[BUG] User Delegation SAS with skt field not present leads to Authentication Failure #44113

Open
Miraj50 opened this issue May 17, 2024 · 1 comment
Labels
Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention This issue is responsible by Azure service team. Storage Storage Service (Queues, Blobs, Files)

Miraj50 commented May 17, 2024

Library name and version

Azure.Storage.Blobs v12.17.0

Describe the bug

https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas#construct-a-user-delegation-sas
In the doc above, it's mentioned that skt is an optional field and if the value is omitted, the current time is assumed.

I tried generating a user delegation SAS where I didn't specify the StartsOn parameter of BlobSasBuilder (I believe it assumes the min value of DateTime in this case). The SAS generated did not have the skt field in it. When I used the SAS to access the blob, I got an authentication failure message saying that skt field is mandatory. (P.S. the startsOn parameter in the GetUserDelegationKey method also had the minValue of DateTimeOffset)

As per the docs, this should have worked as skt is optional and if the value is omitted, the current time is assumed. Please let me know if I am missing something here.

If I set the StartsOn to an explicit value of say, DateTimeOffset.UtcNow, then everything works fine.

Expected behavior

The User Delegation SAS should work, even if the skt field is not present and I should be able to read the blob.

Actual behavior

Authentication Failure.

<Error>
<Code>AuthenticationFailed</Code>
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:6b1b22e5-501e-003d-3657-a8807a000000 Time:2024-05-17T12:41:05.6183342Z</Message>
<AuthenticationErrorDetail>skt is mandatory. Cannot be empty</AuthenticationErrorDetail>
</Error>

Reproduction Steps

Initialize a blobServiceClient and a blobClient.

Create a BlobSasBuilder object like this:

BlobSasBuilder builder = new BlobSasBuilder
{
    BlobContainerName = "<>",
    BlobName = "<>",
    ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(5)
};

Generate a UserDelegationKey:

UserDelegationKey userDelegationKey = blobServiceClient.GetUserDelegationKey(builder.StartsOn, builder.ExpiresOn);

Generate User Delegation SAS

return new BlobUriBuilder(blobClient.Uri)
{
    Sas = builder.ToSasQueryParameters(userDelegationKey, blobClient.AccountName)
}.ToUri();

Paste the SAS Uri in the browser to read the blob.

Environment

No response
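
A pre-flight check for the failure reported above, added here as an example (not code from the issue or from the Azure SDK): it parses a generated SAS URI and lists the signed-key fields that are missing or empty, so a SAS without skt is caught before it is handed out. The class and method names are hypothetical, and the sample URIs are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class UserDelegationSasCheck
{
    // Signed-key fields of a user delegation SAS, as named in the REST doc linked in the issue.
    // skt is treated as required because the service response quoted above rejects a SAS without it.
    private static readonly string[] SignedKeyFields =
        { "skoid", "sktid", "skt", "ske", "sks", "skv" };

    // Returns the signed-key fields that are absent or empty in the SAS query string.
    public static IReadOnlyList<string> MissingSignedKeyFields(Uri sasUri)
    {
        var present = new HashSet<string>(StringComparer.Ordinal);
        string query = sasUri.Query.TrimStart('?');
        foreach (string pair in query.Split('&', StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            // A name with no '=' or nothing after it counts as empty ("Cannot be empty").
            if (eq > 0 && eq < pair.Length - 1)
            {
                present.Add(Uri.UnescapeDataString(pair.Substring(0, eq)));
            }
        }
        return SignedKeyFields.Where(f => !present.Contains(f)).ToList();
    }

    public static void Main()
    {
        // Constructed sample: account, container, blob, GUIDs, versions and sig are placeholders.
        var withoutSkt = new Uri(
            "https://example.blob.core.windows.net/container/blob.txt" +
            "?skoid=00000000-0000-0000-0000-000000000001" +
            "&sktid=00000000-0000-0000-0000-000000000002" +
            "&ske=2024-05-17T12%3A45%3A00Z&sks=b&skv=2023-11-03" +
            "&sv=2023-11-03&se=2024-05-17T12%3A45%3A00Z&sr=b&sp=r&sig=PLACEHOLDER");
        var withSkt = new Uri(withoutSkt.AbsoluteUri + "&skt=2024-05-17T12%3A40%3A00Z");

        // Print the missing signed-key fields for each sample URI.
        Console.WriteLine("without skt: " + string.Join(",", MissingSignedKeyFields(withoutSkt)));
        Console.WriteLine("with skt:    " + string.Join(",", MissingSignedKeyFields(withSkt)));
    }
}
```

Running the same check on the URI returned by the reproduction steps flags the missing skt at generation time instead of at the first AuthenticationFailed response.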

@github-actions github-actions bot added Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention This issue is responsible by Azure service team. Storage Storage Service (Queues, Blobs, Files) labels May 17, 2024
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.
