I am struggling to figure out a way to standardize JWT creation across a product.
Following are the two implementations that i have come across
Uses JwtSecurityToken where audience can be null and in this implementation, we have used a clientspecific GUID as a audienceID
string audienceId = data.Properties.Dictionary.ContainsKey(AudiencePropertyKey) ? data.Properties.Dictionary[AudiencePropertyKey] : null;
if (string.IsNullOrWhiteSpace(audienceId)) throw new InvalidOperationException("AuthenticationTicket.Properties does not include audience");
ClientDataModel audience = ClientStore.FindAudience(audienceId);
string symmetricKeyAsBase64 = audience.Base64Secret;
var keyByteArray = TextEncodings.Base64Url.Decode(symmetricKeyAsBase64);
var signingKey = new HmacSigningCredentials(keyByteArray);
var issued = data.Properties.IssuedUtc;
var expires = data.Properties.ExpiresUtc;
//Generate Token based on the Passed information as Parameters
var token = new JwtSecurityToken(_issuer, audienceId, data.Identity.Claims, issued.Value.UtcDateTime, expires.Value.UtcDateTime, signingKey);
var handler = new JwtSecurityTokenHandler();
//Write Token in the JWT Format
var jwt = handler.WriteToken(token);
return jwt;
Using SecurityTokenDescriptor where AppliesToAddress is a must and throws an error in case it is not provided. As per oauth specification, audience is a optional parameter
var tokenHandler = new JwtSecurityTokenHandler();
var now = DateTime.UtcNow;
string symmetricKeyAsBase64 = ConfigurationManager.AppSettings["AudienceSecret"];
var keyByteArray = TextEncodings.Base64Url.Decode(symmetricKeyAsBase64);
var signingKey = new HmacSigningCredentials(keyByteArray);
// Token Creation
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.Name, ""),
}),
TokenIssuerName = ConfigurationManager.AppSettings["Issuer"],
AppliesToAddress = ConfigurationManager.AppSettings["AppliesToAddress"],
Lifetime = new Lifetime(now, now.AddMinutes(Int32.Parse((string)ConfigurationManager.AppSettings["TokenValidFor"]))),
SigningCredentials = signingKey
};
JwtSecurityToken token = tokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken;
return token.RawData;
Can someone suggest which one to use?
Related
I am trying to create a cosmos db partition using the below sample. I am using managed identity to authenticate my requests.
I am using Azure.ResourceManager v1.3.1 and Azure.ResourceManager.CosmosDB v1.0.1
While trying to run below snippet, I am getting:
Azure.RequestFailedException: 'Message: {"code":"BadRequest","message":"Message:
{"Errors":
["A Partition key definition is not specified in the request."]}
I am using .NET Framework 4.7.2
I am not sure how we to pass the partition key definition while creating a cosmos DB SQL Container. Can anyone please help here. Thanks.
private static async Task TestStub1()
{
var subscriptionId = "xxx";
var resourceGroupName = "xxx";
var accountName = "xxx";
var databaseName = "xxx";
var containerName = "xxx";
var throughputProperties = ThroughputProperties.CreateAutoscaleThroughput(4000);
var accountEndpoint = "xxx";
var location = AzureLocation.EastUS;
try
{
var tokenCredential = new DefaultAzureCredential();
var armClient = new ArmClient(tokenCredential);
var dbAccountIdentifier = new ResourceIdentifier($"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DocumentDB/databaseAccounts/{accountName}");
var dbAccount = armClient.GetCosmosDBAccountResource(dbAccountIdentifier);
var databases = dbAccount.GetCosmosDBSqlDatabases();
var cosmosDBSqlDatabaseResourceInfo = new CosmosDBSqlDatabaseResourceInfo(databaseName);
var cosmosDBSqlDatabaseCreateOrUpdateContent = new CosmosDBSqlDatabaseCreateOrUpdateContent(location, cosmosDBSqlDatabaseResourceInfo);
var cosmosDBSqlResource = await databases.CreateOrUpdateAsync(Azure.WaitUntil.Completed, databaseName, cosmosDBSqlDatabaseCreateOrUpdateContent);
if (cosmosDBSqlResource.HasValue)
{
var cosmosDBSqlContainers = cosmosDBSqlResource.Value.GetCosmosDBSqlContainers();
var cosmosDBContainerPartitionKey = new CosmosDBContainerPartitionKey();
cosmosDBContainerPartitionKey.Kind = CosmosDBPartitionKind.Hash;
var cosmosDBSqlContainerResourceInfo = new CosmosDBSqlContainerResourceInfo(containerName);
cosmosDBSqlContainerResourceInfo.PartitionKey = cosmosDBContainerPartitionKey;
var cosmosDBSqlContainerCreateOrUpdateContent = new CosmosDBSqlContainerCreateOrUpdateContent(location, cosmosDBSqlContainerResourceInfo);
var cosmosDBSqlContainer = await cosmosDBSqlContainers.CreateOrUpdateAsync(WaitUntil.Completed, containerName, cosmosDBSqlContainerCreateOrUpdateContent);
}
}
catch (Exception ex)
{
throw;
}
}
This is a sample for Microsoft.Azure.Management.CosmosDB but should be the same.
Assuming a string parameter of partitionKey this is how you create a partition key definition.
PartitionKey = new ContainerPartitionKey
{
Kind = "Hash",
Paths = new List<string> { partitionKey },
Version = 1 //version 2 for large partition key
},
More samples like this at Azure Management Libraries for .NET for Azure Cosmos DB
I'm trying to make a downloader attached to the service bus that is going to download the files from blob storage. But I'm having some problems with generating the SAS token manually, please se the error message below.
I'm getting error <AuthenticationErrorDetail>Signature fields not well formed.</AuthenticationErrorDetail>
private static string createToken(string resourceUri, string keyName, string key)
{
var now = DateTime.UtcNow;
TimeSpan sinceEpoch = now - new DateTime(1970, 1, 1);
var time = 60 * 2;
var expiry = Convert.ToString((int)sinceEpoch.TotalSeconds + time);
var expiryDateString = now.AddSeconds(time).ToUniversalTime().ToString("u");
string stringToSign = HttpUtility.UrlEncode(resourceUri) + "\n" + expiry;
HMACSHA256 hmac = new HMACSHA256(Encoding.UTF8.GetBytes(key));
var signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
var sasToken = String.Format(
CultureInfo.InvariantCulture,
"{0}?sp={1}&st={2}&se={3}&spr={4}&sv={5}&sr={6}&sig={7}",
resourceUri,
"r",
DateTime.UtcNow.ToUniversalTime().ToString("u"),
expiryDateString,
"https",
"2019-02-02",
"b",
HttpUtility.UrlEncode(signature));
return sasToken;
}
Is it the stringToSign? Or signature as a whole? I'm a but unusre, to maybe I need to use the HttpUtility.UrlEncoder on all fields?
Please try the code below, it generates a working sas token for me:
static void Main(string[] args)
{
string resourceUri = "https://xx.blob.core.windows.net/test1/1.txt";
string account_name= "storage account name";
string key = "storage account key";
string s1 = createToken(resourceUri,account_name,key);
Console.WriteLine(s1);
Console.ReadLine();
}
private static string createToken(string resourceUri, string account_name, string key)
{
var accountName = account_name;
var accountKey = key;
var start = DateTime.UtcNow.AddHours(-2).ToString("yyyy-MM-ddTHH:mm:ssZ");
var end = DateTime.UtcNow.AddHours(2).ToString("yyyy-MM-ddTHH:mm:ssZ");
var permission = "rwdlac";
var serviceType = "b";
var resourceTypes = "sco";
var protocol = "https";
var serviceVersion = "2019-02-02";
//here is the difference from your code.
var stringToSign = string.Format("{0}\n{1}\n{2}\n{3}\n{4}\n{5}\n{6}\n{7}\n{8}\n",accountName, permission,serviceType,resourceTypes,start,end,"",protocol,serviceVersion);
HMACSHA256 hmac = new HMACSHA256(Convert.FromBase64String(accountKey));
string signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
var sasToken = string.Format("?sv={0}&ss={1}&srt={2}&sp={3}&se={4}&st={5}&spr={6}&sig={7}", serviceVersion,
serviceType, resourceTypes, permission, end, start, protocol, HttpUtility.UrlEncode(signature));
var urlToListTables = resourceUri + sasToken;
return urlToListTables;
}
Please let me know if you still have any issues.
I'm using ADLS Gen2 using rest api Path-Update i'm trying to update data into already created created blank file into ADLS.
but whenever i'm trying to use the API i'm getting below response from API.
{StatusCode: 202, ReasonPhrase: 'Accepted'}
but still the file will be empty.
string requestUri = "https://XXXXXXX.dfs.core.windows.net/XXXXX/abc.txt?action=append&position=0";// &retainUncommittedData=false&close=true";
dynamic method = new HttpMethod("PATCH");
dynamic request = new HttpRequestMessage(method, requestUri)
{
Content = new StringContent("\"requestBody\":\"test\"")
};`enter code here`
// Add some defined headers
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authenticationToken);
request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/octet-stream"));
// Add some other headers or custom headers
request.Headers.TryAddWithoutValidation("Content-Length", "0");
dynamic httpClient = new HttpClient();
dynamic result = httpClient.SendAsync(request).Result;
i expect the data should be updated in file but now i'm getting 202 Accepted as a response code but file is not updated with data
also i tried append with flush operation below is the code i'm getting 405 error
string requestUri = "https://XXXXXX.dfs.core.windows.net/XXXXX/abc.txt?action=append&position=0";// &retainUncommittedData=false&close=true";
var method = new HttpMethod("PATCH");
var request = new HttpRequestMessage(method, requestUri)
{
Content = new StringContent("\"requestBody\":\"test\"")
};
// Add some defined headers
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authenticationToken);
request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("text/plain"));
// Add some other headers or custom headers
// request.Headers.TryAddWithoutValidation("Content-Length", "0");
var httpClient = new HttpClient();
var result = httpClient.SendAsync(request).Result;
string requestUri1 = "https://XXXXX.dfs.core.windows.net/XXXXXX/abc.txt?action=flush&position=0";//&retainUncommittedData=false&close=true";
using (HttpClient httpClient1 = new HttpClient())
{
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authenticationToken);
HttpResponseMessage response = (httpClient.PutAsync(requestUri1, null)).Result;
}
Update:
If the files in adls gen2 is empty, you can use the method below:
static void Main(string[] args)
{
var auth = new AzureServiceTokenProvider();
const string url = "https://storage.azure.com/";
string token = auth.GetAccessTokenAsync(url).Result;
string requestUri = "https://xxx.dfs.core.windows.net/t11/c.txt?action=append&position=0";
var method = new HttpMethod("PATCH");
string upload_string = "have a nice day!";
var request = new HttpRequestMessage(method, requestUri)
{
Content = new StringContent(upload_string)
};
// Add some defined headers
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("text/plain"));
var i = request.Content.AsString().Length;
Console.WriteLine(request.Content.AsString());
var httpClient = new HttpClient();
var result = httpClient.SendAsync(request).Result;
Console.WriteLine("append result status code: "+ (int)result.StatusCode);
//for flush
string requestUri_2 = "https://xxx.dfs.core.windows.net/t11/c.txt?action=flush&position="+upload_string.Length;
var request_2 = new HttpRequestMessage(method,requestUri_2);
using (HttpClient httpClient_2 = new HttpClient())
{
httpClient_2.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
HttpResponseMessage response = httpClient_2.SendAsync(request_2).Result;
Console.WriteLine("flush result status code: " + (int)response.StatusCode);
}
Console.ReadLine();
}
Test result as below, and I also check in azure, the data is flushed into the file.
Once you have received the 202 Accepted you can then call the action=flush and pass the position that you want the data to be flushed to. like below:
https://$STORAGE_ACCOUNT_NAME.dfs.core.windows.net/mydata/data/file1?action=flush&position=10
I am currently using an Umbraco library to extend the Authentication possibilities and enable back office authentication with Active Directory.
https://github.com/umbraco/UmbracoIdentityExtensions
After installing the library and following the blog post below, I was able to display an external login button, authenticate with Active Directory and add a user and external login to the Umbraco database.
https://www.jdibble.co.uk/blog/securing-umbraco-backoffice-with-azure-active-directory/
This then sends you back to the /umbraco login page in a continuous loop. As described by this blog post https://our.umbraco.org/forum/developers/extending-umbraco/75256-login-uisng-azure-ad-redirects-allways-to-login-page
Has anyone faced this issue and solved it? Or have any useful suggestions?
The code being used...
public static void ConfigureBackOfficeAzureActiveDirectoryAuth(this IAppBuilder app,
string tenant, string clientId, string postLoginRedirectUri, Guid issuerId,
string caption = "Active Directory", string style = "btn-microsoft", string icon = "fa-windows")
{
var authority = string.Format(
CultureInfo.InvariantCulture,
"https://login.microsoftonline.com/{0}",
tenant);
var adOptions = new OpenIdConnectAuthenticationOptions
{
SignInAsAuthenticationType = Constants.Security.BackOfficeExternalAuthenticationType,
ClientId = clientId,
Authority = authority,
RedirectUri = postLoginRedirectUri,
AuthenticationMode = AuthenticationMode.Passive,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeReceived = async context =>
{
if (System.Diagnostics.Debugger.IsAttached)
System.Diagnostics.Debugger.Break();
var userService = ApplicationContext.Current.Services.UserService;
var stuff = (List<Claim>)context.JwtSecurityToken.Claims;
var email = stuff.FirstOrDefault(x => x.Type == "unique_name").Value;
var issuer = stuff.FirstOrDefault(x => x.Type == "iss").Value;
var providerKey = stuff.FirstOrDefault(x => x.Type == "sub").Value;
var name = stuff.FirstOrDefault(x => x.Type == "name").Value;
var userManager = context.OwinContext.GetUserManager<BackOfficeUserManager>();
var user = userService.GetByEmail(email);
if (user == null)
{
var writerUserType = userService.GetUserTypeByName("writer");
user = userService.CreateUserWithIdentity(email, email, writerUserType);
}
var identity = await userManager.FindByEmailAsync(email);
if (identity.Logins.All(x => x.ProviderKey != providerKey))
{
identity.Logins.Add(new IdentityUserLogin(issuer, providerKey, user.Id));
identity.Name = name;
var result = userManager.Update(identity);
}
},
}
};
adOptions.ForUmbracoBackOffice(style, icon);
adOptions.Caption = caption;
//Need to set the auth type as the issuer path
adOptions.AuthenticationType = string.Format(
CultureInfo.InvariantCulture,
"https://sts.windows.net/{0}/",
issuerId);
adOptions.SetExternalSignInAutoLinkOptions(new ExternalSignInAutoLinkOptions(autoLinkExternalAccount: true));
app.UseOpenIdConnectAuthentication(adOptions);
}
Working with the event hub and found something I find quite odd.
How can I send data to the eventhub acting as a device which i'm not.
private static Task<HttpResponseMessage> PostTelemetryAsync(string test)
{
var serviceNamespace = "dev-hub";
var hubName = "eventhub";
var url = string.Format("/{0}/publishers/testdevice/messages/", hubName);
// Create client.
var httpClient = new HttpClient
{
BaseAddress = new Uri(string.Format("https://{0}.servicebus.windows.net/", serviceNamespace))
};
var payload = JsonConvert.SerializeObject(test);
var sas = createToken("dev-hub", "anotherDevice", "IdmUSeHmcrLfjSfc2ssJVvLcsMIHM/uqG1xSLUIh5t4=");
httpClient.DefaultRequestHeaders.TryAddWithoutValidation("Authorization", sas);
var content = new StringContent(payload, Encoding.UTF8, "application/json");
content.Headers.Add("ContentType", "application/json");
return httpClient.PostAsync(url, content);
}
private static string createToken(string resourceUri, string keyName, string key)
{
TimeSpan sinceEpoch = DateTime.UtcNow - new DateTime(1970, 1, 1);
var week = 60 * 60 * 24 * 7;
var expiry = Convert.ToString((int)sinceEpoch.TotalSeconds + week);
string stringToSign = HttpUtility.UrlEncode(resourceUri) + "\n" + expiry;
HMACSHA256 hmac = new HMACSHA256(Encoding.UTF8.GetBytes(key));
var signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
var sasToken = String.Format(CultureInfo.InvariantCulture, "SharedAccessSignature sr={0}&sig={1}&se={2}&skn={3}", HttpUtility.UrlEncode(resourceUri), HttpUtility.UrlEncode(signature), expiry, keyName);
return sasToken;
}
In the code above I´m generating a SAS token for the device anotherDevice but posting to the url ...publishers/testdevice/messages/. That is a different device.
The eventprocessor I´m using thinks that the data is sent from the testdevice but the SAS token is generated for anotherDevice.
Is it supposed to work like this? How can I use a SAS token for a different device to send data to the hub or am I missing something here?
The sas token it is to authorize your application to send data. You can have hundreads of different publishers all of them using the same sas token. Think as the authorization being this shared key that you distribute to your devices, you don't need to register the publishers before you send. Use the token just as a key to send metrics not as a way to register which device sent the data.