
Support Bearer Token Credentials #389

Open
jongio opened this issue Feb 4, 2020 · 3 comments
@jongio (Member) commented Feb 4, 2020

Which service(blob, file, queue, table) does this issue concern?

Blob

Which version of the Azurite was used?

3.4.0

Where do you get Azurite? (npm, DockerHub, NuGet, Visual Studio Code Extension)

npm

What's the Node.js version?

v12.13

What problem was encountered?

Cannot use TokenCredentials

Steps to reproduce the issue?

Try to access Azurite with Azure Storage SDK

```csharp
var client = new BlobContainerClient(new Uri(path), new DefaultAzureCredential());
```

The official SDK supports TokenCredential
https://docs.microsoft.com/en-us/dotnet/api/azure.storage.blobs.blobcontainerclient.-ctor?view=azure-dotnet#Azure_Storage_Blobs_BlobContainerClient__ctor_System_Uri_Azure_Core_TokenCredential_Azure_Storage_Blobs_BlobClientOptions_

Have you found a mitigation/solution?

I can use this code, but it is not ideal. I want to just use DefaultAzureCredential to work with the emulator and Azure.

```csharp
var client = emulator ?
   new BlobContainerClient(connection, container) :
   new BlobContainerClient(new Uri(path), new DefaultAzureCredential());
```

Suggestion

Just like we have a well known account and key, I would like to see us publish a well known Bearer Token, that Azurite accepts, then update the DefaultAzureCredential to use that Bearer Token when it detects Azurite as the server.

@jongio (Member, Author) commented Feb 4, 2020

To unblock the use of DefaultAzureCredential, I committed a naive implementation to my fork here: jongio@273e3b1

It only checks for the existence of a bearer token right now. It does not validate it in any way.

More details can be found here:

I posted this blog as a stopgap to help customers use Azurite with DefaultAzureCredential today: https://blog.jongallant.com/2020/02/azurite-https-defaultazurecredential/

@XiaoningLiu (Member) commented Feb 9, 2020

Hi @jongio I'm evaluating Bearer challenge or OAuth support for Azurite. It can be very simple, just like your implementation or suggestion to use a well known token. Or it can be very complex, to support more scenarios during OAuth authentication. It sounds like a well-known token fits your needs, right?

@jongio (Member, Author) commented Feb 9, 2020

I don’t need OAuth integration.

Options:

  1. Real Token from AAD
     • Not needed
  2. Any Token:
     • Works with live AAD or offline
     • Do we have security concerns with enabling "any" token like my impl? I mean, what is the difference between any token and a specific token from a security perspective?
     • No SDK changes required. Will work without SDK dependency. But the user will need to auth against a valid DefaultAzureCredential type or create their own Credential type.
     • Please consider if we should do any format validation on the provided token, like decrypt/parse as JSON. Consider perf implications with that.
  3. Specific Token
     • Works in completely disconnected mode. No AAD dependency.
     • SDK needs a new AzuriteCredential class to send the BearerToken

Either way, the SDK would likely implement AzuriteCredential to enable the completely disconnected scenario. But I would like Azurite to support Any Token if there are no security concerns.

I recommend consulting with our security team for review, and reviewing existing Azurite customer security requirements.
