Why isn't my Azure SAS Token Signature matching?

0
votes

This is the error returned when I try to access a blob in storage:

Code: AuthenticationFailed Message: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. AuthenticationErrorDetail: Signature did not match. String to sign used was xxstorageaccount rwdlac b sco 2017-08-17T21:29:24Z 2017-08-17T21:34:24Z https 2017-04-17

Here's my code:

$storageAccount = config('azure.storage.account');

$start = new \DateTime();     
$end = (new \DateTime())->modify('+5 minutes');
$start = $start->format('Y-m-d\TH:i:s\Z');
$end = $end->format('Y-m-d\TH:i:s\Z');

$toSign = $storageAccount . "\n";
$toSign .= "rwdlac" . "\n";
$toSign .= "b" . "\n";
$toSign .= "sco" . "\n";
$toSign .= $start . "\n";
$toSign .= $end . "\n"; 
$toSign .= "\n";
$toSign .= "https" . "\n";
$toSign .= "2017-04-17" . "\n";

$signature = rawurlencode(base64_encode(hash_hmac('sha256', $toSign, $sasKeyValue, TRUE))); 
$token = "?sv=2017-04-17&ss=b&srt=sco&sp=rwdlac&se=" . $end . "&st=" . $start . "&spr=https&sig=" . $signature;

return $uri . $token;
1
phpazuretoken
What is the value for $sasKeyValue variable? Is it the account key?Gaurav Mantri

1 Answers

1
votes

You could do 2 things to avoid this error.

  1. Convert start and end time to GMT time via setTimezone() function or consider using the gmdate function instead.

  2. Decode base64 account key through base64_decode() function.

Please change your code like the following:

$storageAccount = config('azure.storage.account');

$start = (new \DateTime())->setTimezone(new DateTimeZone('GMT'));     
$end = (new \DateTime())->setTimezone(new DateTimeZone('GMT'))->modify('+5 minutes');
$start = $start->format('Y-m-d\TH:i:s\Z');
$end = $end->format('Y-m-d\TH:i:s\Z');

$toSign = $storageAccount . "\n";
$toSign .= "rwdlac" . "\n";
$toSign .= "b" . "\n";
$toSign .= "sco" . "\n";
$toSign .= $start . "\n";
$toSign .= $end . "\n"; 
$toSign .= "\n";
$toSign .= "https" . "\n";
$toSign .= "2017-04-17" . "\n";

$signature = rawurlencode(base64_encode(hash_hmac('sha256', $toSign, base64_decode($sasKeyValue), TRUE))); 
$token = "?sv=2017-04-17&ss=b&srt=sco&sp=rwdlac&se=" . $end . "&st=" . $start . "&spr=https&sig=" . $signature;

return $uri . $token;