Hello @Benmehidi, Hamza (TI-CSTI), I haven't heard from you. If you are still encountering the issue, I would request you to send an email with the subject line "Attn:Jaya" to AzCommunity[at]Microsoft[dot]com referencing this thread along with the subscription ID, so that we could discuss offline, or you could open a support ticket with Microsoft.
Azure Function to download blobs with OAuth token
I have a huge set of PDFs that are stored in a blob container (let's call it demo_container); within each PDF file there are links to other PDFs (the links also redirect to the blob).
I'm looking for a way to make sure that the links will work only if the user has the rights (configured through IAM) to access that blob; the idea behind this is that even if somebody steals one PDF, they won't be able to open the other ones.
This requires using OAuth in order to get the token etc. I ended up thinking that I need to create a function that would act as a redirector (typically, links in PDFs would call my API with the name of the desired file in the query). First of all, am I right so far? Or is there a way to do this more easily?
In order to go as fast as possible (and since it shouldn't be something requiring too much programming), I went with PowerShell code, did the app registration of my app and gave it access to the Storage_API (with user impersonation) and Graph_API, just as stated in the MS docs.
When I call my API in my browser I get the MS authentication page and everything works fine. In my code I try to make sure that the token was passed correctly, so I download a blob within the context of the function and check its size. The thing is, it should work only if I log in with an account that has the right to connect to this blob (IAM is configured on the storage account and the container), but I don't know why the script works the same no matter who is authenticated.
My code to test:
using namespace System.Net

# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)

# Write to the Azure Functions log stream.
Write-Host "PowerShell HTTP trigger function processed a request."

# Interact with query parameters or the body of the request.
# ($name is read but not used below; this test downloads a fixed blob.)
$name = $Request.Query.Name

# This context comes from the Function's own Az session (profile.ps1), which
# retrieves the storage account keys; the caller's OAuth token plays no part here.
$context = (Get-AzStorageAccount -Name "xxxx" -ResourceGroupName "yyyy").Context
$temp = Get-AzStorageBlobContent -Container "blob1" -Blob "sample.pdf" -Destination ".\" -Context $context -Force
$body = "Size of the file is " + ($temp.Length)

# Associate values to output bindings by calling 'Push-OutputBinding'.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode  = [HttpStatusCode]::OK
    ContentType = 'text/html'
    Body        = $body
})
I'm very confused, since it is quite weird that the function can access the blob (no SAS is used anywhere in the function) with tokens from users that shouldn't be able to. All help is welcome.
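The behaviour described above follows from the test code reading the blob through the Function's own Az session (storage account keys) rather than with the caller's token. As an added example that is not the poster's code, here is a variant of the handler that forwards the signed-in user's access token to the Blob REST API, so the Storage service evaluates the caller's RBAC; it assumes App Service Authentication (Easy Auth) is enabled with its token store and configured to issue the stored token for the Azure Storage resource, and the account and container names are placeholders.

```powershell
using namespace System.Net
param($Request, $TriggerMetadata)

# Look up a request header by name without depending on the casing Functions uses.
function Get-RequestHeader($Headers, $Name) {
    foreach ($k in $Headers.Keys) { if ($k -ieq $Name) { return $Headers[$k] } }
    return $null
}

function Send-Response($Status, $Body, $ContentType = 'text/plain') {
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode  = $Status
        ContentType = $ContentType
        Body        = $Body
    })
}

# Assumption: Easy Auth places the caller's Storage-resource token in this header.
$userToken = Get-RequestHeader $Request.Headers 'X-MS-TOKEN-AAD-ACCESS-TOKEN'
if (-not $userToken) { Send-Response ([HttpStatusCode]::Unauthorized) 'No user token present'; return }

# Accept only a plain PDF file name so the query cannot reach outside the container.
$name = [string]$Request.Query.Name
if ($name -notmatch '^[A-Za-z0-9._-]+\.pdf$') { Send-Response ([HttpStatusCode]::BadRequest) 'Invalid file name'; return }

$account   = 'xxxx'   # placeholder storage account name
$container = 'blob1'  # placeholder container name
$uri = "https://$account.blob.core.windows.net/$container/$name"

try {
    # Blob REST call authenticated with the caller's bearer token: Storage applies the
    # caller's role assignments (e.g. Storage Blob Data Reader), not the Function's identity.
    $resp = Invoke-WebRequest -Uri $uri -Method Get -Headers @{
        Authorization  = "Bearer $userToken"
        'x-ms-version' = '2020-10-02'
    }
    Send-Response ([HttpStatusCode]::OK) $resp.Content 'application/pdf'
}
catch {
    # Storage answers 403 (AuthorizationPermissionMismatch) when the user lacks rights;
    # log it and refuse instead of serving the file.
    $status = $_.Exception.Response.StatusCode
    Write-Host "Blob request for '$name' rejected: $status"
    Send-Response ([HttpStatusCode]::Forbidden) 'You are not authorized to access this file'
}
```

A user without a data-plane role on the container gets 403 from this handler even though the Function App itself could read the blob with its own identity.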