Validating Azure B2C Token Object ID for API Access to Corresponding Azure Storage Container
Hi, currently I have an API that allows users to send requests to an external Azure Function with the role of "Storage Blob Contributor" to upload and download files to my Azure Storage account's containers. Each container corresponds with a customer (so user A would only have access to container A, and user B would only have access to container B), but multiple customers in the future could have access to the same container. Users sign into my API through a SPA that uses B2C. After they sign in, they send a request to the external Azure Function to either download or upload a file, and this request is sent to an external Azure Function that downloads/uploads the files to the storage container based on the request's parameters. The request to the Azure Function includes the B2C token containing the user's object ID, along with the name of the container the user is trying to access.
To not allow users to access containers they shouldn't have access to, I've created a list of verified user object IDs combined with the containers they should have access to, in the format below:
```javascript
// Allow-list entries in the form "<object id>:<container name>"
const userToContainer = [
  '<user a object id>:<container a>',
  '<user b object id>:<container b>'
];
```
The code then takes two values from the request:
- The user's OID from the B2C token
- Container name from the request
These two values are combined into a string in the same format as the list above, and then if they do match an entry then a flag is marked, allowing the request to continue as shown below:
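```javascript
const userRequest = `${objectId}:${containerName}`;
let authorizedFlag = false;
// Compare the request against every "<object id>:<container name>" entry
for (let i = 0; i < userToContainer.length; i++) {
  if (userToContainer[i] === userRequest) {
    authorizedFlag = true;
  }
}
```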
I was wondering if this was a valid way to authenticate users for my API, and if there are any other ways I can authenticate the users.
The main things that I'm worried about are security and scalability.
- For security, without these lines of code users could send requests to any container, allowing different companies access to other companies' files, so I was wondering if this would be enough to authenticate users accessing the API.
- For scalability, there will be about 100 users initially accessing the API, however over time there will be many more users, and keeping a long list of OIDs hard-coded into the Azure Function would be difficult to manage.
Thank you in advance and let me know if anything needs clarification! There are some parts of my API that I didn't mention to keep the question shorter, so let me know if I need to describe anything else.
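
One way to express the check described in the post as a deny-by-default lookup that also covers several users sharing one container; this is an added example, not code from the original post. It assumes the object ID is read from the `oid` claim of a token whose signature, issuer, audience and expiry were already validated, and the names `buildAcl`, `isAuthorized`, `SAMPLE_ACL_JSON` and the sample IDs are constructed for illustration.

```javascript
// Added example: deny-by-default container authorization keyed by object ID.
// All names here (buildAcl, isAuthorized, SAMPLE_ACL_JSON) are hypothetical.

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// Azure container naming rules: 3-63 chars, lowercase letters, digits, single hyphens.
const CONTAINER_RE = /^(?=.{3,63}$)[a-z0-9]+(-[a-z0-9]+)*$/;

// Constructed sample data; in practice this would be loaded from a store
// outside the function code (assumption), not hard-coded.
const SAMPLE_ACL_JSON = JSON.stringify({
  "11111111-1111-1111-1111-111111111111": ["container-a"],
  "22222222-2222-2222-2222-222222222222": ["container-b"],
  "33333333-3333-3333-3333-333333333333": ["container-a", "container-b"]
});

// Parse the mapping into Map<oid, Set<container>>, rejecting malformed entries.
function buildAcl(json) {
  const acl = new Map();
  for (const [oid, containers] of Object.entries(JSON.parse(json))) {
    if (!GUID_RE.test(oid) || !Array.isArray(containers)) {
      throw new Error(`invalid ACL entry for ${oid}`);
    }
    for (const c of containers) {
      if (!CONTAINER_RE.test(c)) throw new Error(`invalid container name ${c}`);
    }
    acl.set(oid.toLowerCase(), new Set(containers));
  }
  return acl;
}

// objectId must come from an already validated token (assumption);
// containerName is untrusted request input and is format-checked here.
function isAuthorized(acl, objectId, containerName) {
  if (typeof objectId !== "string" || typeof containerName !== "string") return false;
  if (!GUID_RE.test(objectId) || !CONTAINER_RE.test(containerName)) return false;
  const allowed = acl.get(objectId.toLowerCase());
  return allowed !== undefined && allowed.has(containerName);
}

const acl = buildAcl(SAMPLE_ACL_JSON);
console.log(isAuthorized(acl, "11111111-1111-1111-1111-111111111111", "container-a")); // true
console.log(isAuthorized(acl, "11111111-1111-1111-1111-111111111111", "container-b")); // false
```

Keeping the mapping as data rather than as strings in the function body means adding a user is a data change, and a request for an unknown user or a malformed container name is rejected before any storage call is made.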