UserDelegationKey fails with 500 #2420
OK, the issue seems to be that the claims "tid" and "oid" were missing from my dummy auth token. These should probably be validated as part of the token validation. For reference, here is a TokenCredential which works:

```csharp
namespace My.Test.Framework;

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Microsoft.IdentityModel.Tokens;

// Test-only credential that mints a self-signed HS256 JWT carrying the
// "tid" and "oid" claims Azurite needs to generate a user delegation key.
public class SelfSignedTokenCredential : TokenCredential
{
    private readonly TimeSpan _expiration = TimeSpan.FromHours(1);
    private readonly string _tenant = "aaaaaaaa-aaaa-aaaa-0000-aaaaaaaaaaaa";
    private readonly string _issuer = "https://sts.windows.net/aaaaaaaa-aaaa-aaaa-0000-aaaaaaaaaaaa/";
    // Random per-process signing secret; the token only has to look valid to Azurite.
    private readonly byte[] _secret = RandomNumberGenerator.GetBytes(32);

    public override ValueTask<AccessToken> GetTokenAsync(
        TokenRequestContext requestContext,
        CancellationToken cancellationToken)
    {
        return new ValueTask<AccessToken>(GetToken(requestContext, cancellationToken));
    }

    public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
    {
        // Use the first requested scope as the audience, stripping the ".default" suffix.
        var audience = requestContext.Scopes.Length > 0 ? requestContext.Scopes[0] : "default-audience";
        audience = audience.Replace("//.default", "/");
        var expires = DateTimeOffset.UtcNow + _expiration;
        // Backdate nbf by five minutes to tolerate clock skew between client and emulator.
        var token = GenerateJwtToken(audience, DateTime.UtcNow - TimeSpan.FromMinutes(5), expires.UtcDateTime);
        return new AccessToken(token, expires);
    }

    private string GenerateJwtToken(string audience, DateTime notBefore, DateTime? expires)
    {
        var securityKey = new SymmetricSecurityKey(_secret);
        var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
        return new JwtSecurityTokenHandler().CreateEncodedJwt(
            issuer: _issuer,
            audience: audience,
            subject: new ClaimsIdentity(new[]
            {
                // Object ID and tenant ID: without these the user delegation key call fails.
                new Claim("oid", "c0ffee00-c0ff-eeee-0000-c0ffee000000"),
                new Claim("tid", _tenant),
            }),
            notBefore: notBefore,
            expires: expires,
            issuedAt: null,
            signingCredentials: credentials);
    }
}
```
Would you please help to look at this issue?
Object ID and tenant ID are required to generate a user delegation key, they should always be included in the token credentials to access Azure Storage Service. Azurite's behavior is expected.
@EmmaZhu-MSFT, the issue is not that these fields are required, it is that they are not validated as part of the token validation. When they are missing, the user delegation fails with an internal error rather than a proper error message.

> On Thu, 12 Sept 2024 at 03:06, EmmaZhu-MSFT wrote:
> Object ID and tenant ID are required to generate a user delegation key, they should always be included in the token credentials to access Azure Storage Service. Azurite's behavior is expected.
With a token with invalid tenant id or object id, Azure would return 401 error like following:
401 error is for bearer token challenge logic, which Azurite cannot support. We'd need to discuss Azurite's behavior when tid or oid is missing.
I don't follow your last point. The following file already includes various verifications on the bearer token claims: It seems to me all that is missing are some checks there to ensure tid and oid are set.
We definitely should check whether tid and oid are set. The above message is just about what kind of message we should report. We'll discuss internally about it, and will update in this issue with any progress.
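An added example (not Azurite's own code) of the kind of claim check the thread asks for, in TypeScript since that is Azurite's language: decode the bearer token payload and reject a token whose "tid" or "oid" claim is absent or empty with a structured error instead of letting the user delegation key path fail with a 500. The 401 status, the error code string and the makeToken helper are assumptions; signature, issuer and expiry validation are assumed to have run before this step.

```typescript
// Added example, not Azurite code: require "tid" and "oid" on a bearer JWT
// before the user-delegation-key path dereferences them.
import { createHmac } from "crypto";

export interface ClaimCheckError {
  statusCode: number;
  code: string;
  message: string;
}

// Constructed helper so the example runs offline: mint an HS256 JWT with the
// given claims, the same shape as the self-signed test token in the thread.
export function makeToken(claims: Record<string, unknown>, secret: string): string {
  const header = Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })).toString("base64url");
  const payload = Buffer.from(JSON.stringify(claims)).toString("base64url");
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// Returns null when every required claim is a non-empty string, otherwise an
// error the HTTP layer can map to a 4xx response. Status and error code are
// assumptions; signature/issuer/expiry checks are assumed to run before this.
export function checkRequiredClaims(
  token: string,
  required: string[] = ["tid", "oid"],
): ClaimCheckError | null {
  const unauthorized = (message: string): ClaimCheckError => ({
    statusCode: 401, code: "InvalidAuthenticationInfo", message,
  });
  const parts = token.split(".");
  if (parts.length !== 3) return unauthorized("Bearer token is not a JWT");
  let decoded: unknown;
  try {
    decoded = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return unauthorized("Bearer token payload is not valid JSON");
  }
  if (typeof decoded !== "object" || decoded === null) {
    return unauthorized("Bearer token payload is not a claims object");
  }
  const claims = decoded as Record<string, unknown>;
  const missing = required.filter(
    (name) => typeof claims[name] !== "string" || (claims[name] as string).length === 0,
  );
  return missing.length === 0
    ? null
    : unauthorized(`Bearer token is missing required claim(s): ${missing.join(", ")}`);
}
```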
Which service (blob, file, queue, table) does this issue concern?
blob
Which version of the Azurite was used?
Where do you get Azurite? (npm, DockerHub, NuGet, Visual Studio Code Extension)
npm
What's the Node.js version?
```
node --version
v20.12.1
```
What problem was encountered?
Try to generate user delegated key, see log below.
Steps to reproduce the issue?
If possible, please provide the debug log using the `-d` parameter, replacing `<pathtodebuglog>` with an appropriate path for your OS, or review the instructions for docker containers:
Please be sure to remove any PII or sensitive information before sharing!
The debug log will log raw request headers and bodies, so that we can replay these against Azurite using REST and create tests to validate resolution.
Have you found a mitigation/solution?
not yet