我正在通过CloudStorageAccount生成SAS,如下所示:
var sharedAccessAccountPolicy = new SharedAccessAccountPolicy
{
Permissions = SharedAccessAccountPermissions.Read | SharedAccessAccountPermissions.Write,
Services = SharedAccessAccountServices.Blob,
ResourceTypes = SharedAccessAccountResourceTypes.Object,
SharedAccessExpiryTime = DateTime.UtcNow.AddYears(1),
Protocols = SharedAccessProtocol.HttpsOnly
};
return cloudStorageAccount.GetSharedAccessSignature(sharedAccessAccountPolicy);
问题是,当我将SAS附加到Blob URL并将结果字符串粘贴到浏览器中时,我得到的AuthenticationFailed (Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature)和Signature did not match详细信息。
如果我在Azure门户(或Azure存储资源管理器)上生成SAS,则SAS可在浏览器中工作。我注意到,SDK生成的SAS与门户生成的SAS之间存在差异。
?sv=2019-02-02,而SDK显示?sv=2018-03-28。有没有办法在SDK中手动配置它以匹配门户?:添加到SAS到期日期,而SDK将%3A添加。这有什么不同吗?这里是SDK的URL和SAS令牌:
https://myaccount.blob.core.windows.net/mycontainer/giphy.gif?sv=2018-03-28&sig=<sigValue>&spr=https&st=2020-02-22T18%3A02%3A12Z&se=2021-02-22T18%3A02%3A12Z&srt=o&ss=b&sp=rw
页面来源:
<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:c662b297-e01e-0065-19ac-e9e3d0000000
Time:2020-02-22T18:17:24.7226395Z</Message><AuthenticationErrorDetail>Signature did not match. String to sign used was myaccount
rw
b
o
2020-02-22T18:02:12Z
2120-02-22T18:02:12Z
https
2018-03-28
</AuthenticationErrorDetail></Error>
这是由门户网站生成的:
?sv=2019-02-02&ss=b&srt=o&sp=rw&se=2021-02-23T02:18:59Z&st=2020-02-22T18:18:59Z&spr=https&sig=<sigValue>
在浪费大量时间试图找出根本原因后,我自己找到了答案。由于某些原因,必须将$spr=https子字符串添加到令牌的末尾。客户端SDK生成令牌时,此子字符串会从头开始出现,并导致身份验证问题。