Can't access azure storage blob via url even though authenticated

0
votes

I have a nodejs application using the express framework. The user must sign in via Oauth2 protocol against their MS Azure Active Directory credentials. This is done using the passport-azure-ad-oauth2 npm package

I have successfully got the application working so that I can upload files in blob form to an azure storage container. The container access level is set to private. I have assigned user roles for the container so that certain users within the AD have 'reader and data access'. So my understanding is that when these users are authenticated via Oauth2, they should be able to access the files when retrieving the file's URL. However, after authentication, I am not able to access the files. I get the following error.

ResourceNotFound The specified resource does not exist. RequestId:6341ef80-f01e-0011-6442-08f7c2000000 Time:2021-02-21T11:14:26.3475641Z

I have also followed the steps to grant the application permissions to azure storage here

What do I need to do so that authenticated users can go to the specific url for each blob and get access? Do I need to pass a token in the request? If so, how do you do this?

Any help would be much appreciated.

1
node.jsazureazure-active-directoryazure-storage-blobs

1 Answers

1
votes

The 404 error(The specified resource does not exist) is always related to your request URL, but not the access token.

For example to get blob, you need to use GET Method, and some of the Request Headers are required.

GET https://myaccount.blob.core.windows.net/mycontainer/myblob
headers:  
     Authorization: Bear <access-token>
     x-ms-version: 2020-04-08
     x-ms-date: Fri, 26 Jun 2015 23:39:12 GMT

Get access token by application permission without user:

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

client_id={client_id}
&client_secret={client_secret}
&scope=http://storage.azure.com/.default  // change to http://storage.azure.com/ for resource
&grant_type=client_credentials

Get access token by delegated permission with a signed-in user:

GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=token
&redirect_uri=https://localhost:44300/
&scope=https://storage.azure.com/user_impersonation
&response_mode=fragment
&state=12345
&nonce=678910

Note: Navigate to your storage account -> Access Control (IAM) -> Add role assignment -> select Storage Blob Data XXX role and your login account. I add Storage Blob Data Contributor in my side, it might take up to 5 minutes to propagate the RBAC rule.

enter image description here