I have an ASP.NET Core app that is hosting videos and images as blobs in Azure. Right now I'm providing blob access to users by using SAS tokens with an expiry time embedded in a link. The issue is that the link can be distributed to other users who should not have access to that blob until the SAS token expires and the link is refreshed. I would like to somehow be able to check whether the user accessing the link is logged in to the application and then check whether they have access to that particular blob. Only if the user is logged in and has access to the blob should the blob be delivered. My question is similar to this one: link. I have also read something about Azure ABAC, but it seems that it is a feature in preview and I don't know whether it could help me.
According to the Microsoft docs:
A request to Azure Storage can be authorized using either your Azure AD account or the storage account access key. The key advantage of using Azure Active Directory (Azure AD) with Azure Blob storage or Queue storage is that your credentials no longer need to be stored in your code.
Instead, you can request an OAuth 2.0 access token from the Microsoft identity platform. Azure AD authenticates the security principal (a user, group, or service principal) running the application. If authentication succeeds, Azure AD returns the access token to the application, and the application can then use the access token to authorize requests to Azure Blob storage or Queue storage.
STEPS:

1. Add the `user_impersonation` permission under delegated permissions. Next, grant admin consent for these permissions.
2. Assign these roles to the user: Storage Blob Data Reader or Storage Blob Data Contributor, and the Reader role, at a minimum. To learn how to assign these roles to a user, please follow the instructions provided in Assign Azure roles using the Azure portal.
3. `https://<account>.blob.core.windows.net` is the service endpoint for a given storage account. Use this value to acquire a token for authorizing requests to Azure Blob Storage. Replace the value in brackets with the name of your storage account.

This way, access to Azure blobs can be made secure by allowing access only to logged-in users who have a specific role.
You may also check this blog on how to Secure Azure Blob Storage with Azure API Management & Managed Identities | by Marcus Tee if needed.
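One way to do the gatekeeping the question asks for, as an added example that is not part of the question or the answer above: the ASP.NET Core app authenticates to Storage with its own Azure AD identity (no account key or SAS in the link), requires a signed-in user, checks a per-blob permission in application code, and streams the blob through the app. Assumptions: the NuGet packages `Azure.Identity` and `Azure.Storage.Blobs`; `IMediaAccess` is a hypothetical application service that knows which user may read which blob; the app already has an authentication scheme configured.

```csharp
// Added example, not from the question or answer. Assumes Azure.Identity and
// Azure.Storage.Blobs; IMediaAccess is a hypothetical per-blob policy service.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Storage.Blobs;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public interface IMediaAccess
{
    // Hypothetical: true if this signed-in user may read container/blobName
    // (backed by the application's own data, not by anything in the URL).
    Task<bool> CanReadAsync(ClaimsPrincipal user, string container, string blobName);
}

public static class MediaStorage
{
    // The app's identity (managed identity or developer login via
    // DefaultAzureCredential) needs the Storage Blob Data Reader role on the
    // account; the endpoint is https://<account>.blob.core.windows.net.
    public static IServiceCollection AddMediaStorage(this IServiceCollection services, string accountName) =>
        services.AddSingleton(new BlobServiceClient(
            new Uri($"https://{accountName}.blob.core.windows.net"),
            new DefaultAzureCredential()));

    public static void MapMedia(this WebApplication app)
    {
        app.MapGet("/media/{container}/{*blobName}",
            async (string container, string blobName, ClaimsPrincipal user,
                   IMediaAccess access, BlobServiceClient storage) =>
        {
            // Per-request, per-blob authorization in the app; a forwarded link
            // is useless to anyone the policy does not allow.
            if (!await access.CanReadAsync(user, container, blobName))
                return Results.Forbid();

            var blob = storage.GetBlobContainerClient(container).GetBlobClient(blobName);
            if (!(await blob.ExistsAsync()).Value)
                return Results.NotFound();

            // Proxy the bytes; the client never receives a storage URL or token.
            var download = await blob.DownloadStreamingAsync();
            return Results.Stream(download.Value.Content, download.Value.Details.ContentType);
        })
        .RequireAuthorization(); // 401 for anonymous callers before the policy runs
    }
}
```

Register with `builder.Services.AddMediaStorage("<account>")` and call `app.MapMedia()` after `UseAuthentication()`/`UseAuthorization()`; large videos cost app bandwidth this way, which is the trade-off for keeping authorization per request.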