Is there a way to regenerate Azure Blob Storage SAS token - node.js

I use azure-sdk-for-js (NodeJS).
Particularly @azure/storage-blob@12.6.0.
I have a service which generates SAS tokens and they expire in a few minutes. I want to somehow request new tokens after the previous ones expire. And this should be done even in the middle of an operation, because when I upload a big file to a blob, the SAS token expires in the middle and the upload fails.
I have a working example of what I need, but with EventHub.
I create event hub client with:
new EventHubProducerClient(eventHubHost, eventHubName, sasGenerator)
And sasGenerator is an implementation of TokenCredential. It returns a generated AccessToken (which has a SAS token and expiresOnTimestamp). And if I understood it correctly, EventHubProducerClient uses my sasGenerator to refresh tokens when needed.
I found that BlobServiceClient has a similar argument credential which can have the type TokenCredential. But the same approach as with EventHub doesn't work:
new BlobServiceClient(blobHost, sasGenerator)
Example of Error:
RestError: Server failed to authenticate the request. Please refer to the information in the www-authenticate header
I was also able to use a generated SAS token with AnonymousCredential and it works. But I'm not able to upload a big file to a blob because the token expires earlier.

Please check the below points, if they can be worked around.
The error Server failed to authenticate the request. Please refer to the information in the www-authenticate header possibly may be due to an issue with your account name/key stored in the config file or connection string.
It may be due to permissions not being in the correct order. See Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. And valid permission order.
Came across this article on how to inject a new SAS for an ongoing upload.
The scenario provides sample to request a new SAS token during the uploading instead of starting a new upload.
SEE:
work-with-shared-access-signatures
Best practices using sas

Generate/retrieve a SAS token programmatically for specific Blob/File under azure storage account via REST API in POSTMAN and then in IBM APP Connect

I have a requirement where it has to be done programmatically using the POSTMAN REST API, where I have to upload a file/blob to an Azure storage account and retrieve the unique URL of the specific file that I have uploaded, and I have to share that URL with a third party so that they can view it in a browser.
This is what I have done in POSTMAN:
Request:
PUT https://{storage-account-name}.blob.core.windows.net/{container-name}/{file-name}{SAS-token}
Headers:
x-ms-version: 2020-04-08
x-ms-blob-type: BlockBlob
x-mock-response-name: Upload Blob
Body: Attached a file from my local
Response:
I received a 200 code and the file was successfully uploaded. However, in the response headers I don't see any URL or unique SAS token that I can share with my third-party client.
I have also tried adding se and sp to the SAS token, and I got the below error:
AuthenticationFailed
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:65282b4e-401e-0050-2337-43ee90000000 Time:2023-02-18T01:20:28.3522177Z
Signature did not match. String to sign used was r 2023-02-18T09:12:15Z /blob/storage-account-name/container-name/file-name.txt 2021-06-08 b
Note: We don't want to generate the SAS token manually from the Azure portal for each file and construct the URL and share it with the client, due to the high traffic coming in. Once it is successful using POSTMAN, I have to implement the same in IBM App Connect Enterprise (ESQL coding).
All the suggestions are much appreciated. Thank you in advance.
Retrieve the unique URL of the specific file that I have uploaded programmatically and share that URL with third party so that they can view it on browser.
In addition to the se and sp parameters, the following parameters are required to construct the correct SAS URL:
signed version (sv)
signed resource (sr)
signature
Your error message says that the signature does not match the rest of the URL. The signature is a hash-based message authentication code (HMAC) that you compute over the string-to-sign and key by using the SHA256 algorithm, and then encode by using Base64 encoding.
You can find how to construct the string-to-sign and signature depending on the version on this documentation page.
Postman has a built-in JavaScript library that can help you to calculate HMAC:
CryptoJS.HmacSHA256("string-to-sign", CryptoJS.enc.Base64.parse("key")).toString(CryptoJS.enc.Base64)

Azure Container Apps with Dapr state store failing

I am using Azure Container Apps with Azure Blob Storage as a state store. It is a simple Hello World (weather service) app using dotnet 6. The app starts up fine; on POST I am trying to save the generated weather information to Azure Blob Storage as JSON. I have configured Dapr components in Azure Container Apps for the state store using Azure Blob Storage. I am using the storage key (secondary key) as explained in this Microsoft documentation.
Upon making a request from Swagger and looking at the log, I get the following error.
Dapr.DaprException: State operation failed: the Dapr endpoint indicated a failure. See InnerException for details.
2022-07-17T01:10:35.716245402Z ---> Grpc.Core.RpcException: Status(StatusCode="Internal", Detail="failed saving state in state store statestore: -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /home/vsts/work/1/go/pkg/mod/github.com/!azure/azure-storage-blob-go#v0.10.0/azblob/zc_storage_error.go:42
2022-07-17T01:10:35.716524109Z ===== RESPONSE ERROR (ServiceCode=AuthenticationFailed) =====
2022-07-17T01:10:35.716795515Z Description=Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
2022-07-17T01:10:35.716812515Z RequestId:863bcef4-401e-0069-5f7a-99724b000000
2022-07-17T01:10:35.716820115Z Time:2022-07-17T01:10:35.7137648Z, Details:
2022-07-17T01:10:35.716825516Z AuthenticationErrorDetail: Issuer validation failed. Issuer did not match.
2022-07-17T01:10:35.716831516Z Code: AuthenticationFailed
The error is Authentication Failed. I am unsure what I am missing, since I am not making any additional config in the storage account such as a VNET service endpoint etc. The account is enabled for key access. Any help is appreciated.
Below is the code that I am using:
using var client = new DaprClientBuilder().Build();
var forecast = new WeatherForecast()
{
    Date = DateTime.Now.AddDays(1),
    TemperatureC = Random.Shared.Next(-20, 55),
    Summary = Summaries[Random.Shared.Next(Summaries.Length)]
};
await client.SaveStateAsync<WeatherForecast>(stateStoreName, key, forecast);
I think I found the answer. The issue was with the metadata, since the key set in the metadata of the component.yaml as mentioned in the Microsoft documentation is not working. I changed it to use secretRef and referred to it in the metadata directly in the portal. Not sure why the error was showing an authentication error, but it is finally working.

Azure Media Services Widevine and PlayReady DRM Error: Unable to decrypt encrypted video source 0x20500004

I am trying to upload a video file and stream it with DRM using Azure Media Services.
So far I have managed to upload the file, get a streaming URL and get a token, but when trying to play it on http://ampdemo.azureedge.net/ I am getting an error:
Unable to decrypt encrypted video source 0x20500004
I've been searching for a couple of hours now for what might cause the issue but haven't found anything that helped.
I used this repo (and changed the keys to my own):
https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/StreamFilesWithDRMSample/index.ts
In addition, I created a content key policy named CommonEncryptionCencDrmContentKeyPolicy with license type PlayReady and Restriction type token
Can anyone help and share what I am missing here?
Thanks!
Make sure you are using https:// for everything.... don't mix http: on any URLs
That's usually the issue.
Update:
I can't quite spot the issue within the token, but it could be something to do with the way that you have defined the restriction in the ContentKeyPolicyTokenRestriction object.
Make sure that your issuer and audience match what you passed into the JWT token. If the sample worked for you, that might be the difference.
let restriction: ContentKeyPolicyTokenRestriction = {
    odataType: "#Microsoft.Media.ContentKeyPolicyTokenRestriction",
    issuer: issuer,
    audience: audience,
    primaryVerificationKey: primaryKey,
    restrictionTokenType: "Jwt",
    alternateVerificationKeys: undefined,
    requiredClaims: requiredClaims
}
Check through all parts that set the Content Key Policy token restriction up, and make sure that it matches the required claims passed into the JWT token.

SharePoint API: Invalid Access Token Resource

I am trying to obtain an access token for use with the SharePoint REST API for my organization's base site. I am able to obtain a token and use that token to make subsequent requests successfully.
Next, I followed the same process and created more app permissions for a different site: {{tenant removed}}/sites/testsite. I was initially unable to create the request for the token because the resource parameter was not valid (see image below):
Per the URI encoding standards, I replaced the "/" in the site URL with "%2f" and I am able to get a token (see image below):
Next however, the requests using that token to the API fail:
{
"error_description":
"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
}
In the response header:
3000003;reason="Invalid audience Uri '00000003-0000-0ff1-ce00-000000000000/{{tenant removed}}%2fsites%2f{{removed}}@{{realm removed}}'.";category="invalid_client"
Did I encode the resource incorrectly? What am I missing? How can I use this method to get information from the other site?
I can see many developers making the same assumption when they create requests, since almost all documentation doesn't point out this scenario. You will be able to obtain a token for the site successfully as long as the resource is in a valid URI format; there is no validation done on the URI itself. Even if you get a token, it will not work for any requests.
When fetching the access token for subsites (i.e. {{tenant}}/sites/testsite), the resource part of the request body does not need to be modified.
So, for example, when you are getting a token for test.sharepoint.com/sites/testsite the resource of the request body should just be:
00000003-0000-0ff1-ce00-000000000000/test.sharepoint.com@{{realm}} (without /sites/testsite)
However, when you make HTTP requests to the API with the token, you should use the full site name. Example:
https://test.sharepoint.com/sites/testsite/_api/web/

Docusign API's failing after an hour

I have a DocuSign sandbox account. I am trying to integrate DocuSign with my application and am using the JWT Grant for authentication in Java. I got sample code from https://github.com/docusign/eg-01-java-jwt and it works perfectly for an hour, and then the API starts failing.
Any idea how I can tackle this issue?
I'm getting the below error.
I already tried changing the token expiry time from 1 hr to other lesser values (5 min, 30 min). Even then the APIs start failing exactly after an hour.
https://github.com/docusign/eg-01-java-jwt
ERROR MESSAGE
{"timestamp":1560750467288,"status":500,"error":"Internal Server Error","message":"Error while requesting server, received a non successful HTTP code 401 with response Body: '{\r\n \"errorCode\": \"USER_AUTHENTICATION_FAILED\",\r\n \"message\": \"One or both of Username and Password are invalid. Invalid access token\"\r\n}'","path":"{path}"}
Found a way around the problem.
The access token was being generated, but for some reason it was not updating the token in the ApiClient object and was using the old token only.
So now I am just creating a new ApiClient object every time the token expires instead of replacing the old token with the new one.
The JWT grant returns an access token that is only valid for 1 hour. After that, you need to generate a new token for another hour.
Call the example's checkToken method before each API call. It should create a new access token as needed.
Added
You'll need to debug to see what's happening. Is the checkToken method obtaining a new access token after 50 minutes (it should be using a 10-minute buffer time)? Is the new access token being used?
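Both answers above describe the same two questions, whether a new token is requested in time and whether the client actually uses it. The following added example, which is not code from the DocuSign sample or from either answer, makes them concrete in JavaScript: a `checkToken` holder with a 10-minute buffer is run against a constructed API stand-in that rejects tokens older than an hour, once through a client that copied the token at construction (the stale ApiClient behaviour the asker hit) and once through a client that asks the holder before every call. `requestJwtToken` stands in for the JWT grant exchange and is assumed to return `{ accessToken, expiresInSeconds }`; the timeline and token values are simulated.

```javascript
// Added example, not code from the DocuSign sample: the checkToken pattern
// with a 10-minute buffer, run against a constructed API stand-in that rejects
// tokens older than an hour. It contrasts a client that copies the token at
// construction (the stale-ApiClient behaviour described above) with one that
// asks the holder before every call. `requestJwtToken` stands in for the
// JWT grant exchange and is assumed to return { accessToken, expiresInSeconds }.
const BUFFER_MS = 10 * 60 * 1000;

// Holds the current access token and refreshes it when less than BUFFER_MS
// of validity remains. `now` is injectable so the demo can simulate time.
function createTokenHolder(requestJwtToken, now = () => Date.now()) {
  let token = null;
  let expiresAt = 0;
  let refreshes = 0;
  return {
    async checkToken() {
      if (!token || now() + BUFFER_MS >= expiresAt) {
        const t = await requestJwtToken();
        token = t.accessToken;
        expiresAt = now() + t.expiresInSeconds * 1000;
        refreshes += 1;
      }
      return token;
    },
    refreshCount: () => refreshes,
  };
}

// Simulates calls at 0, 30, 55 and 70 minutes for both client styles.
async function demo() {
  let clock = 0;                          // simulated epoch ms
  const issuedUntil = new Map();          // token -> expiry ms (the "server")
  const requestJwtToken = async () => {
    const accessToken = `constructed-token-${issuedUntil.size + 1}`;
    issuedUntil.set(accessToken, clock + 3600 * 1000);
    return { accessToken, expiresInSeconds: 3600 };
  };
  // A 401 is what an expired token produces (USER_AUTHENTICATION_FAILED).
  const apiCall = (token) => (issuedUntil.get(token) > clock ? 200 : 401);

  const staleHolder = createTokenHolder(requestJwtToken, () => clock);
  const staleClient = { token: await staleHolder.checkToken() };   // copied once
  const freshHolder = createTokenHolder(requestJwtToken, () => clock);

  const results = { stale: [], fresh: [], refreshes: 0 };
  for (const minutes of [0, 30, 55, 70]) {
    clock = minutes * 60 * 1000;
    results.stale.push(apiCall(staleClient.token));
    results.fresh.push(apiCall(await freshHolder.checkToken()));
  }
  results.refreshes = freshHolder.refreshCount();
  return results;
}

demo().then((r) => console.log(r));
module.exports = { createTokenHolder, demo };
```

The stale client answers 200 three times and then 401 at 70 minutes, exactly the "works for an hour" symptom, even though its holder would have refreshed had anyone asked it. The fresh client refreshes at the 55-minute call because 55 + 10 minutes of buffer reaches the expiry, and never sees a 401. Rebuilding the client after each refresh, as the asker ended up doing, is one way to guarantee the call path reads the new token; passing the holder into the client and calling `checkToken` per request is the other.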
