
Support Bearer Token Credentials #389

Closed
jongio opened this issue Feb 4, 2020 · 5 comments
Assignees
Labels
featureparity Tracking issues for catching up feature parity NewArch Tracking issues for NewArch v3.7.0

Comments

@jongio
Member

jongio commented Feb 4, 2020

Which service(blob, file, queue, table) does this issue concern?

Blob

Which version of the Azurite was used?

3.4.0

Where do you get Azurite? (npm, DockerHub, NuGet, Visual Studio Code Extension)

npm

What's the Node.js version?

v12.13

What problem was encountered?

Cannot use TokenCredentials

Steps to reproduce the issue?

Try to access Azurite with Azure Storage SDK

var client = new BlobContainerClient(new Uri(path), new DefaultAzureCredential());

The official SDK supports TokenCredential
https://docs.microsoft.com/en-us/dotnet/api/azure.storage.blobs.blobcontainerclient.-ctor?view=azure-dotnet#Azure_Storage_Blobs_BlobContainerClient__ctor_System_Uri_Azure_Core_TokenCredential_Azure_Storage_Blobs_BlobClientOptions_

Have you found a mitigation/solution?

I can use this code, but it is not ideal. I want to just use DefaultAzureCredential to work with emulator and azure.

var client = emulator ?
   new BlobContainerClient(connection, container) :
   new BlobContainerClient(new Uri(path), new DefaultAzureCredential());

Suggestion

Just like we have a well known account and key, I would like to see us publish a well known Bearer Token, that Azurite accepts, then update the DefaultAzureCredential to use that Bearer Token when it detects Azurite as the server.

@jongio
Member Author

jongio commented Feb 4, 2020

To unblock the use of DefaultAzureCredential, I committed a naive implementation to my fork here: jongio@273e3b1

It only checks for the existence of a bearer token right now. It does not validate it in any way.

More details can be found here:

I posted this blog as a stopgap to help customers use Azurite with DefaultAzureCredential today:
https://blog.jongallant.com/2020/02/azurite-https-defaultazurecredential/

@XiaoningLiu XiaoningLiu self-assigned this Feb 9, 2020
@XiaoningLiu XiaoningLiu added featureparity Tracking issues for catching up feature parity NewArch Tracking issues for NewArch labels Feb 9, 2020
@XiaoningLiu
Member

Hi @jongio I'm evaluating Bearer challenge or OAuth support for Azurite. It can be very simple, just like your implementation or suggestion to use a well known token. Or it can be very complex, to support more scenarios during OAuth authentication. It sounds like a well-known token fits your needs, right?

@jongio
Member Author

jongio commented Feb 9, 2020

I don’t need OAuth integration.

Options:

  1. Real Token from AAD
     • Not needed
  2. Any Token:
     • Works with live AAD or offline
     • Do we have security concerns with enabling “any” token like my impl? I mean, what is the difference between any token and a specific token from a security perspective?
     • No SDK changes required. Will work without SDK dependency. But the user will need to auth against a valid DefaultAzureCredential type or create their own Credential type.
     • Please consider if we should do any format validation on the provided token, like decrypt/parse as JSON. Consider perf implications with that.
  3. Specific Token
     • Works in completely disconnected mode. No AAD dependency.
     • SDK needs a new AzuriteCredential class to send the BearerToken

Either way, the SDK would likely implement AzuriteCredential to enable the completely disconnected scenario. But I would like Azurite to support Any Token if there are no security concerns.

I recommend consulting with our security team for review, and reviewing existing Azurite customer security requirements.

@andre2007

I assume I have the same problem here. I try to access Azurite from azure-sdk-for-c by using the example https://github.com/Azure/azure-sdk-for-c/blob/master/sdk/storage/blobs/samples/src/blobs_client_example.c.

It expects tenant_id, client_id, client_secret and uri.
Please also see here Azure/azure-sdk-for-c#364

@XiaoningLiu
Member

XiaoningLiu commented Apr 17, 2020

Hi Guys,

v3.7.0 includes basic level OAuth (token) support. Try the following parameters to enable OAuth. Note that OAuth needs HTTPS.

azurite --oauth basic --cert server.pem --key key.pem

Thanks, and worked with @jongio. We have a long road plan for OAuth token support. The first step is about basic level OAuth support; in this step, Azurite will validate JWT token integrity, audience, issuer, expiry, etc. But it will not validate the token signature. Azurite will accept any token your application is currently using with Azure Storage, or accept a self-signed token for testing purposes in a disconnected scenario.

At the same time, basic level OAuth is not enabled by default. Azurite customers should enable OAuth with an explicit parameter and define OAuth levels. The reason is, basic level brings candidate back holes, especially for customized storage accounts in Azurite. Basic level OAuth validation doesn't check the signature, which means anyone can sign a token for Azurite.
