I am trying to authenticate using the Azure Storage emulator's fixed account/key used for the Azure storage emulator Shared Key authentication.
When sending an anonymous request I get the correct response
but when adding Authorization Header I get:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<error xmlns="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
<code>InvalidAuthenticationInfo</code>
<message xml:lang="en-US">Authentication information is not given in the correct format. Check the value of Authorization header.
RequestId:6d2cc79e-6bce-451c-a6f0-f10e0876f640
Time:2019-07-29T19:22:48.6402756Z</message>
</error>.
This is the key-value pair for the Authorization header:
Any idea on how to resolve this? I have followed documentation but no luck.
Considering you're using a Shared Access Signature (SAS) URL, you don't need to add Authorization header as authorization information is already included in your SAS URL (sig part of your URL).
One thing that you may want to do is change the value of Accept header and set its value to application/json;odata=fullmetadata.
Authorization header comes into picture when you don't use SAS. I noted that you're simply passing your account key as part of your authorization header. That won't work. You will actually need to compute the authorization header. Please see this link for more details: https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-with-shared-key.
Related
I have requirement where it has to be done programmatically using POSTMAN REST API, where I have to upload a file/blob to Azure storage account and retrieve the unique URL of the specific file that I have uploaded, and I have to share that URL to third party so that they can view it on browser.
This is what I have done in the POSTMAN
Request:
PUT https://{storage-account-name}.blob.core.windows.net/{container-name}/{file-name}{SAS-token}
Headers:
x-ms-version: 2020-04-08
x-ms-blob-type: BlockBlob
x-mock-response-name: Upload Blob
Body: Attached a file from my local
Response:
I have received 200 code and file is successfully uploaded. However, in the response headers I don't see any URL or unique SAS token that I can share to my third-party client.
I have also tried adding se and sp to sas token, I got the below error
AuthenticationFailed
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:65282b4e-401e-0050-2337-43ee90000000 Time:2023-02-18T01:20:28.3522177Z
**Signature did not match. String to sign used was r 2023-02-18T09:12:15Z /blob/storage-account-name/container-name/file-name.txt 2021-06-08 b **
Note: We don't want to generate SAS token manually from Azure portal for each file and construct the URL and share it to the client due to high traffic coming in. Once it is successful using POSTMAN. I have to implement the same in IBM App Connect enterprise, ESQL coding*
All the suggestions are much appreciated. Thank you in advance.
Retrieve the unique URL of the specific file that I have uploaded programmatically and share that URL with third party so that they can view it on browser.
In addition to the se and sp parameters, the following parameters are required to construct the correct SAS URL:
signed version (sv)
signed resource (sr)
signature
Your error message says that the signature does not match the rest of the URL. Signature a hash-based message authentication code (HMAC) that you compute over the string-to-sign and key by using the SHA256 algorithm, and then encode by using Base64 encoding
You can find how to construct the string-to-sign and signature depending on the version on this documentation page.
Postman has a built-in JavaScript library that can help you to calculate HMAC:
CryptoJS.HmacSHA1("string-to-sign", "key").toString()
I use azure-sdk-for-js (NodeJS).
Particularly - #azure/storage-blob#12.6.0.
I have a service which generates SAS tokens and they expire in few minutes. I want somehow request new tokens after previous expire. And this should be done even in the middle of operation. Because when I upload big file to blob, in the middle SAS token expires and upload fails.
I have a worked example of what I need, but with EventHub.
I create event hub client with:
new EventHubProducerClient(eventHubHost, eventHubName, sasGenerator)
And sasGenerator is emplementation of TokenCredential. It returns generated AccessToken (which have SAS token and expiresOnTimestamp). And if I got it correctly, EventHubProducerClient use my sasGenerator to refresh tokens when needed.
I found that BlobServiceClient have similar argument credential which can have type of TokenCredential. But the same approach as with EventHub doesn't work:
new BlobServiceClient(blobHost, sasGenerator)
Example of Error:
RestError: Server failed to authenticate the request. Please refer to the information in the www-authenticate header
I also was able to use generated SAS token with AnonymousCredential and it works. But I'm not able to upload big file to blob because the token expires earlier.
Please check the below points ,if they can be worked around
The error Server failed to authenticate the request. Please refer to the information in the www-authenticate header possibly may be due to an issue with your account name/key stored in the the config file or connection string.
It may be due to permissions not in correct order .See Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. And valid permission order.
Came across this Article on how to inject new SAS for an ongoing uploading .
The scenario provides sample to request a new SAS token during the uploading instead of starting a new upload.
SEE:
work-with-shared-access-signatures
Best practices using sas
I am trying to make a REST call to Azure Storage using the following code.
But It shows following error:
<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>AuthenticationFailed</Code>
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\n' +
'RequestId:11c07be7-301e-0003-556f-42091d000000\n' +
'Time:2021-05-06T11:59:40.1049759Z</Message>
<AuthenticationErrorDetail>Audience validation failed. Audience did not match.</AuthenticationErrorDetail>
</Error>
I have already assigned roles:
And have API permissions set:
But still this error. Can anyone help?
The audience of your access token is not correct. The aud(audience) should look like https://xxxx.blob.core.windows.net.
Make sure the scope is https://{account-name}.blob.core.windows.net/user_impersonation when requesting for access token.
I got this error trying to get an auth token from Sharepoint REST api. My SP is cloud based and I am using Postman to test the requests, as a previous attempt similarly ran into a dead end when much troubleshooting back and forth with Msoft lead no where .. Anyway, I have the following error and I was wondering if anyone could help me figure out what it is or how I can troubleshoot this issue.
error_description: "AADSTS50169: The realm 'realm' is not a configured realm of the current service namespace"
error_codes : 50169
I followed this tutorial
Thanks!
Edit: I went through and started again, this tut seems to be working I guess I may have missed a step (my guess is I didn't correctly configure the app permissions with xml when creating the app)
To do authorization of SharePoint online and use REST API via Postman, here is a solution for your reference:
First: get security Token
Access [https://login.microsoftonline.com/extSTS.srf] via Http Post method. The content of the http request is as follows.
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
utility-1.0.xsd">
<s:Header>
<a:Action
s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://login.microsoftonline.com/extSTS.srf</a:To>
<o:Security s:mustUnderstand="1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:UsernameToken>
<o:Username>[username]</o:Username>
<o:Password>[password]</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<a:EndpointReference>
<a:Address>[endpoint]</a:Address>
</a:EndpointReference>
</wsp:AppliesTo>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
</t:RequestSecurityToken>
</s:Body>
</s:Envelope>
The demonstration screenshot in Postman:
And the response content will include a security token as below, we can use this security token to get Access Token of SharePoint.
Second: get Access Token
Here i show you how to get access token of SharePoint online using the security token and SharePoint Rest API.
Access [https://yourdomain.sharepoint.com/_forms/default.aspx?wa=wsignin1.0] via http Post method. The content of the request is the security token that we have got above as below.
And the response as below:
We can see that there are two cookie, rtFa and FedAuth in response header, and these two cookie need to be added to the request in subsequent request.
Third: get Request Digest
Access [https://yourdomain.sharepoint.com/_api/contextinfo] via http Post method with that two cookies which we have got above.
And the response as below:
This is the final Token we want!
Then we can use REST API of SharePoint, we only need to add this token and the previous two cookie, as shown in the following figure.
I'm trying to create a table using this operation:
https://msdn.microsoft.com/en-us/library/azure/dd135729.aspx
with a json request body. However, all my efforts are rejected with the following response:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<error xmlns="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
<code>JsonFormatNotSupported</code>
<message xml:lang="en-US">JSON format is not supported.
RequestId:41192a52-0002-007b-5334-b57662000000
Time:2016-05-23T20:48:17.4360778Z</message>
</error>
The error is mentioned here:
https://msdn.microsoft.com/en-us/library/azure/dd179438.aspx
But that's all I can find
Here's what I'm sending:
http://requestb.in/1l9sye21?inspect#1jmf39
I think the problem is that you need to add the x-ms-version header:
x-ms-version: 2015-04-05
This is required when using Shared Key / Shared Key Lite auth for the Table Service. See https://msdn.microsoft.com/en-us/library/azure/dd894041.aspx for more information.
Adding to Adam's answer: You need to specify Storage Service Versions in requests when authenticated.
For requests using Shared Key or Shared Key Lite, you must pass the x-ms-version header on the request.
For Requests using a Shared Access Signature (SAS), the SignedVersion (sv) parameter specifies the service version to use to authorize and authenticate.
See https://msdn.microsoft.com/en-us/library/azure/dd894041.aspx for more details.
The storage service version used to authenticate with may be incompatible with the version used to process the request, which will lead to some features such as json not available, thus the REST request fails with error (415) JSON format is not supported..
Refer to https://github.com/Azure/azure-storage-net/issues/32 for some information, though it's with SAS rather than SKA.