Reputation: 84650
How to get an Azure access token (for an application, not a user) without involving user authentication?
Here's the scenario:
- A game has its own login UI, which authenticates the player to the server using processes that have nothing whatsoever to do with Azure authentication. Actually using Azure authentication will not fly, as this requires sticking a browser into the game to redirect the user through a web authentication flow. This is not happening, because it breaks immersion and severely degrades the player's experience.
- The game client needs to download resources from Azure Blob Storage. These resources are protected by a token.
- The server should be able to create these tokens (for itself, not "on behalf of" any specific user) and send them to the game client, to users that are authenticated to its satisfaction (without Azure authentication for the user!)
I've spent an hour now, searching all throughout the rabbit hole that is Microsoft's documentation on the subject, and I can't for the life of me figure out how to get an access token without the process for authenticating the user forcibly poking its nose into the workflow.
Does anyone know what the proper workflow is for the server app to get a token on behalf of itself using its own client ID/client secret, without the identities of any users being involved anywhere in the process? I don't find it believable that such an important workflow wouldn't exist; I just can't figure out what it is or how to do it. Any help would be appreciated.
Upvotes: 1
Views: 715
Answers (1)
Reputation: 15754
According to my understanding, you want to download things form Azure blob storage with Azure AD auth and you do not want to process the Azure AD auth with users, If so, I suggest you use service principal to process Azure AD auth then download files from Azure blob with the token.
For example
- create a service principal and assign
Storage Blob Data Contributorfor the sp.
az login
az account set --subscription "<your subscription id>"
# it will assign Storage Blob Data Contributor to the sp at subscription level
az ad sp create-for-rbac -n "mysample" --role Storage Blob Data Contributor
- Get access token
POST https://login.microsoftonline.com/<your tannat id>/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=<your sp appId>
&client_secret=<you sp password>
&resource=https://storage.azure.com/
- Download file with the token
Get <you blob url>
x-ms-version: 2017-11-09
Authorization: Bearer <access_token>
Besides, as @Gaurav said, if you deploy your project on Azure VM, you can enable Managed Identity for Vm then use the identity to access Azure storage. For more details, please refer to the document
Upvotes: 2
Related Questions
- How to get access token without sign-up or sign-in to web app?
- Generate access token to authenticate Azure Active directory App
- azure ad how to authenticate using token passed from another application
- Get Access Token from Azure Active Directory using username and password
- C# Get Access Token for Azure AD Identity
- Get Azure AD Access Token from a .NET framework 2.0 ASP.NET app using WebClient or similar method
- How to get access token from Azure AD for TokenCredentials?
- Obtaining a token for a Web API using user credentials
- Getting access token in azure with azure account username and password
- Getting Access Token from Azure AD without user credentials