Azure BLOB storage REST API - using ADAL access token returns 403 and 404 errors
I created an application registration in Azure Active Directory and added the API permission to access Azure Storage.
I also created a user and application role assignment, as follows:
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)
I granted the user the Storage Blob Data Contributor role in the Azure portal. Then I obtained an access token from this method:
public void acquireToken(android.app.Activity activity,
                         String resource,
                         String clientId,
                         @Nullable String redirectUri,
                         @Nullable String loginHint,
                         @NonNull com.microsoft.aad.adal.AuthenticationCallback<com.microsoft.aad.adal.AuthenticationResult> callback)
The clientId is the application that has permission to access storage. The redirect URI is the one I set for the application in the portal. I have tried two resource IDs. I send the token as an Authorization: Bearer header.
If the resource ID I pass to acquireToken is "https://<>.blob.core.windows.net/", it returns the error "Audience validation failed. Audience did not match".
If the resource ID is "https://storage.azure.com/", it returns the error "The specified container does not exist".
I am using Retrofit to perform the PUT operation.
import retrofit2.Call;
import retrofit2.http.Body;
import retrofit2.http.Header;
import retrofit2.http.Headers;
import retrofit2.http.PUT;

public interface BlobService {
    // Name of the header carrying the bearer token; AUTHORIZATION was referenced but not defined in the posted snippet.
    public static final String AUTHORIZATION = "Authorization";
    public static final String CONTENT_TYPE_TEXT_PLAIN_HEADER = "Content-Type: text/plain; charset=UTF-8";
    public static final String X_MS_VERSION = "x-ms-version: 2017-11-09";
    public static final String X_MS_DATE = "x-ms-date";
    public static final String X_MS_BLOB_CONTENT = "x-ms-blob-content-disposition: attachment; filename=\"fname.ext\"";
    public static final String X_MS_BLOB_TYPE = "x-ms-blob-type: BlockBlob";
    public static final String X_MS_META_M1 = "x-ms-meta-m1: v1";
    public static final String X_MS_META_M2 = "x-ms-meta-m2: v2";

    // Put Blob call: fixed headers are attached with @Headers, per-request ones are passed as parameters.
    @Headers({CONTENT_TYPE_TEXT_PLAIN_HEADER,
              X_MS_VERSION,
              X_MS_BLOB_CONTENT,
              X_MS_BLOB_TYPE,
              X_MS_META_M1, X_MS_META_M2})
    @PUT("/blob1")
    Call<Void> putBlob(@Header(AUTHORIZATION) String bearerToken,   // "Bearer <access token>"
                       @Header(X_MS_DATE) String date,              // RFC 1123 UTC date
                       @Body String putBody);
}
It returns the error "Audience validation failed. Audience did not match" if the resource ID I pass to acquireToken is https://<>.blob.core.windows.net/
Remove the trailing slash from https://<>.blob.core.windows.net/ and it should now match the audience that Azure AD expects.
From https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app#azure-storage-resource-id-
Azure Storage resource ID
An Azure AD resource ID indicates the audience for which a token that is issued can be used to provide access to an Azure resource. In the case of Azure Storage, the resource ID may be specific to a single storage account, or it may apply to any storage account. The following table describes the values that you can provide for the resource ID:
https://<account>.blob.core.windows.net
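The audience check the answer describes, as an added example that is not part of the original question or answer: it decodes the payload of an access token (without verifying the signature, so it is a diagnostic for a token you already hold, not a trust decision) and compares its aud claim against the storage resource IDs named on this page, reporting specifically when the only difference is a trailing slash. The account name myaccount, the tokens built by make_unsigned_token and their claim values are constructed for the example; treating https://storage.azure.com/ as an accepted audience is an assumption drawn from the question, where that value produced a 404 from the service rather than the audience error.

```python
import base64
import json
from typing import Any, Dict, List


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    Use only to inspect a token you already hold (e.g. the one acquireToken returned);
    the resource server, not this function, is what validates the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def expected_audiences(account: str) -> List[str]:
    # Resource IDs Azure Storage accepts, as given on this page: the account-specific
    # ID carries no trailing slash; https://storage.azure.com/ (tried in the question)
    # got past the audience check. 'account' is the storage account name (assumed).
    return [f"https://{account}.blob.core.windows.net", "https://storage.azure.com/"]


def diagnose_audience(token: str, account: str) -> str:
    """Explain whether the token's aud claim will pass Storage's audience check."""
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    accepted = expected_audiences(account)
    for a in auds:
        if a in accepted:
            return f"ok: aud {a!r} matches an accepted resource ID"
    # No exact match: see whether only the trailing slash differs, which is the
    # failure mode behind "Audience validation failed. Audience did not match".
    for a in auds:
        if not isinstance(a, str):
            continue
        for want in accepted:
            if a.rstrip("/") == want.rstrip("/"):
                return (f"mismatch: aud {a!r} differs from {want!r} only by a trailing "
                        f"slash; pass {want!r} as the resource to acquireToken")
    return f"mismatch: aud {auds!r} is not a storage resource ID for account {account!r}"


def make_unsigned_token(claims: Dict[str, Any]) -> str:
    # Constructed test token (alg "none", empty signature) for feeding jwt_claims();
    # a real ADAL token is RS256-signed and must never be minted this way.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    for resource in ["https://myaccount.blob.core.windows.net/",
                     "https://myaccount.blob.core.windows.net",
                     "https://storage.azure.com/"]:
        tok = make_unsigned_token({"aud": resource, "scp": "user_impersonation"})
        print(resource, "->", diagnose_audience(tok, "myaccount"))
```

Run it against the real token from AuthenticationResult.getAccessToken() to confirm which resource ID the token was actually issued for before changing headers on the Retrofit side; an aud that differs only by the slash explains the 403, while the 404 in the question means the token was already accepted and the request itself, not the token, needs looking at.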