This is unfortunately a poor design for Azurite's OAuth functionality, since OAuth tokens are one of the only ways to generate user delegation keys via Azurite (required to test self-signed SAS tokens). Since a production token is accepted as is, I MITM'd my own production token and reduced it down to the following anonymous token that is accepted by Azurite using the Java SDK:
Header:
{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "foo",
  "kid": "foo"
}
Payload:
{
  "aud": "https://storage.azure.com",
  "iss": "https://sts.windows.net/foo/",
  "iat": 1734352522,
  "nbf": 1734352522,
  "exp": 2100000000,
  "acr": "1",
  "aio": "",
  "altsecid": "1:live.com:foo",
  "amr": [
    "pwd"
  ],
  "appid": "foo",
  "appidacr": "0",
  "email": "[email protected]",
  "family_name": "foo",
  "given_name": "foo",
  "groups": [
    "foo"
  ],
  "idp": "live.com",
  "idtyp": "user",
  "ipaddr": "127.0.0.1",
  "name": "foo",
  "oid": "foo",
  "puid": "",
  "rh": "foo",
  "scp": "user_impersonation",
  "sub": "",
  "tid": "foo",
  "unique_name": "live.com#[email protected]",
  "uti": "",
  "ver": "1.0",
  "xms_idrel": "16 5"
}
Signature:
invalid_signature
Stitch them all together as a standard JWT token, by encoding each part in base64:
<base64 version of header found above>.<base64 version of payload found above>.invalid_signature
I would paste the entire token, but that would probably flag my account somewhere somehow. If you're using the Java SDK, here's what I have:
val token = ""; // read the JWT token from somewhere;
val bsc = new BlobServiceClientBuilder();
...
bsc.credential(request -> Mono.just(new AccessToken(token, OffsetDateTime.MAX)));
...
PS: This is a replica of my comment here: https://github.com/Azure/Azurite/issues/537#issuecomment-2545729784
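
As an added example (not part of the original comment or the Azurite project), this JDK-only class assembles the token described above, using unpadded base64url for the header and payload segments as the JWT format specifies, and checks that the endpoint it will be sent to is a loopback address. The class name, the `isLoopback` guard, the `https://127.0.0.1:10000/devstoreaccount1` endpoint and the `foo@example.invalid` address (standing in for the e-mail values obscured on the page) are assumptions.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example, not Azurite or Azure SDK code. Requires Java 15+ (text blocks).
public class AzuriteTestToken {
    // JWT segments are base64url without '=' padding (RFC 7515).
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    static final String HEADER = "{\"typ\":\"JWT\",\"alg\":\"RS256\",\"x5t\":\"foo\",\"kid\":\"foo\"}";

    // Claims from the comment above; the e-mail values are constructed placeholders.
    static final String PAYLOAD = """
        {"aud":"https://storage.azure.com","iss":"https://sts.windows.net/foo/",
         "iat":1734352522,"nbf":1734352522,"exp":2100000000,"acr":"1","aio":"",
         "altsecid":"1:live.com:foo","amr":["pwd"],"appid":"foo","appidacr":"0",
         "email":"foo@example.invalid","family_name":"foo","given_name":"foo",
         "groups":["foo"],"idp":"live.com","idtyp":"user","ipaddr":"127.0.0.1",
         "name":"foo","oid":"foo","puid":"","rh":"foo","scp":"user_impersonation",
         "sub":"","tid":"foo","unique_name":"live.com#foo@example.invalid",
         "uti":"","ver":"1.0","xms_idrel":"16 5"}
        """;

    static String segment(String json) {
        return B64URL.encodeToString(json.strip().getBytes(StandardCharsets.UTF_8));
    }

    // header.payload.signature, with the literal placeholder signature from the comment.
    static String buildToken() {
        return segment(HEADER) + "." + segment(PAYLOAD) + ".invalid_signature";
    }

    // Guard (assumption of this example): only hand the token to a loopback emulator.
    static boolean isLoopback(URI endpoint) {
        try {
            String host = endpoint.getHost();
            return host != null && InetAddress.getByName(host).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        URI endpoint = URI.create("https://127.0.0.1:10000/devstoreaccount1"); // assumed local Azurite
        if (!isLoopback(endpoint)) throw new IllegalStateException("not a local emulator: " + endpoint);
        System.out.println(buildToken());
    }
}
```

The string returned by `buildToken()` is what goes into the `AccessToken` constructor in the snippet above.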