How to generate SAS token for secure connection to Azure IOT hub

1
votes

I need to programmatically generate the SAS token required for the connection to Azure IoT hub. For this I am following this page.

In the below C# code:

private static string createToken(string resourceUri, string keyName, string key)
{
    TimeSpan sinceEpoch = DateTime.UtcNow - new DateTime(1970, 1, 1);
    var week = 60 * 60 * 24 * 7;
    var expiry = Convert.ToString((int)sinceEpoch.TotalSeconds + week);
    string stringToSign = HttpUtility.UrlEncode(resourceUri) + "\n" + expiry;
    HMACSHA256 hmac = new HMACSHA256(Encoding.UTF8.GetBytes(key));
    var signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
    var sasToken = String.Format(CultureInfo.InvariantCulture, "SharedAccessSignature sr={0}&sig={1}&se={2}&skn={3}", HttpUtility.UrlEncode(resourceUri), HttpUtility.UrlEncode(signature), expiry, keyName);
    return sasToken;
}

we need to input resourceUri which I believe is <somename>.azure-devices.net, keyname is the policyname and key can be used as primary or secondary key.

After using the above parameters and generating the SAS token, I am still facing authorization issue and my device is showing as disconnected in device explorer. Can anyone please tell me what I am using wrong here.

Thanks

2
c#azureazure-iot-hub
try to use the following string formatting: "SharedAccessSignature sr={0}&sig={1}&se={2}" for device-facing endpoint. - Roman Kiss
the key is the primary/secondary key of the specific device, so each device has own authentication sas token. - Roman Kiss
@RomanKiss Sorry I didnt get you. Can you answer it and explain a bit more. - S Andrew

2 Answers

0
votes

try the following changes:

    private static string createToken(string resourceUri, string key, string keyName = null)
    {
        TimeSpan sinceEpoch = DateTime.UtcNow - new DateTime(1970, 1, 1);
        var week = 60 * 60 * 24 * 7;
        var expiry = Convert.ToString((int)sinceEpoch.TotalSeconds + week);
        string stringToSign = HttpUtility.UrlEncode(resourceUri) + "\n" + expiry;
        HMACSHA256 hmac = new HMACSHA256(Encoding.UTF8.GetBytes(key));
        var signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));

        var sasToken = keyName == null ?
            String.Format(CultureInfo.InvariantCulture, "SharedAccessSignature sr={0}&sig={1}&se={2}", HttpUtility.UrlEncode(resourceUri), HttpUtility.UrlEncode(signature), expiry) :
            String.Format(CultureInfo.InvariantCulture, "SharedAccessSignature sr={0}&sig={1}&se={2}&skn={3}", HttpUtility.UrlEncode(resourceUri), HttpUtility.UrlEncode(signature), expiry, keyName);

        return sasToken;

}

usage:

var deviceSasToken = MyHelper.createToken("{somename}.azure-devices.net/devices/myDeviceId", devicePrimaryKey);
0
votes

If the key you entered is your device's primary key, then in the code snippet above:

HMACSHA256 hmac = new HMACSHA256(Encoding.UTF8.GetBytes(key));

must be:

HMACSHA256 hmac = new HMACSHA256(Convert.FromBase64String(key));

Then it works for me.