
In the reference architectures for IoT Hub/Central you can easily see how the SAS or X509 cert is used for device authentication. As an example, look at this MXChip OTA example (my notes in pink).

Reference Article: Azure MXChip IoT DevKit Firmware OTA (Over-the-Air)

MXChip OTA Example

When we extend out to other Azure services, can you leverage this authentication for other actions, such as downloading files for OTA?

The only approach I can come up with is either:

a) have the download endpoint be "secure" through obscurity (not great), or
b) introduce a shim service and implement an additional authentication layer there.

A seems bad. B seems like a waste. I feel like I'm missing an option C, or lack the right info on the Azure way for this one.

Thanks!

Patrick
  • Are you looking for device authentication to upload a file to an Azure Storage blob? If yes, configure your IoT Central App for device file upload and use the REST APIs for the upload process on the device side. – Roman Kiss Jan 20 '21 at 07:20
  • Hi Roman. No, file downloads for over-the-air update. Just as it is shown in the drawing. – Patrick Jan 20 '21 at 07:22
  • The underlying IoT Hub generates a *sastoken* with *sp=rw*, so the device is authorized for uploading and downloading the requested blob. – Roman Kiss Jan 20 '21 at 07:36

2 Answers

The following are the steps for a device to download a file from the Azure Storage blob container using the IoT Central App:

  1. Configure your IoT Central App for Device file upload.

  2. Upload the requested blob to the configured storage blob container so the device can download it (in my example: container=iotc, deviceId=device123, blobname=test.json).

  3. Generate a device connection string, hostname and sasToken for your IoT Central App; see more implementation details here.

  4. Based on the response from step 3, send a REST POST request to the underlying IoT Hub of your IoT Central App for a specific blob reference, such as:

    {
       "correlationId":"****",
       "hostName":"****.blob.core.windows.net",
       "containerName":"iotc",
       "blobName":"device123/test.json",
       "sasToken":"?sv=2018-03-28&sr=b&sig=****&se=2021-01-20T10%3A26%3A59Z&sp=rw"
    }
    
  5. Based on the response from step 4, download the blob using a REST GET request; see the following example:

    https://****.blob.core.windows.net/iotc/device123/test.json?sv=2018-03-28&sr=b&sig=****&se=2021-01-20T10%3A26%3A59Z&sp=rw
    
  6. Notify the underlying IoT Hub of your IoT Central App that the device has ended the download process; see the REST POST request. Note that the correlationId is the one you received in step 4.

Roman Kiss
  • Thanks Roman, it's going to take me some time to get back on this task, but when I've tested that it works, I'll come back and mark this as an answer. – Patrick Jan 20 '21 at 17:37
  • This does not work as you suggest. You can use `get_storage_info_for_blob(filename)` to establish a session to upload a file. You are returned the information to UPLOAD that _specific_ file into a GUID/filename location. You cannot use that to download other files, such as a common .bin file which you want many devices to access in an OTA process as I mention. I think you should consider removing your answer as it is incorrect. I do appreciate the attempt though. – Patrick Jan 21 '21 at 07:25
  • This answer shows how the iotc device can download a specific blob from the configured Azure Storage blob container. In step 4, the POST request requires you to specify a blobname in its payload, such as a blob for downloading. Note that the returned references are related only to that requested blobname, not to the container. In other words, this download process must be repeated for each downloaded file; that's the only way built into the Azure IoT Hub, and based on that, the above solution is working well. Note that the device can know the blobname(s) for downloading based on the desired property. – Roman Kiss Jan 21 '21 at 08:00
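The six steps above, walked through end to end on the device side as an added example (this is not code from the post, from Microsoft, or from the IoT Central SDK). It builds the device SAS token that authenticates steps 4 and 6, requests a blob reference for one named blob, checks that the SAS the hub returns is blob-scoped (`sr=b`) and points at the expected storage domain, fetches the blob, and closes the correlation. The hub host, storage account, device key, `api-version` value and the `fake_http` transport are all constructed assumptions so the flow runs offline; swap `fake_http` for a real HTTP client to use it against a hub.

```python
"""
Device-side walk-through of the IoT Hub file-upload flow used to download one
blob. Added example, not code from the post or from Microsoft; host names,
device key, blob name, api-version and the fake transport are constructed.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, quote

API_VERSION = "2020-03-13"  # assumption: an IoT Hub device REST api-version


def device_sas_token(hub_host, device_id, device_key_b64, expiry):
    """Device SAS token: HMAC-SHA256 over '<url-encoded resource>\\n<expiry>'
    keyed with the device's symmetric key (device tokens carry no skn)."""
    sr = quote(f"{hub_host}/devices/{device_id}", safe="")
    key = base64.b64decode(device_key_b64)
    digest = hmac.new(key, f"{sr}\n{expiry}".encode(), hashlib.sha256).digest()
    sig = quote(base64.b64encode(digest).decode(), safe="")
    return f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}"


def sas_is_blob_scoped(sas_token):
    """The hub hands back a SAS for one blob (sr=b); refuse anything broader."""
    params = parse_qs(sas_token.lstrip("?"))
    return params.get("sr") == ["b"]


def request_blob_reference(http, hub_host, device_id, auth, blob_name):
    """Step 4: ask the hub for a short-lived SAS covering exactly blob_name."""
    url = f"https://{hub_host}/devices/{quote(device_id, safe='')}/files?api-version={API_VERSION}"
    headers = {"Authorization": auth, "Content-Type": "application/json"}
    status, body = http("POST", url, headers, json.dumps({"blobName": blob_name}))
    if status != 200:
        raise RuntimeError(f"file request failed: HTTP {status}")
    ref = json.loads(body)
    if not sas_is_blob_scoped(ref["sasToken"]):
        raise ValueError("expected a blob-scoped SAS (sr=b)")
    return ref


def blob_download_url(ref, host_suffix=".blob.core.windows.net"):
    """Step 5: build the GET URL; pin the host to the storage domain so a bad
    hub response cannot send the device (and its SAS) somewhere else."""
    if not ref["hostName"].endswith(host_suffix):
        raise ValueError(f"unexpected storage host {ref['hostName']!r}")
    return f"https://{ref['hostName']}/{ref['containerName']}/{quote(ref['blobName'])}{ref['sasToken']}"


def notify_complete(http, hub_host, device_id, auth, correlation_id, ok, status_code):
    """Step 6: close the correlation the hub opened in step 4."""
    url = f"https://{hub_host}/devices/{quote(device_id, safe='')}/files/notifications?api-version={API_VERSION}"
    headers = {"Authorization": auth, "Content-Type": "application/json"}
    payload = {"correlationId": correlation_id, "isSuccess": ok, "statusCode": status_code,
               "statusDescription": "download complete" if ok else "download failed"}
    status, _ = http("POST", url, headers, json.dumps(payload))
    return status == 204


# --- constructed stand-in for the network so the flow runs offline ----------
HUB = "myhub.azure-devices.net"
DEVICE = "device123"
KEY = base64.b64encode(b"constructed-device-key").decode()
STORAGE_REF = {  # shape follows the answer's step-4 response; values are made up
    "correlationId": "corr-0001",
    "hostName": "mystorage.blob.core.windows.net",
    "containerName": "iotc",
    "blobName": "device123/test.json",
    "sasToken": "?sv=2018-03-28&sr=b&sig=masked&se=2021-01-20T10%3A26%3A59Z&sp=rw",
}


def fake_http(method, url, headers, body):
    """Minimal fake of the hub and the storage endpoint for this example."""
    if url.startswith(f"https://{HUB}/"):
        if not headers.get("Authorization", "").startswith("SharedAccessSignature "):
            return 401, "unauthorized"
        if url.endswith(f"/files?api-version={API_VERSION}"):
            return 200, json.dumps(STORAGE_REF)
        if url.endswith(f"/files/notifications?api-version={API_VERSION}"):
            return 204, ""
    if url.startswith(f"https://{STORAGE_REF['hostName']}/") and "sr=b" in url:
        return 200, '{"firmware": "1.2.3"}'
    return 404, ""


def run_flow(http=fake_http, blob_name="device123/test.json"):
    """Steps 3 to 6 in order; returns what a caller would want to inspect."""
    auth = device_sas_token(HUB, DEVICE, KEY, 1700000000)
    ref = request_blob_reference(http, HUB, DEVICE, auth, blob_name)
    url = blob_download_url(ref)
    status, content = http("GET", url, {}, None)
    notified = notify_complete(http, HUB, DEVICE, auth, ref["correlationId"], status == 200, status)
    return {"url": url, "status": status, "content": content, "notified": notified}


if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2))
```

Two things worth noting from the flow: the SAS is bound to the single blob named in step 4 and expires at `se`, so a device needing several files repeats steps 4 to 6 per blob, exactly as the comment thread says; and the SAS only authorizes the fetch, so verifying the signature of the downloaded image before flashing remains a separate step this sketch does not cover.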

With regard to my original question about using the authenticated device session to access other Azure services, both in general and specifically for the purpose of downloading files for OTA: this is not possible.

You either need to implement an additional authentication mechanism and your own service, use the service-specific SDK in your application, or, for the case of Blob Storage with firmware updates, use a publicly available download point.

Note: The answer from Roman shows how to upload and access an uploaded file. It may help some who will end up here.

Patrick