Authentication

Authentication to the PublicAPI is done via a method called Shared Access Signature (SAS). Developed by Microsoft, this method enables you to grant clients access to resources in your storage account without sharing your access keys. When you give a sender or client a SAS token, they don’t have the key directly, and they cannot reverse the hash to obtain it.

If you change the primary key in the policy, any Shared Access Signatures created from it are invalidated.

Example

POST https://<your-subdomain>.symmetry.net
Content-Type: application/json
Authorization: SharedAccessSignature sr=https%3A%2F%2F<your-subdomain>.symmetry.net&sig=<your signature from the code below>&se=1438205742&skn=KeyName
ContentType: application/atom+xml;type=entry;charset=utf-8

SharedAccessSignature sig=<signature-string>&se=<expiry>&skn=<keyName>&sr=<URL-encoded-resourceURI>
  • se - Token expiry instant. Integer reflecting seconds since the epoch 00:00:00 UTC on 1 January 1970 (UNIX epoch) when the token expires.
  • skn - Name of the authorization rule.
  • sr - URI of the resource being accessed.
  • sig - Signature.
  • cid - Client Id if subdomains are not being used
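/// <summary>
/// Builds a Shared Access Signature token of the form
/// <c>SharedAccessSignature sr=...&amp;sig=...&amp;se=...&amp;skn=...</c> for the URI of <paramref name="topic"/>.
/// </summary>
/// <param name="topic">Value passed to <c>GetUri</c> to obtain the resource URI that is signed.</param>
/// <param name="keyName">Name of the authorization rule; emitted as the <c>skn</c> field.</param>
/// <param name="key">Shared key; its UTF-8 bytes are used as the HMAC-SHA256 key. It is never placed in the token.</param>
/// <param name="ttl">Token lifetime. When omitted, the token is valid for 500 days.</param>
/// <returns>The token string to send in the <c>Authorization</c> header.</returns>
private string CreateSasToken(string topic, string keyName, string key, TimeSpan? ttl = null)
{
  // NOTE(review): the default lifetime is 500 days (the old comment said 8 hours).
  // A leaked token stays usable until it expires or the policy key is changed,
  // so callers should pass a short ttl explicitly wherever they can.
  TimeSpan lifetime = ttl ?? TimeSpan.FromDays(500);

  var uri = GetUri(topic);
  var encodedUri = uri.UrlEncode();

  // 'se' must be a whole number of seconds since the UNIX epoch. Compute it as a long and
  // format it once with the invariant culture so that the value that is signed and the value
  // placed in the token are always the same text (the previous double arithmetic could yield
  // a fractional, culture-dependent string in the signed payload).
  long expirySeconds = DateTimeOffset.UtcNow.ToUnixTimeSeconds() + (long)lifetime.TotalSeconds;
  string expiry = expirySeconds.ToString(CultureInfo.InvariantCulture);

  string stringToSign = encodedUri + "\n" + expiry;

  string signature;
  // HMACSHA256 holds key material and is IDisposable; release it as soon as the hash is computed.
  using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(key)))
  {
    signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
  }

  // NOTE(review): keyName is inserted as-is; presumably rule names contain only URL-safe
  // characters — confirm, or encode it the same way as the other fields.
  return String.Format(CultureInfo.InvariantCulture, "SharedAccessSignature sr={0}&sig={1}&se={2}&skn={3}",
      encodedUri, signature.UrlEncode(), expiry, keyName);
}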