How to use Azure Cosmos DB REST (Data plane) API with AAD RBAC?

Question

How to use Azure Cosmos DB REST (Data plane) API with AAD RBAC?

I am attempting to make a REST request following these instructions which states "The Azure Cosmos DB RBAC is currently supported with the 2021-03-15 version of REST API." Yet when I make a request I get the response "Invalid API version. Ensure a valid x-ms-version header value is passed."

According to this the "latest version" is 2017-02-22 but there are a number of more recent versions, the most recent of which is 2018-12-31. If I switch to 2018-12-31 I get the error "Request blocked by Auth hts : Provided token does not have a valid signature. Please ensure that the AAD token is not being modified before use." I'm pretty sure the token is valid since I can decode it here.

Following is the relevant Dart code:

   Future<String> getCollections() async {  
       await waitForInitialization();  
       var url = 'https://$_account.documents.azure.com/dbs/$databaseName/colls/';  
       var uri = Uri.parse(url);  
       var headers = {  
         'Authorization': 'type=aad&ver=1.0&sig=$_token',  
         'Content-Type': 'application/json',  
         'x-ms-version': '2021-03-15',  
       };  
       var response;  
       try {  
         response = await http.get(uri, headers: headers);  
       } catch (e) {  
         throw StateError(e.toString());  
       }  
       if (response.statusCode != 200) {  
         throw StateError(response.body);  
       }  
       return response.body;  
     }

Saurabh Sharma 17,331 Reputation points Microsoft Employee

2021-06-30T23:36:21.197+00:00

Hi @James G Foster ,

Thanks for using Microsoft Q&A !!

I am looking into this and get back to you.

Thanks
Saurabh
Saurabh Sharma 17,331 Reputation points Microsoft Employee

2021-07-02T21:22:10.007+00:00

Hi @James G Foster ,

I have received the below information -

It looks like provided token does not have a valid signature. Being able to decode the token does not mean that the signature of the token in valid. Can you please ensure that the token has a valid signature.
Also, how are you generating the token ? what all scopes you are passing ?

Thanks
Saurabh
James G Foster 46 Reputation points

2021-07-02T21:38:20.783+00:00

Hi @Saurabh Sharma ,

How would I ensure that the token has a valid signature? I'm able to refresh the token with AAD; is that enough?

I'm generating the token by calling https://login.microsoftonline.com/$_tenantId/oauth2/v2.0/token with appropriate headers and body, including a scope of 'opened offline_access'.

What should I use for 'x-ms-version'? Should I use '2021-03-15'? Should I use '2018-12-31'? Or something else.

James
Saurabh Sharma 17,331 Reputation points Microsoft Employee

2021-07-02T22:46:58.997+00:00

Hi @amesgfoster-9024,
Please change the scope to 'Use https://{0}/.default for scope, where {0} is account endpoint.' e.g. https://<account-name>.documents.azure.com/.default and try checking with 2018-12-31 version.

Thanks
Saurabh

Saurabh Sharma 17,331 Reputation points Microsoft Employee

2021-06-30T23:36:21.197+00:00

Hi @James G Foster ,

Thanks for using Microsoft Q&A !!

I am looking into this and get back to you.

Thanks
Saurabh
Saurabh Sharma 17,331 Reputation points Microsoft Employee

2021-07-02T21:22:10.007+00:00

Hi @James G Foster ,

I have received the below information -

It looks like provided token does not have a valid signature. Being able to decode the token does not mean that the signature of the token in valid. Can you please ensure that the token has a valid signature.
Also, how are you generating the token ? what all scopes you are passing ?

Thanks
Saurabh
James G Foster 46 Reputation points

2021-07-02T21:38:20.783+00:00

Hi @Saurabh Sharma ,

How would I ensure that the token has a valid signature? I'm able to refresh the token with AAD; is that enough?

I'm generating the token by calling https://login.microsoftonline.com/$_tenantId/oauth2/v2.0/token with appropriate headers and body, including a scope of 'opened offline_access'.

What should I use for 'x-ms-version'? Should I use '2021-03-15'? Should I use '2018-12-31'? Or something else.

James
Saurabh Sharma 17,331 Reputation points Microsoft Employee

2021-07-02T22:46:58.997+00:00

Hi @amesgfoster-9024,
Please change the scope to 'Use https://{0}/.default for scope, where {0} is account endpoint.' e.g. https://<account-name>.documents.azure.com/.default and try checking with 2018-12-31 version.

Thanks
Saurabh

Answer 1

Saurabh Sharma 17,331 Microsoft Employee

Hi @James G Foster ,

I have checked the REST call with .NET code and it works fine with the above scope and with "x-ms-version" as "2018-12-31".

Also, please make sure that you are providing RBAC permissions as mentioned over here
I have assigned "Cosmos DB Built-in Data Contributor" role for my testing and it worked as expected.

Result-

Also, here is how my token payload looks like -

I having internal discussion with the products team as it looks like the version mentioned in the documentation is incorrect. Please let me know if you have any questions.

Thanks
Saurabh

James G Foster 46 Reputation points

2021-07-02T23:18:35.847+00:00

Thanks! My getCollections() method now works!
Saurabh Sharma 17,331 Reputation points Microsoft Employee

2021-07-02T23:19:20.657+00:00

@James G Foster Awesome. Great to hear that it started working.

How to use Azure Cosmos DB REST (Data plane) API with AAD RBAC?

0 additional answers

Activity