Access Azure Blob storage of a user using oauth2 token obtained

坚强是说给别人听的谎言 submitted on 2020-01-24 20:33:06

Question


In Azure blob storage, what I need is to get the access token when a user signs into his account, and then use this access token to list/upload/download the files in the user's blob storage (similar to what we can do in Dropbox/Google Drive). Using the user authentication request given below I am getting the code:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=client_id&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&scope=openid%20offline_access%20https%3A%2F%2Fstorage.azure.com%2Fuser_impersonation&state=12345

And the code is used to get the token using the below request

POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=client_id&scope=openid%20offline_access%20https%3A%2F%2Fstorage.azure.com%2Fuser_impersonation&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&grant_type=authorization_code&client_secret=client_secret

But when I call the GET request to list using https://account_name.blob.core.windows.net/container_name?restype=container&comp=list I am getting "Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature." How do I access the files in the blob storage using the token obtained? Can we do this using Python?


Answer 1:


If you want to access Azure blob storage with Azure AD, please refer to the following steps:

  1. Register Azure AD application

  2. Configure Azure Application

    a. Configure permissions

  3. Configure RBAC role for the user

az role assignment create \
    --role "Storage Blob Data Contributor" \
    --assignee <email> \
    --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>"

  4. Get token

    a. get code
    https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize?
    client_id=<>
    &response_type=code
    &redirect_uri=http://localhost:3000/
    &response_mode=query
    &scope=https://storage.azure.com/user_impersonation
    &state=12345

    b. get token
    POST https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
    client_id=<>
    &scope=https://storage.azure.com/user_impersonation
    &code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
    &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
    &grant_type=authorization_code
    &client_secret=<>

  5. Call Azure blob rest api
    GET https://myaccount.blob.core.windows.net/mycontainer/myblob
    Headers :
            Authorization: Bearer <>
            x-ms-version: 2019-02-02
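The asker's closing question (can this be done in Python?) is covered by the following added example, which is not code from the question or the answer. It builds the step 4a authorize URL and the step 4b token request as the answer lays them out, then builds the step 5 List Blobs call carrying the Authorization: Bearer and x-ms-version headers. Before sending the blob request it decodes the token payload (without verifying the signature) and checks that the aud claim is https://storage.azure.com, because a token minted for a different resource is one cause of the "server failed to authenticate the request" response quoted in the question. The function names, the constructed tokens and the sample listing XML are this example's own assumptions, not values from the page.

```python
"""Azure AD authorization-code flow plus a Blob Storage REST call, following the
steps in the answer above. Added example, not code from the original question or
answer. Function names, the sample XML listing and the constructed tokens are
this example's own assumptions."""
import base64
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

AUTHORITY = "https://login.microsoftonline.com"
STORAGE_SCOPE = "https://storage.azure.com/user_impersonation"
STORAGE_AUDIENCE = "https://storage.azure.com"    # aud claim a blob token must carry
X_MS_VERSION = "2019-02-02"                       # API version used in the answer
SCOPES = f"openid offline_access {STORAGE_SCOPE}"  # offline_access -> refresh token


def build_authorize_url(tenant, client_id, redirect_uri, state):
    """Step 4a: URL the user's browser is sent to; it redirects back with ?code=...&state=..."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": SCOPES, "state": state}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)


def build_token_request(tenant, client_id, client_secret, code, redirect_uri):
    """Step 4b: POST to the token endpoint. redirect_uri must equal the one used in 4a."""
    body = urllib.parse.urlencode({
        "client_id": client_id, "scope": SCOPES, "code": code,
        "redirect_uri": redirect_uri, "grant_type": "authorization_code",
        "client_secret": client_secret}).encode()
    return urllib.request.Request(
        f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def jwt_claims(token):
    """Read the JWT payload for local inspection; this does NOT verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_is_for_storage(token):
    """Blob Storage rejects tokens minted for another resource (e.g. Microsoft Graph)."""
    return jwt_claims(token).get("aud") in (STORAGE_AUDIENCE, STORAGE_AUDIENCE + "/")


def build_list_request(account, container, token):
    """Step 5: List Blobs. Needs 'Authorization: Bearer <token>' and x-ms-version."""
    if not token_is_for_storage(token):
        raise ValueError("access token audience is not " + STORAGE_AUDIENCE)
    url = (f"https://{account}.blob.core.windows.net/{container}"
           "?restype=container&comp=list")
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "x-ms-version": X_MS_VERSION})


def parse_blob_names(xml_text):
    """Pull blob names out of a List Blobs response (EnumerationResults XML)."""
    root = ET.fromstring(xml_text)
    return [blob.findtext("Name") for blob in root.iter("Blob")]


def list_blobs(account, container, token):
    """Live call (needs network and a real token): names of the blobs in the container."""
    with urllib.request.urlopen(build_list_request(account, container, token)) as resp:
        return parse_blob_names(resp.read().decode("utf-8"))


def exchange_code(tenant, client_id, client_secret, code, redirect_uri):
    """Live call: returns the token response JSON (access_token, refresh_token, ...)."""
    req = build_token_request(tenant, client_id, client_secret, code, redirect_uri)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def constructed_token(claims):
    """JWT-shaped string with a dummy signature, constructed here for offline use only."""
    def enc(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"RS256","typ":"JWT"}'),
                     enc(json.dumps(claims).encode()), "constructed-signature"])


# Constructed sample of a List Blobs response body (shape of the REST API, values made up).
SAMPLE_LIST_RESPONSE = """<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://myaccount.blob.core.windows.net/" ContainerName="mycontainer">
  <Blobs>
    <Blob><Name>reports/q1.csv</Name><Properties><Content-Length>120</Content-Length></Properties></Blob>
    <Blob><Name>notes.txt</Name><Properties><Content-Length>12</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""

if __name__ == "__main__":
    print(build_authorize_url("<tenant>", "<client_id>", "http://localhost/myapp/", "12345"))
    good = constructed_token({"aud": STORAGE_AUDIENCE, "scp": "user_impersonation"})
    print(build_list_request("myaccount", "mycontainer", good).full_url)
    print(parse_blob_names(SAMPLE_LIST_RESPONSE))
```

Only `exchange_code` and `list_blobs` touch the network; everything else runs offline so the request shape can be checked before a real token is involved. The audience check is a local sanity check, not a substitute for the server's validation: the bearer token is the user's credential for the storage account, so it should only ever be sent over HTTPS to `*.blob.core.windows.net` and kept out of logs.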



Source: https://stackoverflow.com/questions/59406391/access-azure-blob-storage-of-a-user-using-oauth2-token-obtained
