
Using resource tokens with Azure Cosmos DB

The Discussion

  • Thomas Levesque

    The JWT is never validated. Anyone can generate a dummy JWT, and it will be accepted and exchanged for a valid CosmosDB resource token.

  • @Thomas Levesque: App Service's Authentication / Authorization (aka Easy Auth) feature does the authentication/verification of that JWT for us, so we don't need to manage the complexity of correctly verifying the JWT.

    Easy Auth prevents spoofing of that header when it is turned on. If you don't turn it on, then yes you can spoof that JWT. Make sure you have Easy Auth turned on and you don't have to worry. You can add the verify logic for the JWT in there if you want to protect against Easy Auth being turned off accidentally, but it's not necessary otherwise.

  • Wouldn't it be easier and just as fast to create an Azure Functions Web API, secured by EasyAuth (Azure AD B2C)? Then you could place this in front of each region you deploy the Cosmos DB to? Do you have any demos of this scenario?
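The reply to Thomas Levesque above suggests adding your own JWT verification as protection against Easy Auth being turned off accidentally. The following is an added example of that two-layer check, not code from the video or from Azure: it requires the Easy Auth principal header to be present and then independently verifies the forwarded id token before the broker would mint a Cosmos DB resource token. Assumptions are labelled in the code: real Azure AD tokens are RS256-signed with keys fetched from the tenant's OpenID Connect discovery document, while this example uses HS256 with a shared secret so it runs offline; the audience, issuer and user ids are constructed values. The structural checks (algorithm allow-list, signature, `exp`, `aud`, `iss`, principal/token agreement) are the ones that stop a dummy token from being exchanged.

```python
"""Defence-in-depth check for a Cosmos DB resource-token broker behind
App Service Easy Auth. Added example, not code from the original page.

Assumption (labelled): Azure AD tokens are RS256-signed and verified with
keys from the tenant's OIDC discovery document. To stay offline this example
uses HS256 with a shared secret; everything else about the check is the same.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"demo-shared-secret"                 # stand-in for the tenant signing key
EXPECTED_AUD = "api://cosmos-token-broker"     # assumed application ID URI
EXPECTED_ISS = "https://login.example/tenant"  # assumed issuer value


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, key: bytes = SECRET, alg: str = "HS256", sign: bool = True) -> str:
    """Build a JWT. Used only to construct inputs: a legitimate token and the
    kind of dummy token an attacker can forge when nothing verifies it."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if sign else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Verify signature and core claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Algorithm allow-list: only the expected algorithm, never "none" or
    # whatever the token itself asks for.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong audience")
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    if not claims.get("oid"):
        raise ValueError("missing object id")
    return claims


def authorize_request(headers: dict, now: Optional[float] = None) -> str:
    """Return the caller's user id only if both layers pass:
    1. Easy Auth populated X-MS-CLIENT-PRINCIPAL-ID (so Easy Auth is on), and
    2. the id token Easy Auth forwards in X-MS-TOKEN-AAD-ID-TOKEN verifies
       on its own and names the same user.
    The returned id is what the broker keys the Cosmos DB permission on."""
    principal_id = headers.get("X-MS-CLIENT-PRINCIPAL-ID")
    id_token = headers.get("X-MS-TOKEN-AAD-ID-TOKEN")
    if not principal_id or not id_token:
        raise PermissionError("request did not pass through Easy Auth")
    claims = verify_token(id_token, now=now)
    if claims["oid"] != principal_id:
        raise PermissionError("principal header does not match token")
    return claims["oid"]


if __name__ == "__main__":
    good_claims = {"oid": "user-1", "aud": EXPECTED_AUD, "iss": EXPECTED_ISS, "exp": 2_000_000_000}
    good = mint_token(good_claims)
    print(authorize_request({"X-MS-CLIENT-PRINCIPAL-ID": "user-1",
                             "X-MS-TOKEN-AAD-ID-TOKEN": good}, now=1_000))
    # A dummy token signed by the attacker is rejected even if Easy Auth is off.
    forged = mint_token(good_claims, key=b"attacker-key")
    try:
        verify_token(forged)
    except ValueError as exc:
        print("rejected:", exc)
```

Only the broker's own verification step catches the forged token; the principal-header check alone proves nothing when Easy Auth is disabled, because any client can then send that header itself.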

