Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[storage] Add browser support for User Delegation key #21840

Closed
jeremymeng opened this issue May 11, 2022 · 3 comments
Closed

[storage] Add browser support for User Delegation key #21840

jeremymeng opened this issue May 11, 2022 · 3 comments
Assignees
Labels
Client This issue points to a problem in the data-plane of the library. feature-request This issue requires a new behavior in the product in order be resolved. Storage Storage Service (Queues, Blobs, Files)

Comments

@jeremymeng
Copy link
Member

Since the user delegation key can be created using the AAD token.

A desire scenario is that logged in users can directly access a blob (pdf, image, etc.) that they have permission to, using its url + SAS token from a user delegation key in the browser.

We'd need to enable this for browsers

There are already existing packages that do hmac computation in browsers. core-util also provides computeSha256Hmac

export { computeSha256Hash, computeSha256Hmac } from "./sha256";

@jeremymeng jeremymeng added Client This issue points to a problem in the data-plane of the library. feature-request This issue requires a new behavior in the product in order be resolved. Storage Storage Service (Queues, Blobs, Files) labels May 11, 2022
@jeremymeng jeremymeng changed the title Add browser support for User Delegation key [storage] Add browser support for User Delegation key May 11, 2022
@jeremymeng
Copy link
Member Author

@XiaoningLiu has a good point on security concern:

Note that, delegation key has longer life time (max 7 days) than a token (several hours). We treat tokens are safe in browser sessions because they are short and need to refresh permission to get new tokens. Leaking a token is controllable. However, leaking a delegation key makes the impact longer to max 7 days.

@jeremymeng
Copy link
Member Author

jeremymeng commented May 25, 2022

Could there be a way that we enforce an expiration date that is sooner for browser version?

Copy link

Hi @jeremymeng, we deeply appreciate your input into this project. Regrettably, this issue has remained unresolved for over 2 years and inactive for 30 days, leading us to the decision to close it. We've implemented this policy to maintain the relevance of our issue queue and facilitate easier navigation for new contributors. If you still believe this topic requires attention, please feel free to create a new issue, referencing this one. Thank you for your understanding and ongoing support.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale May 13, 2024
@github-actions github-actions bot locked and limited conversation to collaborators May 13, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Client This issue points to a problem in the data-plane of the library. feature-request This issue requires a new behavior in the product in order be resolved. Storage Storage Service (Queues, Blobs, Files)
Projects
None yet
Development

No branches or pull requests

2 participants