Cosmosdb Resource Token Authorization Header using a REST call

1
votes

Cosmosdb has the concept of a permission for a user. That permission contains a token that can be used to access a specified partition for a limited time with limited access.

I've created a resource token broker, which creates the permission, retrieves the token and returns it to a client Xamarin Forms app. So far so good.

If I am using the DocumentClient from the .NET SDK, that token - unmodified - works great.

However, I'd like to avoid having a dependency on DocumentClient in my app and just instead make REST api calls directly to Cosmosdb.

If I put that token in the authorization header, I get format errors for that header. I can't find the source code to the SDK, and all the samples are built modifying a master token.

Can anyone explain/point/sample me on what I have to do to that resource token that I get from the permission to make it an acceptable header so I can just make a REST call?

TIA

2
azure-cosmosdb

2 Answers

1
votes

Based on your description, I think you already know how to get resource token. All your jobs are good except the resource token format. You need to urlencode your resource token then your code will be fine. I tested it successfully.

var databaseId = "db";
var collectionId = "coll";
var datetime = DateTime.UtcNow.ToString("R");
var version = "2017-02-22";
var resourceId = $"dbs/{databaseId}/colls/{collectionId}";
var auth = "type%3Dresource%26ver%3D1%26sig%3Dny%2BUlL6QIWR69OfiaSjTsw%3D%3D%3B%2Ba%2FwmK37zLn%2FoilfztnXpfyCN3n9tChunmpBdROF8BH4**********************oU0BJ4z8aDZT%2F%2FgTVJ0hgpXTK8UYMOrL5di3he9wbvQwFkFOdpXD7%2B%2Byhmb1uUOnq%2Fyp454O2fQKR8uA3KaiLCCjYZ6qr%2BQ%2BTV1Cu1u%2F6Yj34nc4UYtpRBX5K************qCGjhvpQ%3D%3D%3B";

var urlPath = $"https://***.documents.azure.com/dbs/db/colls/coll/docs/1";
Uri uri = new Uri(urlPath);
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, uri);
HttpClient client = new HttpClient();

client.DefaultRequestHeaders.Add("x-ms-date", datetime);
client.DefaultRequestHeaders.Add("x-ms-version", version);   
client.DefaultRequestHeaders.Add("Authorization", auth);
HttpResponseMessage response = client.SendAsync(request).Result;
var status = response.IsSuccessStatusCode;
var message = response.RequestMessage;
1
votes

Jay's solution was correct. I was missing a couple of parts. This entry is for any poor devil facing the same things.

  1. The token that actually comes back from Cosmosdb in the permission object is not encoded, as Jay pointed out. As of .Net Core 2.x you need to use WebUtility.UrlEncode(token) to get it in the right format. I spent an hour using HtmlEncode not UrlEncode. I'm an idiot.

{UPDATE: I'm even dumber than originally thought. You have to use HttpUtility.UrlEncode, not WebUtility.UrlEncode. This is because they encode differently. WebUtility ends up with stuff like %3D while HttpUtility encodes it %3d. That's not important except when it comes to auth tokens. When I ran Fiddler on a DocumentClient call I noticed the tokens contains lower cased encoding values.} So ignore #1 above and use HttpUtility instead.

  1. I mentioned that I was using partitions in the original question, but Jay's answer didn't cover that, so I was still failing. I was specifying a partition key, but it's not clear from the docs whether that's the partition key path or the partition key value. And that's not obvious if you believe that the permission token will contain a permission key value when it's created. No way to know what's going on under the covers. Trial and error. My personal fav.

  2. But the less than obvious kicker is the format of the partition key. If you are limiting the permission to a partition then you need to specify the partition in the header, like this:

    client.DefaultRequestHeaders.Add("x-ms-documentdb-partitionkey", partitions);

  3. And you need to format the partitions variable like this:

    string json = JsonConvert.SerializeObject(new[] { "b39bcd43-8d3d-*********-4e4492fa3e7d" });

And that's because Cosmodb is expecting an array of partition keys, even though it only accepts on partition key in the list (as I understand it anyway). If you don't want to use JsonConvert you can build it manually, using $"[\"{yourPartitionKey}\"]".

After all that it worked like a peach. Thanks, again, Jay!