EDIT 2: The following is the output of the Authorization error:
<?xml version=\"1.0\" encoding=\"utf-8\"?>
<Error>
<Code>AuthenticationFailed</Code>
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:34d738a5-101e-000d-5a14-ed5956000000\nTime:2021-01-17T21:07:38.6231913Z
</Message>
<AuthenticationErrorDetail>Signature did not match. String to sign used was cw\n2021-01-17T19:06:42Z\n2021-01-18T21:06:42Z\n/blob/example-account/example-container/example-blob.json\n\n\nhttps\n2019-02-02\nb\n\n\n\n\n\n
</AuthenticationErrorDetail>
</Error>
I don't really understand... I updated the C# code below to print out the string_to_sign with the \n characters, and it's exactly the same as the string_to_sign from the output above.
NOTE: The SAS token generated from Azure Storage that does work is an Account SAS, while the one I'm generating is a Service SAS. Could Service SAS be restricted in Azure Storage?
EDIT: I tried generating a SAS token directly from Azure Storage, and this did seem to work. It appears to be an account SAS, NOT the service SAS I'm trying to use below.
?sv=2019-12-12&ss=b&srt=o&sp=wac&se=2021-01-18T01:15:13Z&st=2021-01-17T17:15:13Z&spr=https&sig=<signature>
I'm looking to be able to send upload a file to Azure Storage using it's REST API. However, I'm having some trouble getting it to Authorize. I find the documentation a bit conflicting, in some places it says I can include a SAS token in the URI, in others it's in the Authorize header. For context, I'm trying to do it directly from APIM, so in the sample code below it's written with its limited API. This is just a general concept I'm using to generate the authorization string, but I keep getting a 403 when I use it (I'm not sure if I need to do something from the Azure Storage side).
/**
Based on https://learn.microsoft.com/en-us/rest/api/storageservices/create-service-sas
*/
using System;
using System.Collections.Generic;
namespace sas_token
{
class Program
{
static void Main(string[] args)
{
string key = args[0];
Console.WriteLine(generate_blob_sas_token(key));
}
public static string generate_blob_sas_token(string key)
{
const string canonicalizedResource = "canonicalizedResource";
// NOTE: this only works for Blob type files, Tables have a different
// structure
// NOTE: use a List instead of Dictionary since the order of keys in
// Dictionaries is undefined and the signature string requires a very
// specific order
List<KeyValuePair<string, string>> sas_token_properties = new List<KeyValuePair<string, string>>(){
// signedPermissions, select 1..* from [racwdxltmeop], MUST be in that order
new KeyValuePair<string, string>("sp", "cw"),
// signedStart time, date from when the token is valid
// NOTE: because of clock skew between services, even setting the time to
// now may not create an immediately usable token
new KeyValuePair<string, string>("st", DateTime.UtcNow.AddMinutes(-120).ToString("yyyy-MM-ddTHH:mm:ssZ")),
// signedExpiry time, date until the token is valid
new KeyValuePair<string, string>("se", DateTime.UtcNow.AddDays(1).ToString("yyyy-MM-ddTHH:mm:ssZ")),
// canonicalizedResource, must be prefixed with /blob in recent versions
// NOTE: this is NOT included as a query parameter, but is in the signature
// URL = https://myaccount.blob.core.windows.net/music/intro.mp3
// canonicalizedResource = "/blob/myaccount/music/intro.mp3"
new KeyValuePair<string, string>(canonicalizedResource, "/blob/example-account/example-container"),
// signedIdentifier, can be used to identify a Stored Access Policy
new KeyValuePair<string, string>("si", ""),
// signedIP, single or range of allowed IP addresses
new KeyValuePair<string, string>("sip", ""),
// signedProtocol
// [http, https]
new KeyValuePair<string, string>("spr", "https"),
// signedVersion, the version of SAS used (defines which keys are
// required/available)
new KeyValuePair<string, string>("sv", "2019-02-02"),
// signedResource, the type of resource the token is allowed to access
// [b = blob, d = directory, c = container, bv, bs]
new KeyValuePair<string, string>("sr", "b"),
// signedSnapshotTime
new KeyValuePair<string, string>("sst", ""),
// the following specify how the response should be formatted
// Cache-Control
new KeyValuePair<string, string>("rscc", ""),
// Content-Disposition
new KeyValuePair<string, string>("rscd", ""),
// Content-Encoding
new KeyValuePair<string, string>("rsce", ""),
// Content-Language
new KeyValuePair<string, string>("rscl", ""),
// Content-Type
new KeyValuePair<string, string>("rsct", "")
};
// the format is a very specific text string, where values are delimited by new
// lines, and the order of the properties in the string is important!
List<string> values = new List<string>();
foreach (KeyValuePair<string, string> entry in sas_token_properties)
{
values.Add(entry.Value);
}
string string_to_sign = string.Join("\n", new List<string>(values));
Console.WriteLine(string_to_sign.Replace("\n", "\\n"));
System.Security.Cryptography.HMACSHA256 hmac = new System.Security.Cryptography.HMACSHA256(System.Text.Encoding.UTF8.GetBytes(key));
var signature = System.Convert.ToBase64String(hmac.ComputeHash(System.Text.Encoding.UTF8.GetBytes(string_to_sign)));
// create the query parameters of any set values + the signature
// NOTE: all properties that contribute to the signature must be added
// as query params EXCEPT canonicalizedResource
List<string> parameters = new List<string>();
foreach (KeyValuePair<string, string> entry in sas_token_properties)
{
if (!string.IsNullOrEmpty(entry.Value) && entry.Key != canonicalizedResource)
{
parameters.Add(entry.Key + "=" + System.Net.WebUtility.UrlEncode(entry.Value));
}
}
parameters.Add("sig=" + System.Net.WebUtility.UrlEncode(signature));
string sas_token_querystring = string.Join("&", parameters);
return sas_token_querystring;
}
}
}
I use the output in the following (simplified) APIM policy (I set "sas_token" variable to the output of the function to test the process):
<set-variable name="x-request-body" value="#(context.Request.Body.As<string>())" />
<send-request mode="new" response-variable-name="tokenstate" timeout="20" ignore-error="true">
<set-url>#("https://example-account.blob.core.windows.net/example-container/test.json")</set-url>
<set-method>PUT</set-method>
<set-header name="x-ms-date" exists-action="override">
<value>#(DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ssZ"))</value>
</set-header>
<set-header name="x-ms-version" exists-action="override">
<value>2019-02-02</value>
</set-header>
<set-header name="x-ms-blob-type" exists-action="override">
<value>BlockBlob</value>
</set-header>
<set-header name="Authorization" exists-action="override">
<value>#("SharedAccessSignature " + (string)context.Variables["sas_token"])</value>
</set-header>
<set-body>#((string)context.Variables["x-request-body"])</set-body>
</send-request>
For completeness, here's the result from APIM when I trace a test request using {"hello": "then"}:
{
"message": "Request is being forwarded to the backend service. Timeout set to 20 seconds",
"request": {
"method": "PUT",
"url": "https://example-account.blob.core.windows.net/example-container/test.json",
"headers": [
{
"name": "Host",
"value": "example-account.blob.core.windows.net"
},
{
"name": "Content-Length",
"value": 17
},
{
"name": "x-ms-date",
"value": "2021-01-17T16:53:28Z"
},
{
"name": "x-ms-version",
"value": "2019-02-02"
},
{
"name": "x-ms-blob-type",
"value": "BlockBlob"
},
{
"name": "Authorization",
"value": "SharedAccessSignature sp=cw&st=2021-01-17T13%3A42%3A02Z&se=2021-01-18T15%3A42%3A02Z&spr=https&sv=2019-02-02&sr=b&sig=<signature>"
},
{
"name": "X-Forwarded-For",
"value": "205.193.94.40"
}
]
}
}
send-request (92.315 ms)
{
"response": {
"status": {
"code": 403,
"reason": "Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature."
},
"headers": [
{
"name": "x-ms-request-id",
"value": "185d86f5-601e-0038-5cf1-ec3542000000"
},
{
"name": "Content-Length",
"value": "321"
},
{
"name": "Content-Type",
"value": "application/xml"
},
{
"name": "Date",
"value": "Sun, 17 Jan 2021 16:53:28 GMT"
},
{
"name": "Server",
"value": "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0"
}
]
}
}
Also, still newish to C#, so if something can be done better please let me know.
Azure Storage supports below authorizing method:
But SAS token can not be the Authorization header of REST API.
https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-requests-to-azure-storage
I encapsulated several authentication methods:
using Azure.Storage;
using Azure.Storage.Sas;
using Microsoft.Azure.Services.AppAuthentication;
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography;
using System.Text;
namespace ConsoleApp31
{
class Program
{
static void Main(string[] args)
{
string storageKey = "xxxxxx";
string storageAccount = "yourstorageaccountname";
string containerName = "test";
string blobName = "test.txt";
string mimeType = "text/plain";
string test = "This is a test of bowman.";
byte[] byteArray = Encoding.UTF8.GetBytes(test);
MemoryStream stream = new MemoryStream(byteArray);
UseRestApiToUpload(storageKey,storageAccount,containerName,blobName,stream,mimeType);
Console.WriteLine("*******");
Console.ReadLine();
}
//Upload blob with REST API
static void UseRestApiToUpload(string storageKey, string storageAccount, string containerName, string blobName, Stream stream, string mimeType)
{
string method = "PUT";
long contentlength = stream.Length;
string requestUri = $"https://{storageAccount}.blob.core.windows.net/{containerName}/{blobName}";
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(requestUri);
string utcnow = DateTime.UtcNow.ToString("R");
var memoryStream = new MemoryStream();
stream.CopyTo(memoryStream);
var content = memoryStream.ToArray();
request.Method = method;
request.Headers.Add("Content-Type", mimeType);
request.Headers.Add("x-ms-version", "2019-12-12");
request.Headers.Add("x-ms-date", utcnow);
request.Headers.Add("x-ms-blob-type", "BlockBlob");
request.Headers.Add("Content-Length", contentlength.ToString());
//Use SharedKey to authorize.
request.Headers.Add("Authorization", AuthorizationHeaderWithSharedKey(method, utcnow, request, storageAccount, storageKey, containerName, blobName));
//Can not use SAS token in REST API header to authorize.
//Use Bearer token to authorize.
//request.Headers.Add("Authorization",AuthorizationHeaderWithAzureActiveDirectory());
using (Stream requestStream = request.GetRequestStream())
{
requestStream.Write(content, 0, (int)contentlength);
}
using (HttpWebResponse resp = (HttpWebResponse)request.GetResponse())
{
}
}
//Use shared key to authorize.
public static string AuthorizationHeaderWithSharedKey(string method, string now, HttpWebRequest request, string storageAccount, string storageKey, string containerName, string blobName)
{
string headerResource = $"x-ms-blob-type:BlockBlob\nx-ms-date:{now}\nx-ms-version:2019-12-12";
string urlResource = $"/{storageAccount}/{containerName}/{blobName}";
string stringToSign = $"{method}\n\n\n{request.ContentLength}\n\n{request.ContentType}\n\n\n\n\n\n\n{headerResource}\n{urlResource}";
HMACSHA256 hmac = new HMACSHA256(Convert.FromBase64String(storageKey));
string signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
String SharedKey = String.Format("{0} {1}:{2}", "SharedKey", storageAccount, signature);
return SharedKey;
}
//Use Shared access signature(SAS) to authorize.
public static string AuthorizationHeaderWithSharedAccessSignature(string storageAccount, string storageKey)
{
// Create a SAS token that's valid for one hour.
AccountSasBuilder sasBuilder = new AccountSasBuilder()
{
Services = AccountSasServices.Blobs | AccountSasServices.Files,
ResourceTypes = AccountSasResourceTypes.Service,
ExpiresOn = DateTimeOffset.UtcNow.AddHours(1),
Protocol = SasProtocol.Https
};
sasBuilder.SetPermissions(AccountSasPermissions.Read |
AccountSasPermissions.Write);
// Use the key to get the SAS token.
StorageSharedKeyCredential key = new StorageSharedKeyCredential(storageAccount, storageKey);
string sasToken = sasBuilder.ToSasQueryParameters(key).ToString();
Console.WriteLine("SAS token for the storage account is: {0}", sasToken);
Console.WriteLine();
return sasToken;
}
//Use Azure Active Directory(Bearer token) to authorize.
public static string AuthorizationHeaderWithAzureActiveDirectory()
{
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
string bearertoken = azureServiceTokenProvider.GetAccessTokenAsync("https://storage.azure.com/").Result;
return "Bearer " + bearertoken;
}
}
}
Although the interaction between many software packages and azure is based on REST API, for operations like uploading blobs, I don't recommend you to use rest api to complete. Azure officially provides many packaged packages that you can use directly, such as:
https://learn.microsoft.com/en-us/dotnet/api/azure.storage.blobs?view=azure-dotnet
And example for .Net:
https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-dotnet
In the above SDK, you can use sas token for authentication.
I don't think you can put a SAS token in an Authorization header. I can't find any relevant sample, so I used the
Using the Azure.Storage.Blob C# client library from NuGet to do this
var data = System.Text.Encoding.UTF8.GetBytes("Hello Azure Storage");
var keyCred = new StorageSharedKeyCredential(account, key);
var sasBuilder = new AccountSasBuilder()
{
Services = AccountSasServices.Blobs,
ResourceTypes = AccountSasResourceTypes.Object,
ExpiresOn = DateTimeOffset.UtcNow.AddHours(1),
Protocol = SasProtocol.Https
};
sasBuilder.SetPermissions(AccountSasPermissions.All);
var sasToken = sasBuilder.ToSasQueryParameters(keyCred).ToString();
var blobClient = new BlobServiceClient(new Uri($"https://{account}.blob.core.windows.net/?{sasToken}"), null);
var containter = blobClient.GetBlobContainerClient("test");
containter.UploadBlob("test.txt", new MemoryStream(data));
Generates an HTTP request like this:
PUT https://xxxxxx.blob.core.windows.net/test/test.txt?sv=2020-04-08&ss=b&srt=o&spr=https&se=2021-01-17T18%3A13%3A55Z&sp=rwdxlacuptf&sig=RI9It3O6mcmw********S%2B1r91%2Bj5zGbk%3D HTTP/1.1
Host: xxxxxx.blob.core.windows.net
x-ms-blob-type: BlockBlob
x-ms-version: 2020-04-08
If-None-Match: *
x-ms-client-request-id: c6e93312-af95-4a04-a207-2e2062b1dd26
x-ms-return-client-request-id: true
User-Agent: azsdk-net-Storage.Blobs/12.8.0 (.NET Core 3.1.10; Microsoft Windows 10.0.19042)
Request-Id: |ffa2da23-45c79d128da40651.
Content-Length: 19
Hello Azure Storage
Then using the SAS token directly with WebClient,
var wc = new WebClient();
wc.Headers.Add("x-ms-blob-type: BlockBlob");
wc.UploadData($"https://{account}.blob.core.windows.net/test/test2.txt?{sasToken}", "PUT", data);
works too, which should be the minimal request:
PUT https://xxxxx.blob.core.windows.net/test/test2.txt?sv=2020-04-08&ss=b&srt=o&spr=https&se=2021-01-17T18%3A50%3A01Z&sp=rwdxlacuptf&sig=Fj4QVfwIfjXP10G%xxxxxxxx%2FF%2FcjikizKggY%3D HTTP/1.1
Host: xxxx.blob.core.windows.net
x-ms-blob-type: BlockBlob
Connection: Keep-Alive
Content-Length: 19
Hello Azure Storage
Removing the x-ms-blob-type header fails with:
The remote server returned an error: (400) An HTTP header that's
mandatory for this request is not specified..
You are free to poke through the source code on GitHub for more details.
Thanks to David's help to confirm that it was my error, I was incorrectly converting the key to generate the HMAC. Below is the correct code, notice the Base64 decode, whereas originally I was just getting the byte array:
string string_to_sign = string.Join("\n", new List<string>(values));
Console.WriteLine(string_to_sign.Replace("\n", "\\n"));
System.Security.Cryptography.HMACSHA256 hmac = new System.Security.Cryptography.HMACSHA256(System.Convert.FromBase64String(key));
var signature = System.Convert.ToBase64String(hmac.ComputeHash(System.Text.Encoding.UTF8.GetBytes(string_to_sign)));
And then I can use it like so in the APIM Policy:
<set-variable name="x-request-body" value="#(context.Request.Body.As<string>())" />
<send-request mode="new" response-variable-name="tokenstate" timeout="20" ignore-error="true">
<set-url>#(string.Format("https://example-account.blob.core.windows.net/example-container/test.json?{0}", context.Variables["sas_token"]))</set-url>
<set-method>PUT</set-method>
<set-header name="x-ms-date" exists-action="override">
<value>#(DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ssZ"))</value>
</set-header>
<set-header name="x-ms-version" exists-action="override">
<value>2019-02-02</value>
</set-header>
<set-header name="x-ms-blob-type" exists-action="override">
<value>BlockBlob</value>
</set-header>
<set-body>#((string)context.Variables["x-request-body"])</set-body>
</send-request>
Related
I am new in C# jose jwt. I have been using JWE.Encrypt() method.
AnyJson anyJson = new AnyJson();
anyJson.page = 2;
anyJson.filters = new Filters();
anyJson.filters.startDate = DateTime.Now.Date;
anyJson.filters.endDate = DateTime.Now.Date;
string key = "bXF9p18KmVjgyzv3lP6otbne1W8PLo6gEE287SMyjeI=";
var payload = Newtonsoft.Json.JsonConvert.SerializeObject(anyJson);
string token = JWE.Encrypt(payload,
new[] { new JweRecipient(JweAlgorithm.A256KW, Convert.FromBase64String(key), null) },
JweEncryption.A256GCM);
and I am getting response in json like
{"ciphertext":"PwUATwt8xgGNSh7V2BjhOtlb0rC_GpFKyKWYdx2Fum6SpY6R9TWnH2BPPbK5qJ8_A0Q9MBkbjJkV4vi_CdKPXI1HXKiFmhxtX34pktiWuP-3ggXEMe1BZV--Lz40xRB9FyDgQ9S_SdDlgC6QMNVBQMCjtiKyhFSwIT5Qwb8AZGlew5cd7AVXhcpXAofMdF1ZV8t8JfpmqJe2ucZW06_aaFe9V3bNn9S5bv9b","protected":"eyJlbmMiOiJBMjU2R0NNIn0","iv":"8MD-0rHQDoIEmRXp","tag":"9DNgPKWMfA2jBBehA5IMxQ","header":{"alg":"A256KW"},"encrypted_key":"GXZKICb9L7EP91DQ2bJod3WNOaVjkSjzBcIsH6gk0vECpUwyTNasEw"}
but as per the doc given by client, we need to send this JWE token like
{ "request": {"Token": "eyJhbGciOiJBMjU2S1ciLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIn0.Hwv8rJUIcWzZgfAe1g8QaXrcczAx2-lvQX0gighE8OPg6L8-L9YyikY4Xx2oWUr2mbsHnS7nbT1dJ59Nz-CpdUk5JwC--Qml.e1rlkqkDbe3yRusnTiDzMw.ddSHOBVCIpU4-jSCqpGbtAsOuDBJnjnP4xFU97TeBOghlk3quvTd0lvkunDNvKOSqlw0zi2Gtz9Y4lZNPVEyYTkqGprjqMFGulcI_0gKzyu7CaFzJjWBicspIo81ljPdwkodNnfjwnuGjEIj5UUgJHcebEaFNDVqgU4Gtsvn9g7LOHVhmGXLOzlNcRbbgp.SQqu8k5C7QoYP0uXSV6H42zb3Ft9ehSfZGzPrUE6vVw"}}
which is looks like JSON. How can I send data like this?
Are you really sure you should sent a JWT token that you create your self?
typically a JSON token is issued by an authorization service. That both you and the receiver of the token trusts.
I am trying to update the recurrence frequency and interval of a Logic App using Azure Logic SDK and it is failing with this error message
Microsoft.Rest.Azure.CloudException: The request to patch workflow 'kk-test-logic-app' is not supported.
None of the fields inside the properties object can be patched.
Here is a code snippet showing what I am trying to do.
var workflow = await _client.Value.Workflows.GetAsync(resourceGroupName, workflowName);
dynamic workflowDefinition = workflow.Definition;
workflowDefinition.triggers[triggerName]["recurrence"] = JToken.FromObject(new { frequency = triggerFrequency, interval = triggerInterval });
await _client.Value.Workflows.UpdateAsync(resourceGroupName, workflowName, workflow);
where _client is Lazy<LogicManagementClient>.
Here is the definition of the trigger I am trying to update (got using Fiddler):
"triggers": {
"When_a_new_email_arrives": {
"recurrence": {
"frequency": "Hour",
"interval": 2
},
"splitOn": "#triggerBody()?.value",
"type": "ApiConnection",
"inputs": {
"host": {
"api": {
"runtimeUrl": "https://logic-apis-southindia.azure-apim.net/apim/office365"
},
"connection": {
"name": "#parameters('$connections')['office365']['connectionId']"
}
},
"method": "get",
"path": "/Mail/OnNewEmail",
"queries": {
"folderPath": "Inbox",
"importance": "Any"
}
}
}
}
Note that I am able to successfully retrieve the workflows, workflowRuns, workflowTriggers etc. Only the update operation is failing. Any ideas on how to update properties of workflows using the SDK?
UPDATE:
As pointed out by Amor-MSFT in the comments below, this is a defect and as a workaround, I am currently using CreateOrUpdateAsync instead of UpdateAsync. A new defect has been created in GitHub to get this to the attention of the SDK development team.
The trigger currently executes every 30s checking if a new mail was received from a certain email address and is working well as expected. I'm trying to change the recurrence frequency from 30s to 2hours using the code I provided.
I created a mail trigger and I can reproduce the issue if I use invoke UpdateAsync method. According to the source code of Azure Logic C# SDK, it send a PATCH request which is not supported according the response message. After changed the HTTP method to PUT, I can update the workflow. Here is the sample code which I used to send the PUT request.
string triggerName = "When_a_new_email_arrives";
string resourceGroupName = "my resourcegroup name";
string workflowName = "my-LogicApp";
string subscriptionID = "my-subscriptionID";
var workflow = await _client.Workflows.GetAsync(resourceGroupName, workflowName);
string url = string.Format("https://management.azure.com/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Logic/workflows/{2}?api-version=2016-06-01",
subscriptionID, resourceGroupName, workflowName);
HttpClient client = new HttpClient();
HttpRequestMessage message = new HttpRequestMessage(HttpMethod.Put, url);
message.Headers.Add("Authorization", "Bearer put your token here");
message.Headers.Add("Accept", "application/json");
message.Headers.Add("Expect", "100-continue");
dynamic workflowDefinition = workflow.Definition;
workflowDefinition.triggers[triggerName]["recurrence"] = JToken.FromObject(new { frequency = "Minute", interval = 20 });
string s = workflow.ToString();
string workflowString = JsonConvert.SerializeObject(workflow, _client.SerializationSettings);
message.Content = new StringContent(workflowString, Encoding.UTF8, "application/json");
await client.SendAsync(message);
I'm using the Azure Fluent Management API to automate our deployment process. Up until now, I've had minimal problems.
We have SSL certificates already uploaded into Azure and can manually bind them to a web site through the Azure portal. But I can't find a mechanism for doing this programmatically.
The closest I can find is below and in the documentation here.
webApp.Update()
.DefineSslBinding()
.ForHostname(domainName)
.WithPfxCertificateToUpload(pfxFile, password)
.WithSniBasedSsl()
.Attach();
However, this is obviously uploading a new certificate, not using an existing one.
There are two other options after the ForHostName() call:
WithExistingAppServiceCertificateOrder(certificateOrder)
and
WithNewStandardSslCertificateOrder(certificateOrderName)
But my understanding is that these are related to purchasing the certificates through Azure/Microsoft.
I also can't see anything in the REST API documentation.
So, how can I associate an existing certificate with a web app, in code?
Obviously this was not critical given I've only found an answer 9 months later.
Anyhow, the answer below is copied from the link provided.
await azure
.WebApps
.Inner
.CreateOrUpdateHostNameBindingWithHttpMessagesAsync(
resourceGroupName,
webAppName,
domain,
new HostNameBindingInner(
azureResourceType: AzureResourceType.Website,
hostNameType: HostNameType.Verified,
customHostNameDnsRecordType: CustomHostNameDnsRecordType.CName,
sslState: SslState.SniEnabled,
thumbprint: thumbprint));
As far as I know, the Azure Fluent Management API’s version is 1.0.0-beta50, so it maybe not contain the method add existing certificate to the host name.
I suggest you could use REST API to achieve it.
I suggest you could send request to below url.
Url: https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Web/sites/{snapshotName}?api-version={api-version}
Method: PUT
Parameter:
subscriptionId The identifier of your subscription where the snapshot is being created.
resourceGroup The name of the resource group that will contain the snapshot.
WebappName The name of the WebappName.
api-version The version of the API to use.
Request content:
{
"properties": {
"HostNameSslStates": [
{
"SslState": "the SSL state",
"ToUpdate": "True",
"Thumbprint": "The Thumbprint of the certificate, you could find it in the portal",
"Name": "yourwebsitename"
}
]
},
"kind": "app",
"location": "yourlocation",
"tags": {
"hidden-related:/subscriptions/{subscriptionId}/resourcegroups/{resourceGroup}/providers/Microsoft.Web/serverfarms/{yourserviceplan}": "empty"
}
}
More details, you could refer to below C# codes:
Json.txt:
{
"properties": {
"HostNameSslStates": [
{
"SslState": "1",
"ToUpdate": "True",
"Thumbprint": "BE58B05C5CADE03628D0D58B369D0DA6F535B0FA",
"Name": "test.azureclubs.com"
}
]
},
"kind": "app",
"location": "East Asia",
"tags": {
"hidden-related:/subscriptions/xxxxxxxxxxxxxxxx/resourcegroups/xxxxxxxxxxxxx/providers/Microsoft.Web/serverfarms/BrandoTestServicePlan": "empty"
}
}
Code:
string body = File.ReadAllText(#"D:\json.txt");
// Display the file contents to the console. Variable text is a string.
string tenantId = "xxxxxxxxxxxxxxxxxxxxxxxxx";
string clientId = "xxxxxxxxxxxxxxxxxxxxxxxxxxx";
string clientSecret = "xxxxxxxxxxxxxxxxxxxxxxxxx";
string subscriptionid = "xxxxxxxxxxxxxxxxxxxxxxxxxx";
string resourcegroup = "BrandoSecondTest";
string appname = "BrandoTestApp";
string version = "2015-08-01";
string authContextURL = "https://login.windows.net/" + tenantId;
var authenticationContext = new AuthenticationContext(authContextURL);
var credential = new ClientCredential(clientId, clientSecret);
var result = authenticationContext.AcquireTokenAsync(resource: "https://management.azure.com/", clientCredential: credential).Result;
if (result == null)
{
throw new InvalidOperationException("Failed to obtain the JWT token");
}
string token = result.AccessToken;
HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(string.Format("https://management.azure.com/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Web/sites/{2}?api-version={3}", subscriptionid, resourcegroup, appname, version));
request.Method = "PUT";
request.Headers["Authorization"] = "Bearer " + token;
request.ContentType = "application/json";
try
{
using (var streamWriter = new StreamWriter(request.GetRequestStream()))
{
streamWriter.Write(body);
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
// Get the response
var httpResponse = (HttpWebResponse)request.GetResponse();
using (var streamReader = new StreamReader(httpResponse.GetResponseStream()))
{
Console.WriteLine(streamReader.ReadToEnd());
}
This solution works in 2021. You only need to know the thumbprint of your certificate and it should be in the same resource group as your web app.
var webApp = azure.WebApps
.GetById("webapp resource Id goes here")
.Update()
.DefineSslBinding()
.ForHostname("host name goes here")
.WithExistingCertificate("thumbprint goes here")
.WithSniBasedSsl()
.Attach()
.Apply();
I have an app(ios) that you can login with google and I ask the user to give permissions to access his youtube data,
func doOAuthGoogle(){
let oauthswift = OAuth2Swift(
consumerKey: GoogleYoutube["consumerKey"]!,
consumerSecret: GoogleYoutube["consumerSecret"]!,
authorizeUrl: "https://accounts.google.com/o/oauth2/auth",
accessTokenUrl: "https://accounts.google.com/o/oauth2/token",
responseType: "code"
)
oauthswift.authorizeWithCallbackURL( NSURL(string: "W2GCW24QXG.com.xxx.xxx:/oauth-swift")!, scope: "https://www.googleapis.com/auth/youtube", state: "", success: {
credential, response, parameters in
print("oauth_token:\(credential.oauth_token)")
let parameters = Dictionary<String, AnyObject>()
//TODO: send oauth to server
Alamofire.request(.GET, "http://xxx.azurewebsites.net:80/api/Login/Google/", parameters: ["access_token" : credential.oauth_token]).responseJSON { response in
print(response)
let resultDic : NSDictionary = (response.result.value as? NSDictionary)!
defaults.setObject(resultDic.valueForKey("userId"), forKey: "UserId")
let vc = self.storyboard?.instantiateViewControllerWithIdentifier("vcGroupsViewController") as? GroupsController
self.navigationController?.pushViewController(vc!, animated: true)
}
}, failure: {(error:NSError!) -> Void in
print("ERROR: \(error.localizedDescription)")
})
}
after that I get the credential.oauth_token and send it to the server that is .NET.
on the server I have the library
using Google.Apis.Services;
using Google.Apis.YouTube.v3;
and now I want to get the user music playlist but I cant find example code for that, like in facebook that have the facebookclient
var accessToken = access_token;
var client = new FacebookClient(accessToken);
// 1 : hit graph\me?fields=
dynamic me = client.Get("me", new { fields = new[] { "id", "name", "first_name", "last_name", "picture.type(large)", "email", "updated_time" } });
dynamic meMusic = client.Get("me/music");
OK, i found my answer to my own question,
send the access token to the server and then use web client to call the youtube data api v3 with the proper headers, the result will be youtube playlist ids , from there take watchHistory node and save it to local var, and use it in webclient2 to call the list items.
hope it will help others.
internal User SaveGoogleYoutubeLogin(string access_token)
{
var accessToken = access_token;
string watchHistoryList = "";
using (WebClient webclient = new WebClient())
{
webclient.Headers.Add(HttpRequestHeader.Authorization,"Bearer " + accessToken);
webclient.Headers.Add("X-JavaScript-User-Agent", "Google APIs Explorer");
var respone2 = webclient.DownloadString("https://www.googleapis.com/youtube/v3/channels?part=contentDetails&mine=true&key={your_api_key}");
Debug.Print(respone2);
JObject jResponse = JObject.Parse(respone2);
watchHistoryList = (string)jResponse["items"][0]["contentDetails"]["relatedPlaylists"]["watchHistory"].ToString();
}
using (WebClient webclient2 = new WebClient())
{
webclient2.Headers.Add(HttpRequestHeader.Authorization, "Bearer " + accessToken);
webclient2.Headers.Add("X-JavaScript-User-Agent", "Google APIs Explorer");
var respone2 = webclient2.DownloadString("https://www.googleapis.com/youtube/v3/playlistItems?part=snippet&playlistId="+ watchHistoryList + "&key={your_api_key}");
Debug.Print(respone2);
JObject jResponse = JObject.Parse(respone2);
foreach (var item in jResponse["items"])
{
Debug.Print(item.ToString());
}
}
I am new to DotNetOpenAuth and I can't find what value to use as the verifier in ProcessUserAuthorization.
What I want to achieve is to log in with my user credentials into an application (called UserVoice) that uses OAuth. Here's what my code looks like:
string requestToken;
var authorizeUri = consumer.RequestUserAuthorization(new Dictionary<string, string>(), null, out requestToken).AbsoluteUri;
var verifier = "???";
var accessToken = consumer.ProcessUserAuthorization(requestToken, verifier).AccessToken;
consumer.PrepareAuthorizedRequest(endpoint, accessToken, data).GetResponse();
I tried to use my username, my password, my consumer key, my consumer secret, but nothing seems to work. Does someone know which value I should use as the verifier?
Thanks
I finally found a way to log in to UserVoice with DotNetOpenAuth. I think UserVoice's implementation of OAuth wasn't standard, but I was able to do it during this:
var consumer = new DesktopConsumer(this.GetInitialServiceDescription(), this._manager)
string requestToken;
consumer.RequestUserAuthorization(null, null, out requestToken);
// get authentication token
var extraParameters = new Dictionary<string, string>
{
{ "email", this._email },
{ "password", this._password },
{ "request_token", requestToken },
};
consumer = new DesktopConsumer(this.GetSecondaryServiceDescription(), this._manager);
consumer.RequestUserAuthorization(extraParameters, null, out requestToken);
Where GetInitialServiceDescription returns the good request description, and GetSecondaryServiceDescription is a hacked version and returns the authorize endpoint in place of the request token endpoint. The "request_token" returned this way (which is not really a normal request_token from my understanding of OAuth) can then be used as an access token for PrepareAuthorizedRequest.
The verifier is the code that UserVoice would display onscreen after the user has said they want to authorize your app. The user must copy and paste this verifier code from the web site back into your application's GUI, so that it can then pass it into the ProcessUserAuthorization method.
This is only required in OAuth 1.0a (not 1.0), and is there to mitigate certain exploitable attacks that were discovered in 1.0. In your ServiceProviderDescription be sure you specify that the service is a 1.0a version (if in fact Uservoice supports that) so that DNOA will communicate to Uservoice that it should create a verifier code.
Incidentally, various tricks including scanning process titles or hosting the browser within your own app can eliminate the manual user copying the verify code step by having your app automatically copy it for him.
The verifier is also used when the Authorization is done via WebAPI and you do not have a redirect displayed in a browser. In this you just send your AuthentificationRequest via code and get the verifier as a json-string without any user interaction.
In this case the process (for OAuth 1.0) looks as follows:
public void AccessAPI ()
{
InMemoryOAuthTokenManager tokenManager = InMemoryOAuthTokenManager(YOUR_CLIENT_KEY, YOUR_CLIENT_SECRET);
var consumer = new DesktopConsumer(GetAuthServerDescription(), tokenManager);
// Get Request token
string requestToken;
var parameters = new Dictionary<string, string>();
parameters["email"] = "foo";
parameters["password"] = "bar";
Uri authorizationUrl = consumer.RequestUserAuthorization(null, parameters, out requestToken);
// Authorize and get a verifier (No OAuth Header necessary for the API I wanted to access)
var request = WebRequest.Create(authorizationUrl) as HttpWebRequest;
request.Method = "Get";
request.Accept = "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2";
var response = request.GetResponse() as HttpWebResponse;
string verifier = new StreamReader(response.GetResponseStream()).ReadToEnd().Split('=')[1]; //Irgendwie will Json nicht parsen
// Use verifier to get the final AccessToken
AuthorizedTokenResponse authorizationResponse = consumer.ProcessUserAuthorization(requestToken, verifier);
string accessToken = authorizationResponse.AccessToken;
// Access Ressources
HttpDeliveryMethods resourceHttpMethod = HttpDeliveryMethods.GetRequest | HttpDeliveryMethods.AuthorizationHeaderRequest;
var resourceEndpoint = new MessageReceivingEndpoint("https://api.discovergy.com/public/v1/meters", resourceHttpMethod);
using (IncomingWebResponse resourceResponse = consumer.PrepareAuthorizedRequestAndSend(resourceEndpoint, accessToken))
{
string result = resourceResponse.GetResponseReader().ReadToEnd();
dynamic content = JObject.Parse(result);
}
}
private ServiceProviderDescription GetAuthServerDescription()
{
var authServerDescription = new ServiceProviderDescription();
authServerDescription.RequestTokenEndpoint = new MessageReceivingEndpoint(YOUR_REQUEST_ENDPOINT, HttpDeliveryMethods.PostRequest | HttpDeliveryMethods.AuthorizationHeaderRequest);
authServerDescription.UserAuthorizationEndpoint = new MessageReceivingEndpoint(YOUR_AUTHORIZATION_ENDPOINT, HttpDeliveryMethods.GetRequest | HttpDeliveryMethods.AuthorizationHeaderRequest);
authServerDescription.AccessTokenEndpoint = new MessageReceivingEndpoint(YOUR_TOKEN_ENDPOINT, HttpDeliveryMethods.PostRequest | HttpDeliveryMethods.AuthorizationHeaderRequest);
authServerDescription.ProtocolVersion = ProtocolVersion.V10;
authServerDescription.TamperProtectionElements = new ITamperProtectionChannelBindingElement[] { new HmacSha1SigningBindingElement() };
return authServerDescription;
}