The examples given in the python SDK to access a cosmosdb account only use the masterkey; is it possible access tables or SQL collections using from msrestazure.azure_active_directory import MSIAuthentication or something similar (which for example allows for MSI token auth into keyvault) for auth into cosmos?
(obviously python could manually implement REST API for token auth, just wondering if SDK support is there)
No, Azure Cosmos doesn't support AAD based auth yet, so none of the SDKs support this. A common pattern I've seen to avoid having it in a config file/env variable is to use Azure KeyVault to store the master key, then use MSI to access that key in-memory and pass it into the client constructor.
This is supported on Cosmos DB now. You can try it across all SDKs now, You can check the samples for different SDKS.
Azure Cosmos DB exposes a built-in role-based access control (RBAC) system
which lets you to Authenticate your data requests with an Azure Active Directory (Azure AD) identity.
Related
Firebase has announced a new optional upgrade called Firebase Authentication with Identity Platform, however, the new features already exist on the GCP Identity Platform.
As mentioned in the documentation here
Identity Platform serves as the backend for Firebase Authentication with Identity Platform and the features that are offered are identical.
I want to know:
What is the changes that occurred after the new upgrade has been released, and how can we benefit from it?
Should we now choose to work with only one of Firebase Authentication with Identity Platform and GCP Identity Platform?
What changes should be implemented if I want to migrate from GCP Identity Platform into Firebase Authentication with Identity Platform?
One of my favorite features that are implemented is that we are able to register blocking functions. If you read the docs, you'll all the benefits.
It's up to you to decide, but in my opinion, I would prefer to use the newest solution.
As far as I noticed, none.
Once you migrate, you'll see in the Firebase console in the Authentication section on the top of the page, the following text:
Authentication with Identity Platform
And to answer your question:
What is the difference between Identity Platform and Firebase Authentication with Identity Platform?
The real benefit is that you can use all the other Firebase products.
Edit:
Besides the blocking functions, there are other new features present, that weren't before:
Multi-factor authentication
Sign in with OIDC
Sign in with SAML
Multi-tenancy
IAP integration
In addition to #Alex's answer, upgrading to Identity Platform also let's use disable sign-ups and account deletion from the Firebase client SDK. It's useful when you want to restrict certain users to your application as you'll have to use the Admin SDK to create/delete users.
This along with blocking function and other features were part of Identity Platform already and you were able to upgrade your Firebase project before as well just like in the answer linked above. Firebase just made it easier for you to upgrade and use those features now directly from Firebase console.
Should we now choose to work with only one of Firebase Authentication with Identity Platform and GCP Identity Platform
If you plan to use only E-Mail Password authentication, Google Accounts and do not require blocking functions or so. You can keep using Firebase Authentication only as you won't be charged for it. However, if you upgrade to Identity Platform, you only have 3000 DAU for free.
I'm building a SPA web app (Next.js). My users are logging in via AAD B2C (by using NextAuth.js).
We have files stored in Azure Blob Storage which is created in the same tenant as the B2C. The users are added to different AAD Groups which have RBAC access to the Storage containers.
How do I create userDelegated SAS token for the logged in users to authorise them to read the files?
If userDelegated is no the way to go, how do I secure that only users with correct RBAC get read access to the files?
(Lets assume all the files are shown on the screen)
I've run around in circles in the MS documentations for days, and have been reading here on StackOverflow with no luck.
Accessing Key Vault & Storage is not supported with token obtained using B2C user flow or custom policy. You can request a token using same way that you used with standard Azure AD i.e. using login.microsoftonline.com for B2C tenant as well and access KV or Storage using that token.
There is an active feedback regarding this feature here that you can upvote: https://feedback.azure.com/d365community/idea/c6da0877-b625-ec11-b6e6-000d3a4f0789
Refer to similar issue discussed here with workarounds:
How to authorize Azure B2C user to read blob storage
https://learn.microsoft.com/en-us/answers/questions/31947/get-access-to-azure-blob-storage-and-key-vault-fro.html
Hope this helps. Please let me know if you need any further assistance. Thank you!
I have to build an API using Firebase, and need some help with design choices. I want to be able to sell the API to users, who can then use it to build/integrate their own applications. Users will have both read and write privileges.
General information:
I'm using Firestore db with email & password authentication.
Only specifically assigned users may use the API
Each user may only access specific documents concerning them.
I've noticed 3 different ways in which an API can be provided to a user of my Firestore db:
https triggered cloud functions (https://firebase.google.com/docs/functions/http-events)
Using the SDK (https://firebase.google.com/docs/firestore/client/libraries)
Using the REST API provided by Firbase (https://firebase.google.com/docs/firestore/use-rest-api)
API requirements:
Used only by users that I specifically grant access to (email & password login)
I want to limit these users to only a couple of read/write tasks that they're able to perform.
It needs to be safe.
My current approach is:
Use the 3rd option - the REST API provided by Firebase (thereby giving users the projectId and API key)
Add authorised users to the list of authorised accounts on Firbase, and limit access using custom claims and database rules.
My questions:
It seems that https functions (option 1) are normally used in API building. Are options 2 and 3 unsafe?
What are the normal use cases of the 3 options? When should each be used and when should each be avoided?
Are there any obvious flaws in my choice of option 3?
Any other useful information about making these design decisions will be much appreciated.
Thank you in advance
TL;DL: It depends on what you want to do with this API and how many and what type of devices/users will be calling it.
Before answering your questions I will list below the advantages of each approach:
Cloud Functions:
Cloud Function is a Functions as a Service Solution, so it's also a hosting service for your API, therefore you won't have to provision, manage, or upgrade servers and the API will automatically scale based on the load. Also this option takes into account the pros of SDKs and client libraries, since your code will have to use it to connect to Firestore anyway.
SDKs and client libraries:
This is the easiest and more optimized way to reach Firestore, however, environments where running a native library is not possible such as IOT devices will be left out of your solution, so consider this while implementing this option.
Cloud Firestore REST API:
Every device properly authorized to access Firestore will be able to do so.
NOTE: For both SDK and REST API you will need to consider hosting of your API, either on Cloud Functions, as mentioned, App Engine Standard, App Engine Flex or a Compute Engine Server Instance.
All that being said, it's up to you and your API's usage and requirements to say which option is best considering the points above.
As per security, I'd say that all option can be secure if firebase rules and firebase auth are set correctly.
I have setup a Web App on Azure in a resource group and it doesn't have any connection with Azure Active Directory.
I have added Azure Key Vault into the same resource group where the web app is placed. The thing is that I cannot find a way to use Azure Key Vault in my web app. All the documentations I have found, are explaining how to use it with the apps in the Active Directory.
Does Azure Key Vault work with seperate web apps? If so how can I use it in my app. I will be setting up Drupal and secure the keys with Azure Key Vault.
It would be great if someone could show me a path to take on.
Quoting the doc:
Applications that use a key vault must authenticate by using a token from Azure Active Directory. To do this, the owner of the application must first register the application in their Azure Active Directory.
Also, Key Vault is not supported today in the PHP SDK. See Keyvault support #898. You'll need to work with it by using REST API.
I would like to use the google cloud datastore from Android, so I would not have to set up cloud endpoints et al. Trying the snapshot 1.0.0 libs, the only way to add credentials seems to be via a file name to the private key file. That does not sound right for Android, is there some better way, ideally with an Android example?
You should be able to use the AccountManager for identity management and authentication storage, see https://code.google.com/p/google-api-java-client/wiki/Android.
You should be able to use the Oauth2 flow to get the appropriate credentials, and just pass that in to the DatastoreOptions.
Note that the Cloud Datastore API does not support fine grain ACLs, so the user will have to be an admin of your Project in order to access the API.