Azure Storage for app's file Upload/Download feature


  • I am trying to implement file upload and download via my app. I am able to upload and download the files using SAS, but these use time-based tokens. I would like to have something like one-time-token-based access. The app uses its own MS .NET Identity to authenticate the user and then uses different Azure account credentials for Azure access. Prevention against man-in-the-middle is important.

    I used this article


    Friday, 22 June 2018 23:03

All messages

  • You may refer to this link and see if it helps for your scenario. In case it doesn't help, please provide more details about your requirement.

    Azure Storage samples using .NET.

    Saturday, 23 June 2018 06:37
  • Checking in to see if the above answer helped. 
    Let me know if there are still any additional issues I can help with.

    Tuesday, 26 June 2018 04:48
  • Hi,

    Create the policy on your Blob container, folder or file, set the expiration date, which could be some long date and time, and associate this policy to your blobs.

    Tuesday, 26 June 2018 06:14
  • Thanks for your response. I don't think this resolves my issue. In my scenario, there are application users who are downloading files from an Azure Storage Container via SAS token. They use the same Azure account with a security policy on it which limits their access to one container and only the read privilege. The SAS URI uses a token which has a start and end date for its expiration. In the Azure article it was stated that, due to time zone differences, clock skew and other considerations, it is recommended to have a start date which is at least 15 minutes in the past. This will result in the SAS URI being valid for at least 15 minutes. The SAS URI is an HTTPS request in clear text. Anyone who has this URI will be able to access the resource in the Azure container for at least 15 minutes. Using a man-in-the-middle attack, this URI can be stolen and the resource can be downloaded by an unauthorized party.

    But if a one-time token is used for accessing the resource on the Azure Container, then even if the URI is stolen it does not matter, as the URI will be invalid after one use. This is a more secure solution and that is what I am trying to implement for file download from the Azure Container.

    Let me know if you need more explanation.

    Sorry for responding so late.

    Tuesday, 3 July 2018 20:38
  • Unfortunately, SAS tokens are the only way to grant access to a private container in Azure. If SAS tokens do not fit the needs of your application, you might need to put an additional layer between the customer & Azure Storage, or use a different storage hosting solution. 
    Thursday, 12 July 2018 18:57
  • Checking in to see if the above response helped to answer your query. Let us know if there are still any additional issues we can help with.

    Saturday, 14 July 2018 11:37
  • This does not answer my question and the issue is still unresolved. I don't think implementing an additional layer will work, as once the URL is stolen, the attacker can bypass that layer and hit the resource in Azure Storage directly. Besides, it adds more complexity to the architecture and to maintenance. It is disappointing that a simple file download feature does not have full protection against an MITM attack. I will probably look into AWS S3 or save files in the DB. We can close this issue with an understanding that currently there is no solution available in Azure.
    Saturday, 21 July 2018 02:09
  • Hi Mohid, apologies for not finding the answer you were looking for. You are right, you currently can't use a one-time valid token to authenticate to Azure Storage. I'd recommend leaving feedback in here:

    Possible workaround:
    Based on the available parameters for account SAS and service SAS tokens, you could use the IP parameter to specify the IPs outside of Azure from which you would accept the requests. More info can be found here. I hope this helps.

    Monday, 23 July 2018 16:00
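One way to combine the "additional layer" suggested earlier in the thread with the IP-restricted SAS from the last reply, as an added example in C# that is not code from the thread or from Microsoft: the app authenticates the user with its own Identity first, and only then mints a read-only, HTTPS-only SAS for that single blob, valid for two minutes and bound to the caller's IP address. It assumes the Azure.Storage.Blobs v12 SDK (`BlobSasBuilder`, `SasIPRange`, `SasProtocol`, `BlobUriBuilder`); the account name, key, container, blob name and client IP are constructed placeholders, and `IssueForAuthenticatedUser` is a hypothetical helper standing in for the app's own download endpoint.

```csharp
// Added example, not code from the thread. Assumes the Azure.Storage.Blobs
// v12 SDK (NuGet: Azure.Storage.Blobs). Account name/key, container, blob
// name and client IP below are constructed placeholders.
using System;
using System.Net;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Sas;

public static class DownloadSasIssuer
{
    // Mint a read-only SAS for exactly one blob that:
    //  - is only accepted over HTTPS (SasProtocol.Https),
    //  - expires after `lifetime` (keep it to a few minutes),
    //  - is only honoured from `clientIp` (SasIPRange with a single address).
    // StartsOn is left unset so the SAS is valid immediately; the 15-minute
    // clock-skew advice from the Azure docs concerns StartsOn, not ExpiresOn,
    // so the validity window can stay short.
    public static Uri CreateDownloadUri(
        string accountName, string accountKey,
        string containerName, string blobName,
        IPAddress clientIp, TimeSpan lifetime)
    {
        var sas = new BlobSasBuilder
        {
            BlobContainerName = containerName,
            BlobName = blobName,
            Resource = "b",                      // "b" = one blob, not the container
            Protocol = SasProtocol.Https,        // plain-HTTP use of the URL is rejected
            ExpiresOn = DateTimeOffset.UtcNow.Add(lifetime),
            IPRange = new SasIPRange(clientIp),  // single address; no end address given
        };
        sas.SetPermissions(BlobSasPermissions.Read);   // read only: no write/delete/list

        var credential = new StorageSharedKeyCredential(accountName, accountKey);
        var uri = new BlobUriBuilder(new Uri($"https://{accountName}.blob.core.windows.net"))
        {
            BlobContainerName = containerName,
            BlobName = blobName,
            Sas = sas.ToSasQueryParameters(credential),  // signed locally, no network call
        };
        return uri.ToUri();
    }

    // Hypothetical stand-in for the app's download endpoint (the "additional
    // layer"): it runs only after the app's own Identity has authenticated the
    // user, binds the SAS to that caller's IP and returns the redirect target.
    public static Uri IssueForAuthenticatedUser(
        bool userIsAuthenticated, IPAddress callerIp, string blobName,
        string accountName, string accountKey, string containerName)
    {
        if (!userIsAuthenticated)
            throw new UnauthorizedAccessException("sign in before requesting a download link");
        if (callerIp == null)
            throw new ArgumentNullException(nameof(callerIp), "cannot bind a SAS without the caller's IP");

        return CreateDownloadUri(accountName, accountKey, containerName, blobName,
                                 callerIp, TimeSpan.FromMinutes(2));
    }

    public static void Main()
    {
        // Constructed placeholder credentials (an all-zero key, base64 encoded) so
        // the signing step runs offline; real values belong in Key Vault/config.
        string accountName = "exampleaccount";
        string accountKey = Convert.ToBase64String(new byte[64]);

        Uri link = IssueForAuthenticatedUser(
            userIsAuthenticated: true,
            callerIp: IPAddress.Parse("203.0.113.10"),   // constructed documentation address
            blobName: "reports/q2.pdf",
            accountName: accountName, accountKey: accountKey,
            containerName: "downloads");

        Console.WriteLine(link);
    }
}
```

In the app itself the endpoint would pass `HttpContext.Connection.RemoteIpAddress` as `callerIp` and answer with a redirect to the returned URI, so the SAS is never created until the user has passed the app's own authentication. The resulting query string carries `spr=https`, `sip=<ip>`, `sp=r` and a near-term `se=` expiry, which is what limits replay if the link does leak: an attacker would have to use it from the same source address, over TLS, within the two-minute window. A short-lived, IP-bound SAS does not make the link single-use, but it narrows the exposure the thread is worried about to a small window and a single source, and revoking the account key (or, with a stored access policy, the policy) invalidates every outstanding link at once.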