Secure Azure Storage API

Overview

AAD App Registration

  • Decide whether users may sign in only when they belong to your organization (a single tenant).
  • Request the delegated permissions the app needs, for example the “user.read” scope.
  • Expose scopes that define access to your web API. These are scopes you define yourself; clients request them when they acquire a token for the API.
  • Create a secret shared with the Microsoft identity platform that proves the app’s identity.

Generate Code

dotnet new webapi -au SingleOrg -o SecureApi
cd SecureApi
dotnet add package Azure.Identity
dotnet add package Azure.Storage.Blobs

Options:
  -au|--auth    The type of authentication to use
                None           - No authentication
                IndividualB2C  - Individual authentication with Azure AD B2C
                SingleOrg      - Organizational authentication for a single tenant
                Windows        - Windows authentication
                Default: None

Develop Code From Local

  • Update .vscode/launch.json: “ASPNETCORE_ENVIRONMENT”: “Local”
  • Add an appsettings.Local.json file and fill it with the actual values, for local development only
  • Leave appsettings.json with placeholder values
  • Add appsettings.Local.json to .gitignore
  • git reset appsettings.Local.json
    (so the file is not committed or pushed to the repo)
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "need to update xyz.onmicrosoft.com",
    "TenantId": "need to update ",
    "ClientId": "need to update ",
    "Scopes": "ToDoList.Read ToDoList.Write",
    "CallbackPath": "/signin-oidc"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "AzureStorage": {
    "AcctName": "need to update tbd",
    "ContainerName": "need to update tbd"
  }
}

Customize Code

namespace SecureApi;

public class MyBlobFile
{
    public string? BlobFile { get; set; }
    public DateTimeOffset? LastModified { get; set; }
}
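The post does not show the controller that serves the POST /MyBlobFile call validated below, so here is one as an added example; it is not the author's code. It assumes the SingleOrg template's Microsoft.Identity.Web setup in Program.cs, the template's implicit usings, the "AzureStorage" settings above, and a blob name such as dummy.txt; it reads the blob with DefaultAzureCredential instead of a storage account key and only accepts tokens carrying the configured scopes.

```csharp
// Added example (not the author's code). Assumes the SingleOrg template wiring
// in Program.cs and the AzureAd/AzureStorage sections of appsettings above.
using Azure.Identity;
using Azure.Storage.Blobs;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web.Resource;
using System.Text.RegularExpressions;

namespace SecureApi.Controllers;

[ApiController]
[Route("[controller]")]
[Authorize]  // caller must present a valid AAD bearer token for this API
[RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]  // ToDoList.Read / ToDoList.Write
public class MyBlobFileController : ControllerBase
{
    // Blob names this API accepts: a flat file name, no separators or dot segments.
    private static readonly Regex SafeName = new(@"^[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,8})?$");
    private readonly BlobContainerClient _container;

    public MyBlobFileController(IConfiguration config)
    {
        // AcctName / ContainerName come from the "AzureStorage" section shown above.
        var acct = config["AzureStorage:AcctName"];
        var containerName = config["AzureStorage:ContainerName"];
        // DefaultAzureCredential uses the developer's az login / IDE sign-in locally and a
        // managed identity in Azure, so no storage account key is kept in configuration.
        var service = new BlobServiceClient(
            new Uri($"https://{acct}.blob.core.windows.net"),
            new DefaultAzureCredential());
        _container = service.GetBlobContainerClient(containerName);
    }

    // POST /MyBlobFile  { "blobFile": "dummy.txt" }  -> returns the blob's text content
    [HttpPost]
    public async Task<IActionResult> Post([FromBody] MyBlobFile request)
    {
        if (request.BlobFile is null || !SafeName.IsMatch(request.BlobFile))
            return BadRequest("blobFile must be a simple file name.");

        var blob = _container.GetBlobClient(request.BlobFile);
        if (!await blob.ExistsAsync())
            return NotFound();

        var download = await blob.DownloadContentAsync();
        return Content(download.Value.Content.ToString(), "text/plain");
    }
}
```

The API's own identity needs a data-plane role such as Storage Blob Data Reader on the container; a token that lacks the scopes listed in "AzureAd:Scopes" is rejected before the blob is touched.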

Validation

C:\WINDOWS\system32>az login --scope api://<api service app registration client id>/ToDoList.Read api://<api service app registration client id>/ToDoList.Write

C:\WINDOWS\system32>az account get-access-token --scope "api://<api service app registration client id>/ToDoList.Read api://<api service app registration client id>/ToDoList.Write"
{
  "accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs....",
  "expiresOn": "2022-06-10 23:53:19.000000",
  "subscription": "24c9c37c-bf59-4b84-907c-43819602e881",
  "tenant": "9b2ec8d7-37b8-4aac-acd2-9ed0acfb1c5a",
  "tokenType": "Bearer"
}

Decoded claims of the access token (audience, issuer and granted scopes):
{
  "aud": "api service app registration client id",
  "iss": "https://login.microsoftonline.com/<tenant id>/v2.0",
  ...
  "scp": "ToDoList.Read ToDoList.Write",
  ...
  "ver": "2.0"
}

Calling the API with the token as a bearer header:
$ curl -k -X 'POST'  'https://localhost:7249/MyBlobFile'   -H 'accept: text/plain'  -H 'Content-Type: application/json' -H 'Authorization: bearer eyJ0eXAiOiJKV1Q....'  -d '{  "blobFile": "dummy.txt"}'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 45 100 18 100 27 1 1 0:00:27 0:00:14 0:00:13 4
dummy file line #1

Conclusion


All blogs are strictly personal and do not reflect the views of my employer, focus on cloud networking, cloud security and MS identity platform.
