We needed to test our Azure code against something real, so we decided to use Azurite. Azurite's documentation lists well-known test connection strings to use, but we soon hit a wall when trying to test our self-signed SAS token using a user delegation key. This is because Azurite will only generate user delegation keys when OAuth over HTTPS is enabled.
While all that is documented just fine (a smaller nightmare really), there was ZERO documentation on generating an OAuth token that could be consumed by the Java SDK to authenticate against Azurite.
So how does one authenticate against Azurite using OAuth tokens?
This is unfortunately a poor design for Azurite's OAuth functionality, since OAuth tokens are one of the only ways to generate user delegation keys via Azurite (required to test self-signed SAS tokens). Since a production token is accepted as is, I MITM'd my own production token and reduced it down to the following anonymous token that is accepted by Azurite using the Java SDK:
Header:
{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "foo",
  "kid": "foo"
}
Payload:
{
  "aud": "https://storage.azure.com",
  "iss": "https://sts.windows.net/foo/",
  "iat": 1734352522,
  "nbf": 1734352522,
  "exp": 2100000000,
  "acr": "1",
  "aio": "",
  "altsecid": "1:live.com:foo",
  "amr": [
    "pwd"
  ],
  "appid": "foo",
  "appidacr": "0",
  "email": "[email protected]",
  "family_name": "foo",
  "given_name": "foo",
  "groups": [
    "foo"
  ],
  "idp": "live.com",
  "idtyp": "user",
  "ipaddr": "127.0.0.1",
  "name": "foo",
  "oid": "foo",
  "puid": "",
  "rh": "foo",
  "scp": "user_impersonation",
  "sub": "",
  "tid": "foo",
  "unique_name": "live.com#[email protected]",
  "uti": "",
  "ver": "1.0",
  "xms_idrel": "16 5"
}
Signature:
invalid_signature
Stitch them all together as a standard JWT token, by encoding each part in base64:
<base64 version of header found above>.<base64 version of payload found above>.invalid_signature
I would paste the entire token, but that would probably flag my account somewhere somehow. If you're using the Java SDK, here's what I have:
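import com.azure.core.credential.AccessToken;
import com.azure.storage.blob.BlobServiceClientBuilder;
import java.time.OffsetDateTime;
import reactor.core.publisher.Mono;
String token = ""; // read the JWT token from somewhere
BlobServiceClientBuilder bsc = new BlobServiceClientBuilder();
...
// TokenCredential lambda that always hands back the static test token
bsc.credential(request -> Mono.just(new AccessToken(token, OffsetDateTime.MAX)));
...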
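The stitching step described above, as an added example that is not part of the original comment or of Azurite or the Azure SDK: a JDK-only class (Java 15+ for text blocks) that encodes the header and payload as unpadded base64url, the encoding JWT segments use, and appends the literal signature placeholder. The class and method names are hypothetical, and the "email" and "unique_name" values are constructed placeholders because the page's originals are obscured.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class AzuriteTestToken {
    // Header and payload as listed on the page.
    static final String HEADER = """
        {"typ":"JWT","alg":"RS256","x5t":"foo","kid":"foo"}""";
    // Assumption: "email" and "unique_name" are constructed placeholder values.
    static final String PAYLOAD = """
        {"aud":"https://storage.azure.com","iss":"https://sts.windows.net/foo/",
        "iat":1734352522,"nbf":1734352522,"exp":2100000000,"acr":"1","aio":"",
        "altsecid":"1:live.com:foo","amr":["pwd"],"appid":"foo","appidacr":"0",
        "email":"foo@example.com","family_name":"foo","given_name":"foo",
        "groups":["foo"],"idp":"live.com","idtyp":"user","ipaddr":"127.0.0.1",
        "name":"foo","oid":"foo","puid":"","rh":"foo","scp":"user_impersonation",
        "sub":"","tid":"foo","unique_name":"live.com#foo@example.com","uti":"",
        "ver":"1.0","xms_idrel":"16 5"}""";

    // JWT segments use URL-safe base64 without '=' padding.
    static String b64url(String json) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    // header.payload.signature; the third segment is the literal placeholder from the page.
    static String buildToken() {
        return b64url(HEADER) + "." + b64url(PAYLOAD) + ".invalid_signature";
    }

    // Reads the standard "exp" claim (seconds since epoch) back out of a token.
    static long expiry(String token) {
        String payload = new String(
                Base64.getUrlDecoder().decode(token.split("\\.")[1]), StandardCharsets.UTF_8);
        Matcher m = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)").matcher(payload);
        if (!m.find()) throw new IllegalArgumentException("token has no exp claim");
        return Long.parseLong(m.group(1));
    }

    public static void main(String[] args) {
        String token = buildToken();
        // Fail fast if the fixture has aged past its own exp claim.
        if (expiry(token) <= System.currentTimeMillis() / 1000) {
            throw new IllegalStateException("test token expired; raise exp in PAYLOAD");
        }
        System.out.println(token);
    }
}
```

The printed string is the value the `token` variable in the SDK snippet above would hold. It carries no valid signature, so it is only a fixture for a local Azurite instance.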
PS: This is a replica of my comment here: https://github.com/Azure/Azurite/issues/537#issuecomment-2545729784