Azure / Azurite

A lightweight server clone of Azure Storage that simulates most of the commands supported by it with minimal dependencies

Bearer Challenge Support for Azurite

SamarthMayya opened this issue · comments

Which service(blob, file, queue, table) does this issue concern?

Blob

Which version of the Azurite was used?

v3.29.0

Where do you get Azurite? (npm, DockerHub, NuGet, Visual Studio Code Extension)

npm

What's the Node.js version?

20.11.0

This is a feature request.

I'm from Azure Archive Storage, and we have a feature where we obtain a token from dSTS (which is a token issuing authority), and one crucial step before obtaining the token is to perform a bearer challenge on the blob, so that we know which authority to call.

For Azurite to be integrated into our functional tests, we need to be able to perform the bearer challenge on Azurite blobs as well.

For more context, if we want to be able to get a token so that we can perform Blob API calls on the blob, then first we need to perform a bearer challenge on the blob. A bearer challenge is basically an HTTP request made to the blob, with some special headers, in order to discover the authority from which we should obtain the token, and the scope that the token should contain.

Suppose we have a blob, say "https://account1.blob.core.windows.net/blob1", and we want to get the bearer challenge response for this blob. Suppose the authority from which we should get the dSTS token is "https://region1-dsts.dsts.core.windows.net", and the scope included in the token should be "https://stamp1.stamp-fe.store.preprod.core.windows.net/".

Then the following is the contract for the bearer challenge:

```text
RequestUrl: https://account1.blob.core.windows.net/blob1
Headers for request (additional ones):
Authorization-dSTS=Challenge
x-ms-version=2021-08-06

Response Status Code: 401 Unauthorized
Response Headers (additional ones):
WWW-Authenticate-dSTS="Bearer authorization_uri=https://region1-dsts.dsts.core.windows.net/[/dstsv2/7a433bfc-2514-4697-b467-e0933190487f](https://uswest-passive-dsts.dsts.core.windows.net/dstsv2/7a433bfc-2514-4697-b467-e0933190487f) resource_id=https://stamp1.stamp-fe.store.preprod.core.windows.net/"
```

Is there a way for this contract to be implemented in Azurite?
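The exchange described in the request above, modelled as an added example in Node.js (this is not Azurite's code and not the requester's; the function names `handleBlobRequest`, `parseDstsChallenge` and `runChallengeExchange` are hypothetical). It assumes the contract exactly as quoted: a request carrying `Authorization-dSTS: Challenge` gets a 401 whose `WWW-Authenticate-dSTS` header names the authority and the resource. The sample URLs and tenant path are the ones quoted in the issue. Because the challenge response tells the client where to send its credentials, the client-side parser refuses any authority that is not an absolute https URL before the value is used.

```javascript
// Constructed from the values quoted in the issue (not Azurite code): the authority
// an emulator would advertise and the scope the token must carry.
const CHALLENGE_CONFIG = {
  authorizationUri:
    'https://region1-dsts.dsts.core.windows.net/dstsv2/7a433bfc-2514-4697-b467-e0933190487f',
  resourceId: 'https://stamp1.stamp-fe.store.preprod.core.windows.net/',
};

// HTTP header names are case-insensitive; compare them in one canonical form.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Server side (hypothetical emulator handler): a request carrying
// "Authorization-dSTS: Challenge" is a discovery probe and gets a 401 whose
// WWW-Authenticate-dSTS header names the authority and resource. Anything else
// returns null so the caller falls through to its normal authentication path.
function handleBlobRequest(req, config = CHALLENGE_CONFIG) {
  const h = normalizeHeaders(req.headers);
  if (h['authorization-dsts'] !== 'Challenge') return null;
  const challenge =
    `Bearer authorization_uri=${config.authorizationUri} resource_id=${config.resourceId}`;
  return { status: 401, headers: { 'WWW-Authenticate-dSTS': challenge }, body: '' };
}

// Client side: parse the challenge into the authority to call and the scope to ask for.
// Both values are validated as absolute https URLs, since a client that trusted an
// arbitrary authorization_uri would send its credentials wherever the header said.
function parseDstsChallenge(headerValue) {
  let value = String(headerValue).trim();
  // The issue shows the whole header value wrapped in quotes; accept both forms.
  if (value.startsWith('"') && value.endsWith('"')) value = value.slice(1, -1);
  const m = /^Bearer\s+(.+)$/.exec(value);
  if (!m) throw new Error('not a Bearer challenge');
  const params = {};
  for (const token of m[1].trim().split(/\s+/)) {
    const eq = token.indexOf('=');
    if (eq <= 0) throw new Error(`malformed challenge parameter: ${token}`);
    params[token.slice(0, eq)] = token.slice(eq + 1).replace(/^"|"$/g, '');
  }
  for (const name of ['authorization_uri', 'resource_id']) {
    if (!params[name]) throw new Error(`challenge is missing ${name}`);
    let parsed;
    try {
      parsed = new URL(params[name]);
    } catch (e) {
      throw new Error(`${name} is not an absolute URL`);
    }
    if (parsed.protocol !== 'https:') throw new Error(`${name} must use https`);
  }
  return { authorityUri: params.authorization_uri, scope: params.resource_id };
}

// End-to-end walk through the exchange with a constructed request; returns what the
// client learns from the emulator before it calls the token authority.
function runChallengeExchange() {
  const request = {
    method: 'GET',
    url: 'https://account1.blob.core.windows.net/blob1', // sample blob from the issue
    headers: { 'Authorization-dSTS': 'Challenge', 'x-ms-version': '2021-08-06' },
  };
  const response = handleBlobRequest(request);
  if (!response || response.status !== 401) throw new Error('expected a 401 challenge');
  const { authorityUri, scope } = parseDstsChallenge(response.headers['WWW-Authenticate-dSTS']);
  return { status: response.status, authorityUri, scope };
}

console.log(JSON.stringify(runChallengeExchange(), null, 2));
```

A real emulator handler would sit in front of its normal authentication check, so that a probe never reaches the code that validates a token; the `null` return here stands in for that fall-through.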

@SamarthMayya

To implement the 401 bearer Challenge, you can:

  1. Define the error class for 401; you can refer to the storage error definition.
  2. Modify the OAuth authentication code, and return the 401 error when the incoming request is dSTS and should return a bearer challenge.

Azurite welcomes contributions!
It would be great if you can raise a PR to add the support after the feature is GA released in public Azure Storage. (You can run your Azurite from your local code before that.)

@blueww Once the PR is raised for these changes, is it possible to have another release branch, and hence another npm release separately for this? Basically we wanted a way to use those changes for our local testing before we push any changes.

If not, then is there a way to publish this to Azure DevOps, and we can consume that build of Azurite from there?

@SamarthMayya

We can consider taking the PR after the feature is publicly GA released in the storage server in all regions.
Before that, since Azurite is open source, you can build/handle your own private Azurite package.