Tags: c#, azure, azure-active-directory, blazor, azure-cosmosdb

CosmosDB access only specific records for user


I'm trying to achieve completely "serverless" status for my app with some simple CRUD operations, so my current approach is Blazor WASM on the front-end and CosmosDB as records storage. I've configured AAD (Azure Active Directory) authentication in my Blazor App, and as for now, I'm wondering if there is any way to restrict the CosmosDB client in Blazor to read only records which belong to the current user specifically (each record has a UserId field)? So, the main thing that I want to know is if it is possible at all? Because I've found plenty of different documentation, but because of a lack of experience with Azure, I can't completely figure it out.

Thank you in advance!

P.S. The main solution I would like to approach: completely avoid any backend (API/servers/Azure Functions), because I really want to make it just Client App <-> CosmosDB, and AFAIK Firebase with a JavaScript front-end allows you to do such a trick, but I'm interested in an Azure-specific solution here.


Solution

  • I don't have a simple walkthrough for Blazor, but overall the process would be similar to this guidance: Authenticate Users with an Azure Cosmos DB Document Database and Xamarin.Forms, but it requires setup of an API service to broker the connections, which you specifically have asked to avoid.

    If you didn't use an automated Resource Token Broker, then in your logic somewhere you would need to store a map of some kind to resolve the Cosmos DB Resource Tokens for the logged-in user.

    In the following guidance, replace Xamarin with Blazor and Facebook with Azure AD:

    (Diagram: typical resource token process)

    1. On login, the Blazor WASM contacts Azure App Service to initiate an authentication flow.
    2. Azure App Service performs an Open Auth flow with Azure AD. After the authentication flow completes, the Blazor WASM receives an access token.
    3. The Blazor WASM uses the access token to request a resource token from the resource token broker.
    4. The resource token broker uses the access token to request the user's identity from Azure AD. The user's identity is then used to request a resource token from Cosmos DB, which is used to grant read/write access to the authenticated user's partitioned collection.
    5. The Blazor WASM uses the resource token to directly access Cosmos DB resources with the permissions defined by the resource token.
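The following is an added example (not code from the answer, the linked Xamarin guidance, or the Cosmos DB SDK documentation) of what steps 4 and 5 look like with the Microsoft.Azure.Cosmos v3 SDK. The broker half must run somewhere the account key can be kept secret, which is exactly why a pure Client App <-> CosmosDB setup cannot do this on its own: the account key is what mints the resource token, and anything shipped to the browser is readable by the user. The endpoint, key, database and container names are placeholders; the container is assumed to be partitioned on `/UserId`, and the `userObjectId` passed in is assumed to be the `oid` claim of an Azure AD access token the broker has already validated. The client half is written as a plain .NET client; whether the SDK itself loads inside Blazor WASM is not something this page establishes.

```csharp
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.Azure.Cosmos;

// Placeholder settings shared by broker and client. The account key MUST stay
// on the broker side; only the endpoint and a resource token reach the client.
public static class CosmosSettings
{
    public const string Endpoint    = "https://<account>.documents.azure.com:443/";
    public const string AccountKey  = "<primary-key-kept-server-side-only>";
    public const string DatabaseId  = "appdb";
    public const string ContainerId = "records";   // assumed partition key path: /UserId
}

// Step 4: the resource token broker. Runs in a trusted service, never in the browser.
public static class ResourceTokenBroker
{
    // userObjectId: the validated 'oid' claim of the caller's Azure AD token (assumption).
    // Returns a resource token that can only read items whose partition key == userObjectId.
    public static async Task<string> IssueReadTokenAsync(string userObjectId)
    {
        using CosmosClient admin = new CosmosClient(CosmosSettings.Endpoint, CosmosSettings.AccountKey);
        Database db = admin.GetDatabase(CosmosSettings.DatabaseId);
        Container container = db.GetContainer(CosmosSettings.ContainerId);

        // One Cosmos DB user per directory user; Upsert keeps this idempotent across logins.
        UserResponse userResponse = await db.UpsertUserAsync(userObjectId);
        User cosmosUser = userResponse.User;

        // The permission is scoped to the container AND to one partition key value,
        // so the token cannot read other users' partitions. Read mode blocks writes.
        var permission = new PermissionProperties(
            id: "read-own-records",
            permissionMode: PermissionMode.Read,
            container: container,
            resourcePartitionKey: new PartitionKey(userObjectId));

        // Resource tokens are short-lived by design; the SDK accepts 600-18000 seconds.
        PermissionResponse permissionResponse =
            await cosmosUser.UpsertPermissionAsync(permission, tokenExpiryInSeconds: 3600);

        return permissionResponse.Resource.Token;
    }
}

// Step 5: the client uses the resource token in place of the account key.
public static class RecordsClient
{
    // Counts the caller's own records. The query must target the partition the token
    // was issued for; reading any other partition is rejected by the service.
    public static async Task<int> CountOwnRecordsAsync(string resourceToken, string userObjectId)
    {
        using CosmosClient client = new CosmosClient(CosmosSettings.Endpoint, resourceToken);
        Container container = client.GetContainer(CosmosSettings.DatabaseId, CosmosSettings.ContainerId);

        QueryDefinition query = new QueryDefinition(
                "SELECT VALUE COUNT(1) FROM c WHERE c.UserId = @uid")
            .WithParameter("@uid", userObjectId);
        var options = new QueryRequestOptions { PartitionKey = new PartitionKey(userObjectId) };

        int total = 0;
        using FeedIterator<int> iterator = container.GetItemQueryIterator<int>(query, requestOptions: options);
        while (iterator.HasMoreResults)
        {
            foreach (int n in await iterator.ReadNextAsync())
                total += n;
        }
        return total;
    }

    // Demonstrates the enforcement: a Read-mode token cannot create items even in the
    // caller's own partition. Returns false when the service answers 403 Forbidden.
    public static async Task<bool> TryCreateRecordAsync(string resourceToken, string userObjectId)
    {
        using CosmosClient client = new CosmosClient(CosmosSettings.Endpoint, resourceToken);
        Container container = client.GetContainer(CosmosSettings.DatabaseId, CosmosSettings.ContainerId);

        var item = new { id = Guid.NewGuid().ToString(), UserId = userObjectId, Note = "constructed sample" };
        try
        {
            await container.CreateItemAsync(item, new PartitionKey(userObjectId));
            return true;
        }
        catch (CosmosException ex) when (ex.StatusCode == HttpStatusCode.Forbidden)
        {
            return false;   // expected outcome with a PermissionMode.Read token
        }
    }
}
```

The security property rests on two things being aligned: the container's partition key must be the per-user field (`UserId` here), and the broker must derive the partition key value from a claim it has verified rather than from anything the client sends. If either is relaxed, the resource token no longer bounds what the client can read, and the check has to move back into a server-side API, which is the trade-off the answer points at.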