Remember to escape your DevOps Pipeline Variables

This post assumes you have some experience or understanding of Microsoft DevOps and how pipelines are set up.

This is an annoying issue I experienced recently while working with Pipelines, ADFS groups and permissions. The solution, or more like a gotcha, turned out to be a very simple but unexpected one.

A bit of background: the product I was building has a .NET Core API with Authorization Filters that check the user’s ADFS groups. The group names to be checked are saved in Key Vault secrets, and we use pipeline variables to override Key Vault on deployment. Pretty straightforward.

Now the group names are saved as [domain]\[group], something like the following:

And this is the code to get the settings value:

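protected string GetSetting(string settingName, string defaultValue, bool ignorePrefix = false)
{
    // Build the configuration key, optionally prefixed with _keyPrefix.
    string key = ignorePrefix
        ? settingName
        : $"{_keyPrefix}:{settingName}";
    // Environment variable first, then configuration, then the supplied default.
    return Environment.GetEnvironmentVariable($"APPSETTING_{key}") ??
        this._configuration.GetSection(key).Value ?? defaultValue;
}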

When you save string values from the DevOps UI, you kind of expect the backslash to be escaped properly for read and write, so that when you read the value from Key Vault, it is still evaluated correctly with the slash in the text.

But it isn’t. C# will interpret it as an escape character and try to escape the next character.
This was fine most of the time, until the “slash char” can actually be escaped to something else, like \t. So when you happen to have something like testDomain\twoGroups, the \t will be read in as a tab. And, as you probably guessed, your endpoint will always return 403, because you are now testing for the group “testDomain woGroups”.

The solution is simply to escape the \ at the end, but it was an annoying issue to discover. So next time, please do remember to escape your strings in the pipeline variables, as the integrating code may or may not interpret them properly.
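A startup check makes this failure visible at deployment instead of as a silent 403. The following is an added example, not code from the original post; `GroupSettingValidator` and `Validate` are hypothetical names, and the sample values are constructed from the testDomain\twoGroups case above.

```csharp
using System;

// Added example: fail-fast validation for group-name settings (hypothetical helper).
public static class GroupSettingValidator
{
    // Returns null when the value looks like domain\group, otherwise the reason it does not.
    public static string Validate(string value)
    {
        if (string.IsNullOrWhiteSpace(value))
            return "value is empty";

        // A tab, newline or other control character means an escape sequence
        // such as \t was expanded somewhere between the pipeline and the app.
        for (int i = 0; i < value.Length; i++)
        {
            if (char.IsControl(value[i]))
                return $"control character U+{(int)value[i]:X4} at index {i}";
        }

        // Exactly one backslash, with a non-empty domain and group on either side.
        // This also catches a value that was escaped twice.
        string[] parts = value.Split('\\');
        if (parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0)
            return "expected exactly one backslash separating domain and group";

        return null;
    }

    public static void Main()
    {
        // Constructed sample values. The verbatim literal (@"...") keeps the
        // backslash; the regular literal lets the compiler turn \t into a tab,
        // which reproduces the mangled group name described in the post.
        string intact = @"testDomain\twoGroups";
        string mangled = "testDomain\twoGroups";
        string doubled = @"testDomain\\twoGroups";

        foreach (string v in new[] { intact, mangled, doubled })
        {
            string problem = Validate(v);
            Console.WriteLine(problem == null ? $"OK      {v}" : $"REJECT  {problem}");
        }
    }
}
```

Calling a check like this on each group setting at startup, and refusing to start on a non-null result, keeps a mangled group name from reaching the authorization filter.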