenticate.
Regarding API keys for services that may not support authentication, I would recommend creating a simple API to handle all the user requests. Like above, API would be secured by Azure AD and receive only authenticated requests from users. The keys to the last API could be secured with KeyVault and retrieved by your API when needed, so all handled on the backend and never exposed in the browser

Hope this helps

@Joel Rodrigues Thanks for your response. I figured using the AadHttpClient was the way to go after doing some research. Do you know if it's possible to use the same app registration in Azure for multiple versions of the same API call? For example, I have DEV/QA/PROD versions of an API and they all use a different URL for the endpoint. For example, the QA one has "qa" at the beginning of the URL.

 

From what I've researched, when I create an app registration I have to use the endpoint URL (like qa.website.com/api) as the Application ID URI. If that's the case does that mean I have to create an app registration for DEV, QA, and PROD?

@kbeeveer46 happy to help

Regarding the app registration, yes, you can use the same app for multiple APIs. You can do this by using (for example) the default naming convention for the App ID URL (api://id_of_the_app) instead of the function URL. You just need to ensure that when you setup the API authentication, you allow that App ID URL to be an accepted audience and also use that same value as the audience when getting the tokens from SPFx.

 

If you use one app registration for each API, just make sure that you use the correct App ID URI when requesting the token and all should work the same.

 

I think the discussion on whether to use one single app or multiple is complex and I won't go into it :) I have used both approaches in the past for different projects and it really depends on a lot of things. I think that the recommendation is to use one app per resource whenever possible, but this is not always possible. For example I had clients refusing this and enforcing a single app registration to multiple resources because of their internal policies. Either way, technically both works :)