Azurite Table storage AuthorizationFailure via Postman #1359

Closed
jorgembutron opened this issue Feb 24, 2022 · 5 comments · Fixed by #2276
Labels
investigation NewArch Tracking issues for NewArch question Further information is requested table-storage Relating to Azurite table storage implementation

jorgembutron commented Feb 24, 2022

Which service(blob, file, queue, table) does this issue concern?

table

Which version of the Azurite was used?

azurite ver. 3.15.0

Where do you get Azurite? (npm, DockerHub, NuGet, Visual Studio Code Extension)

npm

What's the Node.js version?

v16.14.0

What problem was encountered?

Cannot access a Table storage from Postman, using the 'Get Shared Access Signature' menu to get the SAS (azurite ver. 3.15.0):

http://127.0.0.1:10002/devstoreaccount1/Todo?st=2022-02-17T00%3A48%3A00Z&se=2022-03-01T00%3A48%3A00Z&sp=r&sv=2018-03-28&tn=todo&sig=Gj0TASrvZJYA84wHXqpiDJWR3s9Dn6aM68zTWFn%2BVkA%3D

Response 403

AuthorizationFailure Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature. RequestId:4fde75ff-5bc8-46b0-beb0-ed7c85555e46 Time:2022-02-24T01:03:54.759Z

Steps to reproduce the issue?

1. Create a table
2. Use the 'Get Shared Access Signature' context menu to get the SAS
3. Request via Postman

If possible, please provide the debug log using the -d parameter, replacing <pathtodebuglog> with an appropriate path for your OS, or review the instructions for docker containers:

2022-02-24T15:34:17.338Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 info: TableStorageContextMiddleware: RequestMethod=GET RequestURL=http://127.0.0.1/devstoreaccount1/Todo?comp=acl RequestHeaders:{"x-ms-client-request-id":"3a51b680-9587-11ec-a171-3b59fbf574bf","user-agent":"Microsoft Azure Storage Explorer, 1.22.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v14.16.0; Windows_NT 10.0.22000)","x-ms-version":"2018-03-28","x-ms-date":"Thu, 24 Feb 2022 15:34:17 GMT","accept":"application/atom+xml,application/xml","accept-charset":"UTF-8","content-type":"","content-length":"0","authorization":"SharedKey devstoreaccount1:sUNi3ygCN1YCaUfjbsOZHy5ypoJMR7o6m1w0ods6Aiw=","host":"127.0.0.1:10002","connection":"keep-alive"} ClientIP=127.0.0.1 Protocol=http HTTPVersion=1.1
2022-02-24T15:34:17.338Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 debug: tableStorageContextMiddleware: Dispatch pattern string: /Todo()
2022-02-24T15:34:17.338Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 info: tableStorageContextMiddleware: Account=devstoreaccount1 tableName=Todo
2022-02-24T15:34:17.338Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 verbose: DispatchMiddleware: Dispatching request...
2022-02-24T15:34:17.339Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 info: DispatchMiddleware: Operation=Table_GetAccessPolicy
2022-02-24T15:34:17.339Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 verbose: AuthenticationMiddlewareFactory:createAuthenticationMiddleware() Validating authentications.
2022-02-24T15:34:17.339Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 info: TableSharedKeyLiteAuthenticator:validate() Start validation against account shared key authentication.
2022-02-24T15:34:17.339Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 info: TableSharedKeyLiteAuthenticator:validate() Request doesn't include valid authentication header. Skip SharedKeyLite authentication.
2022-02-24T15:34:17.339Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 info: TableSharedKeyAuthenticator:validate() Start validation against account shared key authentication.
2022-02-24T15:34:17.339Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 info: TableSharedKeyAuthenticator:validate() [STRING TO SIGN]:"GET\n\n\nThu, 24 Feb 2022 15:34:17 GMT\n/devstoreaccount1/devstoreaccount1/Todo?comp=acl"
2022-02-24T15:34:17.340Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 info: TableSharedKeyAuthenticator:validate() Calculated authentication header based on key1: SharedKey devstoreaccount1:sUNi3ygCN1YCaUfjbsOZHy5ypoJMR7o6m1w0ods6Aiw=
2022-02-24T15:34:17.340Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 info: TableSharedKeyAuthenticator:validate() Signature 1 matched.
2022-02-24T15:34:17.340Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 verbose: DeserializerMiddleware: Start deserializing...
2022-02-24T15:34:17.340Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 info: HandlerMiddleware: DeserializedParameters={"options":{"requestId":"3a51b680-9587-11ec-a171-3b59fbf574bf"},"comp":"acl","version":"2018-03-28"}
2022-02-24T15:34:17.340Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 verbose: SerializerMiddleware: Start serializing...
2022-02-24T15:34:17.341Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 debug: Serializer: Raw response body string is
2022-02-24T15:34:17.341Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 info: Serializer: Start returning stream body.
2022-02-24T15:34:17.341Z 30323dd0-8a65-4f10-a6bc-e5611af3a542 info: EndMiddleware: End response. TotalTimeInMS=3 StatusCode=200 StatusMessage=OK Headers={"server":"Azurite-Table/3.15.0","x-ms-client-request-id":"3a51b680-9587-11ec-a171-3b59fbf574bf","x-ms-request-id":"30323dd0-8a65-4f10-a6bc-e5611af3a542","x-ms-version":"2021-02-12","date":"Thu, 24 Feb 2022 15:34:17 GMT","content-type":"application/xml"}
2022-02-24T15:35:01.975Z 744071a3-4d10-44c3-9a23-734754e6da9e info: TableStorageContextMiddleware: RequestMethod=GET RequestURL=http://127.0.0.1/devstoreaccount1/Todo?st=2022-02-17T15%3A19%3A00Z&se=2022-02-28T15%3A19%3A00Z&sp=r&sv=2018-03-28&tn=todo&sig=rhkaJn5zJlOWGc3wBuhNGAlwOKOMd4HYBI4GUH72zAA%3D RequestHeaders:{"user-agent":"PostmanRuntime/7.29.0","accept":"/","postman-token":"f473b363-ce00-43f9-94b5-1d841b63dc65","host":"127.0.0.1:10002","accept-encoding":"gzip, deflate, br","connection":"keep-alive"} ClientIP=127.0.0.1 Protocol=http HTTPVersion=1.1
2022-02-24T15:35:01.975Z 744071a3-4d10-44c3-9a23-734754e6da9e debug: tableStorageContextMiddleware: Dispatch pattern string: /Todo()
2022-02-24T15:35:01.975Z 744071a3-4d10-44c3-9a23-734754e6da9e info: tableStorageContextMiddleware: Account=devstoreaccount1 tableName=Todo
2022-02-24T15:35:01.975Z 744071a3-4d10-44c3-9a23-734754e6da9e verbose: DispatchMiddleware: Dispatching request...
2022-02-24T15:35:01.975Z 744071a3-4d10-44c3-9a23-734754e6da9e info: DispatchMiddleware: Operation=Table_QueryEntities
2022-02-24T15:35:01.975Z 744071a3-4d10-44c3-9a23-734754e6da9e verbose: AuthenticationMiddlewareFactory:createAuthenticationMiddleware() Validating authentications.
2022-02-24T15:35:01.975Z 744071a3-4d10-44c3-9a23-734754e6da9e info: TableSharedKeyLiteAuthenticator:validate() Start validation against account shared key authentication.
2022-02-24T15:35:01.975Z 744071a3-4d10-44c3-9a23-734754e6da9e info: TableSharedKeyLiteAuthenticator:validate() Request doesn't include valid authentication header. Skip SharedKeyLite authentication.
2022-02-24T15:35:01.975Z 744071a3-4d10-44c3-9a23-734754e6da9e info: TableSharedKeyAuthenticator:validate() Start validation against account shared key authentication.
2022-02-24T15:35:01.975Z 744071a3-4d10-44c3-9a23-734754e6da9e info: TableSharedKeyAuthenticator:validate() Request doesn't include valid authentication header. Skip shared key authentication.
2022-02-24T15:35:01.976Z 744071a3-4d10-44c3-9a23-734754e6da9e info: AccountSASAuthenticator:validate() Start validation against account Shared Access Signature pattern.
2022-02-24T15:35:01.976Z 744071a3-4d10-44c3-9a23-734754e6da9e debug: AccountSASAuthenticator:validate() Getting account properties...
2022-02-24T15:35:01.976Z 744071a3-4d10-44c3-9a23-734754e6da9e debug: AccountSASAuthenticator:validate() Retrieved account name from context: devstoreaccount1, table: undefined
2022-02-24T15:35:01.976Z 744071a3-4d10-44c3-9a23-734754e6da9e debug: AccountSASAuthenticator:validate() Got account properties successfully.
2022-02-24T15:35:01.976Z 744071a3-4d10-44c3-9a23-734754e6da9e debug: AccountSASAuthenticator:validate() Retrieved signature from URL parameter sig: rhkaJn5zJlOWGc3wBuhNGAlwOKOMd4HYBI4GUH72zAA=
2022-02-24T15:35:01.976Z 744071a3-4d10-44c3-9a23-734754e6da9e info: AccountSASAuthenticator:validate() Failed to get valid account SAS values from request.
2022-02-24T15:35:01.976Z 744071a3-4d10-44c3-9a23-734754e6da9e info: TableSASAuthenticator:validate() Start validation against table service Shared Access Signature pattern.
2022-02-24T15:35:01.976Z 744071a3-4d10-44c3-9a23-734754e6da9e debug: TableSASAuthenticator:validate() Getting account properties...
2022-02-24T15:35:01.976Z 744071a3-4d10-44c3-9a23-734754e6da9e debug: TableSASAuthenticator:validate() Retrieved account name from context: devstoreaccount1, table: Todo
2022-02-24T15:35:01.976Z 744071a3-4d10-44c3-9a23-734754e6da9e debug: TableSASAuthenticator:validate() Got account properties successfully.
2022-02-24T15:35:01.976Z 744071a3-4d10-44c3-9a23-734754e6da9e debug: TableSASAuthenticator:validate() Retrieved signature from URL parameter sig: rhkaJn5zJlOWGc3wBuhNGAlwOKOMd4HYBI4GUH72zAA=
2022-02-24T15:35:01.976Z 744071a3-4d10-44c3-9a23-734754e6da9e debug: TableSASAuthenticator:validate() Successfully got valid table service SAS values from request. {"version":"2018-03-28","startTime":"2022-02-17T15:19:00Z","expiryTime":"2022-02-28T15:19:00Z","permissions":"r","tableName":"Todo"}
2022-02-24T15:35:01.976Z 744071a3-4d10-44c3-9a23-734754e6da9e info: TableSASAuthenticator:validate() Validate signature based account key1.
2022-02-24T15:35:01.977Z 744071a3-4d10-44c3-9a23-734754e6da9e debug: TableSASAuthenticator:validate() String to sign is: "r\n2022-02-17T15:19:00Z\n2022-02-28T15:19:00Z\n/table/devstoreaccount1/Todo\n\n\n\n2018-03-28\n\n\n\n"
2022-02-24T15:35:01.977Z 744071a3-4d10-44c3-9a23-734754e6da9e debug: TableSASAuthenticator:validate() Calculated signature is: S1geTBBjCe7WJa2A1HJVnVX+DPh+ZfwPnMr5Bw0S3do=
2022-02-24T15:35:01.977Z 744071a3-4d10-44c3-9a23-734754e6da9e info: TableSASAuthenticator:validate() Signature based on key1 validation failed.
2022-02-24T15:35:01.977Z 744071a3-4d10-44c3-9a23-734754e6da9e error: ErrorMiddleware: Received a MiddlewareError, fill error information to HTTP response
2022-02-24T15:35:01.977Z 744071a3-4d10-44c3-9a23-734754e6da9e error: ErrorMiddleware: ErrorName=StorageError ErrorMessage="Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature." ErrorHTTPStatusCode=403 ErrorHTTPStatusMessage=undefined ErrorHTTPHeaders={"x-ms-error-code":"AuthorizationFailure","x-ms-request-id":"744071a3-4d10-44c3-9a23-734754e6da9e","x-ms-version":"2021-02-12"} ErrorHTTPBody="\n\n AuthorizationFailure\n Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature.\nRequestId:744071a3-4d10-44c3-9a23-734754e6da9e\nTime:2022-02-24T15:35:01.977Z\n" ErrorStack=""StorageError: Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature.\n at Function.getAuthorizationFailure (C:\\Users\\xyz\\AppData\\Roaming\\npm\\node_modules\\azurite\\dist\\src\\table\\errors\\StorageErrorFactory.js:50:16)\n at C:\\Users\\xyz\\AppData\\Roaming\\npm\\node_modules\\azurite\\dist\\src\\table\\middleware\\AuthenticationMiddlewareFactory.js:21:56\n at processTicksAndRejections (node:internal/process/task_queues:96:5)""
2022-02-24T15:35:01.977Z 744071a3-4d10-44c3-9a23-734754e6da9e error: ErrorMiddleware: Set HTTP code: 403
2022-02-24T15:35:01.977Z 744071a3-4d10-44c3-9a23-734754e6da9e error: ErrorMiddleware: Set HTTP Header: x-ms-error-code=AuthorizationFailure
2022-02-24T15:35:01.977Z 744071a3-4d10-44c3-9a23-734754e6da9e error: ErrorMiddleware: Set HTTP Header: x-ms-request-id=744071a3-4d10-44c3-9a23-734754e6da9e
2022-02-24T15:35:01.977Z 744071a3-4d10-44c3-9a23-734754e6da9e error: ErrorMiddleware: Set HTTP Header: x-ms-version=2021-02-12
2022-02-24T15:35:01.977Z 744071a3-4d10-44c3-9a23-734754e6da9e error: ErrorMiddleware: Set content type: application/xml
2022-02-24T15:35:01.978Z 744071a3-4d10-44c3-9a23-734754e6da9e error: ErrorMiddleware: Set HTTP body: "\n\n AuthorizationFailure\n Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature.\nRequestId:744071a3-4d10-44c3-9a23-734754e6da9e\nTime:2022-02-24T15:35:01.977Z\n"
2022-02-24T15:35:01.978Z 744071a3-4d10-44c3-9a23-734754e6da9e info: EndMiddleware: End response. TotalTimeInMS=3 StatusCode=403 StatusMessage=Forbidden Headers={"server":"Azurite-Table/3.15.0","x-ms-error-code":"AuthorizationFailure","x-ms-request-id":"744071a3-4d10-44c3-9a23-734754e6da9e","x-ms-version":"2021-02-12","content-type":"application/xml"}
2022-02-24T15:35:02.462Z info: AccountDataStore:init() Refresh accounts from environment variable AZURITE_ACCOUNTS with value undefined
2022-02-24T15:35:02.463Z info: AccountDataStore:init() Fallback to default emulator account devstoreaccount1.
2022-02-24T15:35:02.600Z info: AccountDataStore:init() Refresh accounts from environment variable AZURITE_ACCOUNTS with value undefined
2022-02-24T15:35:02.600Z info: AccountDataStore:init() Fallback to default emulator account devstoreaccount1.
2022-02-24T15:35:02.665Z info: QueueGCManager:markSweepLoop() Start new mark and sweep.
2022-02-24T15:35:02.665Z info: QueueGCManger:markSweep() Get all extents.
2022-02-24T15:35:02.665Z info: QueueGCManager:marksweep() Get 0 extents.
2022-02-24T15:35:02.665Z info: QueueGCManager:markSweep() Get referred extents, then remove from allExtents.
2022-02-24T15:35:02.666Z info: QueueGCManager:markSweep() Got referred extents, unreferenced extents count is 0.
2022-02-24T15:35:02.666Z info: QueueGCManager:markSweepLoop() Mark and sweep finished, take 1ms.
2022-02-24T15:35:02.666Z info: QueueGCManager:markSweepLoop() Sleep for 60000
2022-02-24T15:35:02.666Z info: AccountDataStore:init() Refresh accounts from environment variable AZURITE_ACCOUNTS with value undefined
2022-02-24T15:35:02.666Z info: AccountDataStore:init() Fallback to default emulator account devstoreaccount1.

-d "<pathtodebuglog>"

Please be sure to remove any PII or sensitive information before sharing!
The debug log will log raw request headers and bodies, so that we can replay these against Azurite using REST and create tests to validate resolution.

Have you found a mitigation/solution?

NO

@XiaoningLiu
Member

Are you using Storage Explorer as mentioned in "Use the 'Get Shared Access Signature' context menu to get the SAS"?

@XiaoningLiu XiaoningLiu added NewArch Tracking issues for NewArch question Further information is requested table-storage Relating to Azurite table storage implementation labels Mar 3, 2022
@jorgembutron
Author

> Are you using Storage Explorer as mentioned in "Use the 'Get Shared Access Signature' context menu to get the SAS"?

Yes, I am

@leidegre

I can confirm. Having this exact same problem. There's no reason why this shouldn't work, but it is not working. Doing the same thing and switching to an Azure Storage Account works.

@supertgtline

Maybe we can't get information by using the emulator in Azure through Postman.

@blueww
Member

blueww commented Nov 6, 2023

It looks like this issue is caused by the table name in the string to sign not being lower case: "r\n2022-02-17T15:19:00Z\n2022-02-28T15:19:00Z\n/table/devstoreaccount1/Todo\n\n\n\n2018-03-28\n\n\n\n".
But according to link, table names must be lowercase in the canonicalizedResource in the stringToSign of a SAS.

If we use a lower case table name in the StringToSign "r\n2022-02-17T15:19:00Z\n2022-02-28T15:19:00Z\n/table/devstoreaccount1/todo\n\n\n\n2018-03-28\n\n\n\n", the signature is "rhkaJn5zJlOWGc3wBuhNGAlwOKOMd4HYBI4GUH72zAA=", which is the same as the SAS signature from Storage Explorer.

We should fix Azurite table SAS authentication, but calculate the canonicalizedResource with lower case table name:

return `/table/${accountName}/${tableName}`;
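
The mismatch described in the comment above can be reproduced offline. The following is an added example, not part of the thread and not Azurite's code; it assumes the log's key1 is Azurite's publicly documented default key for devstoreaccount1, and `validateTableSas` with its `lowerCase` switch are hypothetical names.

```javascript
// Added example (not Azurite source). DEV_KEY is assumed to be the key1 used in
// the log: Azurite's publicly documented default key for devstoreaccount1.
const crypto = require("crypto");

const DEV_KEY =
  "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==";

// Canonicalized resource of a table service SAS. `lowerCase` is a hypothetical
// switch: false keeps the table name's case, as the logged string-to-sign does.
function canonicalizedResource(account, table, lowerCase) {
  return `/table/${account}/${lowerCase ? table.toLowerCase() : table}`;
}

// String-to-sign for a SAS carrying only sp, st, se and sv, laid out field for
// field as in the TableSASAuthenticator debug line.
function stringToSign(sas, resource) {
  return [
    sas.sp, sas.st, sas.se, resource,
    "", "", "",     // signed identifier, signed IP, signed protocol
    sas.sv,
    "", "", "", ""  // start/end partition keys and row keys
  ].join("\n");
}

function sign(key, text) {
  return crypto.createHmac("sha256", Buffer.from(key, "base64"))
    .update(text, "utf8").digest("base64");
}

// Signature check only; start/expiry and permission checks are left out.
function validateTableSas(url, account, table, key, lowerCase) {
  const q = new URL(url).searchParams;
  const sas = { sp: q.get("sp"), st: q.get("st"), se: q.get("se"), sv: q.get("sv") };
  const resource = canonicalizedResource(account, table, lowerCase);
  const expected = Buffer.from(sign(key, stringToSign(sas, resource)), "base64");
  const given = Buffer.from(q.get("sig") || "", "base64");
  // Constant-time comparison of the decoded MACs.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// RequestURL of the failing Postman request, copied from the debug log.
const LOGGED_URL = "http://127.0.0.1/devstoreaccount1/Todo" +
  "?st=2022-02-17T15%3A19%3A00Z&se=2022-02-28T15%3A19%3A00Z&sp=r&sv=2018-03-28" +
  "&tn=todo&sig=rhkaJn5zJlOWGc3wBuhNGAlwOKOMd4HYBI4GUH72zAA%3D";
```

With `lowerCase` set to `false` the logged request is rejected, as in the 403 above; with `true` the same URL validates against the signature Storage Explorer issued.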
