I want to mimic the features of a secure FTP Server, such that the end user would have to present credentials or a token before the end user can download a file.
How can this be accomplished using blob storage? Shared Access Signatures does not work, as once you have the URL you have access to the file?
I want a feature such that the user either enters his/her credentials or presents token before the download. Any Ideas?
The recommended pattern is to write your own service that authenticates the user, checks if they're authorized for the requested resource, and then returns either:
the requested resource:
or a Shared Access Signature for the requested resource:
http://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/#when-should-you-use-a-shared-access-signature
Related
I have created a PowerBI report with embedded videos using the HTML customer visual. The videos are hosted on an Azure Blob Storage so I have generated a SAS token that I have added to the video URL in my data.
However, I would look to increase the security of Blob Storage and find a better solution to avoid having a SAS token out there for everyone to use and with limited control over.
For example, would it be possible to access a token provider that would generate an access token on the fly if a set of credentials is correct? This way, I would be able to control the access to the videos.
I looked into Shared Access Signature but was not able to implement it from PowerBi. Any other ideas are welcome!
I tried to reproduce the same in my environment and got the results like below:
To avoid a SAS token accessible to everyone, try generating the access token by specifying user's IP address or IP Range who are allowed to access:
If the user's IP address is not in the range, the user will get the below error while accessing the SAS URL:
Would it be possible to access a token provider that would generate an access token on the fly if a set of credentials is correct.
You can make use of Authorization-Code Flow to generate the access token which will ask for the Users interaction while generating the token.
Make use of the below Parameters to generate the access token:
GET https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:*****
grant_type:authorization_code
scope:scope
redirect_uri:redirect_uri
code:code
A sign-in screen will appear to validate the Users credentials:
Access token got generated successfully like below:
We have a backend service that can return a json result (Elasticsearch result) or an interactive browser web page (Kibana) based on the route. This service is gated behind an API Management service. Our developers need to be able to access the web page (Kibana). We are currently using a client certificate and we have it set to require this in our API definition. When browsing to the path in the browser, the user is prompted for the cert and the connection is made.
I would like to get rid of having to manage the certificate and instead use AAD to allow only users in a specific group to be able to access. I understand how to do this when making an API call. Is it possible to also have an experience similar to the cert where if the user is not logged in, they are prompted to log in, and then if they are in the correct group, access would be allowed?
Thanks
I imagine you want to enforce authentication at APIM level and not in Kibana. For that you'll have to handle two flows:
Initial flow, when non authenticated user requests URL, you should of check for persistent auth, possible in Cookie header and if not found - redirect user to login.microsoft.com.
Returning flow, when Azure AD redirects user back to APIM with a token, you'll need to validate that token and add it to Set-Cookie header, better encrypted.
And finally when any call is made also check and validate the cookie to see if it has expired.
I am using Azure AD, in which access token comes to teh redirect URL when the user is successfully signed in into their Microsoft account. Can we avoid getting this token in the URL, and get it somewhere else? Or is there any different approach required for this?
As if someone gets that token, they can hit the backend server of my application and can get data.
Your concern is well-founded, but receiving a token in the redirect URI is central to how OAuth flows work, regardless of whether that's Azure AD or any other OAuth IdP.
From an OAuth redirect URI overview:
Because the redirect URL will contain sensitive information, it is critical that the service doesn’t redirect the user to arbitrary locations.
The best way to ensure the user will only be directed to appropriate locations is to require the developer to register one or more redirect URLs when they create the application.
You're redirecting them to a source you control, using an encrypted channel, and that's considered good enough for current Internet security operations.
I wonder if it is possible to do:
- I have a blob storage with some html webpage. That storage is private. I cannot be set as public access. Only user with tokens may access it.
It is possible to access single files using SAS token based authentication generating URI and a query string, but that only works for 1 file. I.E. I access a index.html page, but when I click a link on that page, access token is not passed, so I get 403 error for that subpage.
Is it possible to make it such, that token would allow all the subpages to access?
I wonder if it is even achievable.
Assuming:
By access token you mean Shared Access Signature (SAS) token and
All the files are in the same private container
It is certainly possible to access sub pages.
For that, first thing you would need to do is create the SAS token on the blob container and not on an individual file (index.html in your case).
Since the page is an HTML page and not generated dynamically, what you would need to do is when someone clicks on a link to a subpage, using JavaScript you would need to append that SAS token to the link.
For example, if there's a subpage called index2.html and when someone clicks on the link for that, using JavaScript you would read the query string from the URL for your main page (which is essentially the SAS token), append that SAS token to the link and then redirect the user to that link.
I was looking into the Amazon S3 documentation and I realized that when a permanent IAM user would be added, an AccessID and a SecretID would be generated. However, when a temporary user would be added, an AccessID, a SecretID and a token would be generated. This token would have to be passed as a parameter in the ensuing requests. The details can be found here.
Why exactly are tokens used? What is the need/usecase that it satisfies?
Thanks.
Did you see the Amazon documentation on Use Cases for Granting Temporary Access?
I've used this sort of temporary access with a music service to grant web and mobile users temporary access to music files stored on S3. I generated a custom url for users for each S3 file -- the URL would expired immediately, so it couldn't be shared with others.