Getting started with UWP
Build with Azure. Get free credit and 12 months of access to free products.
Start freeUsing resource tokens with Azure Cosmos DB
Description
You can authorize your applications to connect to Cosmos DB using master keys or resource tokens. Depending on the level of control that is needed, your application may need to use one or even both of these approaches.
In this episode, Chris Anderson (@crandycodes) comes on to show us how to request and make use of resource tokens in Cosmos DB. Along the way, he also shows us some other interesting features in Azure App Service such as EasyAuth and Run-From-Zip deployment.
- [01:23] - Cosmos DB Token provider code
- [04:20] - Future proofing with .NET Standard
- [06:50] - Exploring the token provider implementation
- [10:44] - Cosmos DB keys versus resource tokens
- [12:02] - Demo Acquiring token
- [14:53] - Deploying using run-from-zip
- [21:50] - Setting up EasyAuth
Take a look at the links below that point to code samples, documentation and the official announcements for the features:
- Token Provider sample on GitHub
- Securing access to Azure Cosmos DB data
- Run-From-Zip announcement on GitHub
- Authentication and authorization in Azure App Service
- Create a Free Account (Azure)
Share
Download
More episodes in this series
Azure Service Bus and the .NET Standard SDK
Related episodes
Debugging and Diagnostics of Durable Functions
Managing application permissions with PolicyServer
Jeremy Likness - CosmosDB and .NET Core
Chris Gillum - Serverless workflows with Durable Functions
2016-07-28 | Demystifying the Cloud: How the Hybrid Cloud Can Help Make Your Business More…
Microsoft Stands Firm on Security with Business PCs
Azure Data Lake - Security Essentials
Joël Hébert and Steve Syfuhs on Securing .NET Applications
Fabrikam Jets - Integrating Codename "Dallas" with AppFabric Access Control
Shawn Farkas: CLR 4 - Inside the new Managed Security Model
The Discussion
-
Thomas Levesque The JWT is never validated. Anyone can generate a dummy JWT, and it will be accepted and exchanged for a valid CosmosDB resource token.
-
crandycodes @Thomas Levesque: App Service's Authentication / Authorization (aka Easy Auth) feature does the Authentication/Verification of that JWT for us, so we don't need to manage the complexity of correctly verifying the JWT.
Easy Auth prevents spoofing of that header when it is turned on. If you don't turn it on, then yes you can spoof that JWT. Make sure you have Easy Auth turned on and you don't have to worry. You can add the verify logic for the JWT in there if you want to protect against Easy Auth being turned off accidentally, but it's not necessary otherwise. -
Niner810749 Wouldn't be easier and just as fast to just to create an Azure Functions Web Api, secured by EasyAuth (Azure AD B2C)? Then you could place this in front of each region you deploy the cosmos db? Do you have any demo's of this scenario?
-
Jefferson This approach is sufficient secure for Payment Gateway (Xamarin) app client?
-
crandycodes @Niner810749: You could certainly do that, and that's often the best approach. This model is valuable if you need to provide direct access to Cosmos DB, but need to lock down the permissions you grant.
The token provider sample listed in the description is the main sample we have. We don't currently have any other video content demoing it. -
crandycodes @Jefferson: I can't speak to the payments gateway part, but this is sufficient to grant controlled access to mobile users.