Access Azure Blob storage of a user using oauth2 token obtained


Problem description

In Azure blob storage what I need is to get the access token when a user signs into his account, and by using this access token to perform list/upload/download the files in user blob storage. (Similar to what we can do in Dropbox/Google drive.) Using the given request user authentication I am getting the code,

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=client_id&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&scope=openid%20offline_access%20https%3A%2F%2Fstorage.azure.com%2Fuser_impersonation&state=12345

And the code is used to get the token using the below request

POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=client_id&scope=openid%20offline_access%20https%3A%2F%2Fstorage.azure.com%2Fuser_impersonation&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&grant_type=authorization_code&client_secret=client_secret

But when I call the get request to list using https://account_name.blob.core.windows.net/container_name?restype=container&comp=list I am getting "server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature." How to access the files in the blob storage using the token obtained? Can we do this using Python?

Recommended answer

If you want to access Azure blob storage with Azure AD, please refer to the following steps:

  1. Register Azure AD application

Configure Azure application

a. Configure permissions

Configure RBAC role for the user

az role assignment create \
    --role "Storage Blob Data Contributor" \
    --assignee <email> \
    --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>"

  1. Get token

a. Get code

https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize?
client_id=<>
&response_type=code
&redirect_uri=http://localhost:3000/
&response_mode=query
&scope=https://storage.azure.com/user_impersonation
&state=12345

b. Get token

POST https://login.microsoftonline.com/<>/oauth2/v2.0/token
client_id=<>
&scope=https://storage.azure.com/user_impersonation
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret=<>

  • Call Azure blob REST API
    GET https://myaccount.blob.core.windows.net/mycontainer/myblob
    Headers:
        Authorization: Bearer <>
        x-ms-version: 2019-02-02
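
The steps above expressed in Python, since the question asks for it; this is an added example, not code from the original question or answer. Tenant, client and account values are placeholders, `storage_token_problems` and `fake_jwt` are hypothetical helpers, and the `aud`/`scp` check assumes the access token is a JWT issued for `https://storage.azure.com`.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
SCOPE = "https://storage.azure.com/user_impersonation"  # scope used in the answer

def authorize_url(tenant, client_id, redirect_uri, state):
    """Step a: URL for the user's browser; the code comes back on redirect_uri."""
    query = urlencode({"client_id": client_id, "response_type": "code",
                       "redirect_uri": redirect_uri, "response_mode": "query",
                       "scope": SCOPE, "state": state})
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{query}"

def token_request(tenant, client_id, client_secret, code, redirect_uri):
    """Step b: form-encoded POST redeeming the code (same redirect_uri as step a)."""
    body = urlencode({"client_id": client_id, "scope": SCOPE, "code": code,
                      "redirect_uri": redirect_uri, "client_secret": client_secret,
                      "grant_type": "authorization_code"}).encode()
    return urllib.request.Request(
        f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def list_blobs_request(account, container, access_token):
    """The list call from the question, with the two headers the answer shows."""
    url = f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"
    return urllib.request.Request(url, method="GET", headers={
        "Authorization": f"Bearer {access_token}", "x-ms-version": "2019-02-02"})

def token_claims(access_token):
    """Decode the JWT payload WITHOUT verifying the signature (debugging aid only)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def storage_token_problems(access_token):
    """Hypothetical helper: reasons the token is not a delegated Storage token."""
    claims, problems = token_claims(access_token), []
    if claims.get("aud", "").rstrip("/") != "https://storage.azure.com":
        problems.append(f"aud is {claims.get('aud')!r}, not https://storage.azure.com")
    if "user_impersonation" not in claims.get("scp", "").split():
        problems.append("scp lacks user_impersonation")
    return problems

def fake_jwt(claims):
    """Constructed, unsigned sample token for offline checks; not a real credential."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

Pass the returned `Request` objects to `urllib.request.urlopen` to send them; the token endpoint's JSON response carries the `access_token` that goes into `list_blobs_request`.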
    
    
