Remove DataProtection configuration from Sidecar (#3776)

Agent-Logs-Url: https://github.com/AzureAD/microsoft-identity-web/sessions/bf35223d-645a-489b-9d64-3769b4a891af

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>
Co-authored-by: Bogdan Gavril <bogavril@microsoft.com>

Author: Copilot

src/Microsoft.Identity.Web.Sidecar/Program.cs

@@ -3,9 +3,7 @@
 
 using System.Diagnostics.CodeAnalysis;
 using System.IdentityModel.Tokens.Jwt;
-using System.Security.Cryptography.X509Certificates;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
-using Microsoft.AspNetCore.DataProtection;
 using Microsoft.Identity.Web.Sidecar.Endpoints;
 using Microsoft.IdentityModel.JsonWebTokens;
 
@@ -49,8 +47,6 @@ public static void Main(string[] args)
             });
         }
 
-        ConfigureDataProtection(builder);
-
         // Add the agent identities and downstream APIs
         builder.Services.AddAgentIdentities()
                .AddDownstreamApis(builder.Configuration.GetSection("DownstreamApis"));
@@ -103,40 +99,4 @@ private static void ConfigureAuthN(WebApplicationBuilder builder)
                 options.TokenValidationParameters.NameClaimType = "sub";
             });
     }
-
-    private static void ConfigureDataProtection(WebApplicationBuilder builder)
-    {
-        var dataProtectionBuilder = builder.Services.AddDataProtection()
-            .SetApplicationName("Microsoft.Identity.Web.Sidecar");
-
-        // Configure based on environment
-        if (builder.Environment.IsProduction())
-        {
-            // Production configuration for Linux containers
-            var keysPath = Environment.GetEnvironmentVariable("DATA_PROTECTION_KEYS_PATH") ?? "/app/keys";
-
-            // Ensure the directory exists
-            Directory.CreateDirectory(keysPath);
-
-            dataProtectionBuilder.PersistKeysToFileSystem(new DirectoryInfo(keysPath));
-
-            // Optional: Configure key encryption if certificate is available
-            var certPath = Environment.GetEnvironmentVariable("DATA_PROTECTION_CERT_PATH");
-            if (!string.IsNullOrEmpty(certPath) && File.Exists(certPath))
-            {
-                var certPassword = Environment.GetEnvironmentVariable("DATA_PROTECTION_CERT_PASSWORD");
-#pragma warning disable SYSLIB0057 // Type or member is obsolete, No overload for new API accepts a password.
-                var cert = new X509Certificate2(certPath, certPassword);
-#pragma warning restore SYSLIB0057 // Type or member is obsolete
-                dataProtectionBuilder.ProtectKeysWithCertificate(cert);
-            }
-        }
-        else
-        {
-            // Development configuration
-            var keysPath = Path.Combine(builder.Environment.ContentRootPath, "keys");
-            Directory.CreateDirectory(keysPath);
-            dataProtectionBuilder.PersistKeysToFileSystem(new DirectoryInfo(keysPath));
-        }
-    }
 }

src/Microsoft.Identity.Web.Sidecar/README.md

@@ -47,7 +47,6 @@ Settings are supplied via `appsettings.json`, environment variables, or any stan
 
 - **AzureAd**: Standard Microsoft.Identity.Web web API registration; client credentials are optional if only delegated flows are required.
 - **DownstreamApis**: Named profiles for endpoints resolved via `{apiName}`.
-- **Data protection**: In production the app persists keys to `DATA_PROTECTION_KEYS_PATH` (default `/app/keys`) and optionally protects them with a certificate referenced via `DATA_PROTECTION_CERT_PATH` and `DATA_PROTECTION_CERT_PASSWORD`.
 
 ## Running the sidecar