Chilkat.AuthAzureSAS Class Overview
Chilkat.AuthAzureSAS creates Azure Shared Access Signature authentication tokens. It defines the Azure SAS string-to-sign, supplies the account access key used for signing, and identifies which parameters should be included in the generated SAS token query string.
What the Class Is Used For
Use Chilkat.AuthAzureSAS when an application needs to authenticate Azure Storage REST requests with a Shared Access Signature. The object is commonly used as a way to specify Azure SAS credentials for the Chilkat.Rest class. It prepares the SAS token that can be added to REST requests so Azure can verify the request permissions, resource, expiration, protocol, and other signed values.
Use with Chilkat.Rest
AuthAzureSAS is used to specify Azure SAS credentials for requests made with Chilkat.Rest. The AuthAzureSAS object is configured with the signing key, the string-to-sign format, and the required SAS parameters. The generated token is then used by REST requests that access Azure Storage resources.
| Responsibility | Handled By | Description |
|---|---|---|
| Build the SAS signing data | AuthAzureSAS | Defines the ordered fields used to create the Azure SAS string-to-sign. |
| Generate the SAS token | AuthAzureSAS | Uses the private access key and configured parameters to produce the SAS query token. |
| Send the Azure REST request | Chilkat.Rest | Uses the SAS credentials when making HTTP requests to Azure Storage. |
Typical Workflow
- Create an AuthAzureSAS object.
- Set AccessKey to the private Azure Storage account access key.
- Set StringToSign to the comma-separated list of fields required for the Azure SAS signature.
- Add SAS fields with SetTokenParam when the value must be included in the string-to-sign and also appear in the token query parameters.
- Add signing-only fields with SetNonTokenParam when the value must be included in the string-to-sign but not included in the token query parameters.
- Call GenerateToken to produce the SAS token.
- Use the token with Azure Storage REST requests, typically through Chilkat.Rest.
- If something fails or behaves unexpectedly, inspect LastErrorText.
Core Concepts
| Concept | Meaning | Important Members |
|---|---|---|
| Access Key | The private base64 signing key used to generate the SAS signature. | AccessKey |
| String-to-Sign Format | A comma-separated list of field names that defines the order of values to be signed. | StringToSign |
| Token Parameter | A value included in the string-to-sign and also emitted in the SAS query token. | SetTokenParam |
| Non-Token Parameter | A value included in the string-to-sign but not emitted in the SAS query token. | SetNonTokenParam |
| Generated SAS Token | The final query-string token generated from the configured signing fields and access key. | GenerateToken |
| Credential Reset | Clears previously configured token and non-token parameters. | Clear |
Properties
| Property | Purpose | Guidance |
|---|---|---|
| AccessKey | The private Azure access key used to sign the SAS token. | This is a base64 string and must be kept private. Do not log it, expose it in client-side code, or store it where unauthorized users can read it. |
| StringToSign | Defines the format and order of the values that are signed. | Set this to a comma-separated list of field names required by the Azure SAS token type being generated. |
| LastErrorText | Diagnostic information for the last method or property access. | Check after failures or unexpected behavior. Diagnostic information may be available regardless of success or failure. |
Understanding StringToSign
StringToSign is a comma-separated list of parameter names. Chilkat builds the actual string-to-sign by taking the value for each named parameter and joining those values with line-feed \n characters in the exact order specified.
| Example StringToSign |
|---|
| signedpermissions,signedstart,signedexpiry,canonicalizedresource,signedidentifier,signedIP,signedProtocol,signedversion,rscc,rscd,rsce,rscl,rsct |
| Resulting Value Order | Separator |
|---|---|
|
signedpermissions signedstart signedexpiry canonicalizedresource signedidentifier signedIP signedProtocol signedversion rscc rscd rsce rscl rsct |
Values are joined with LF line endings: \n |
Token vs Non-Token Parameters
| Method | Included in String-to-Sign? | Included in Token Query Params? | Use When |
|---|---|---|---|
| SetTokenParam | Yes | Yes | Use for SAS values that must both participate in the signature and be sent to Azure as query parameters. |
| SetNonTokenParam | Yes | No | Use for values needed only for signing, such as values that form part of the string-to-sign but should not be emitted in the generated token. |
Methods
| Method | Purpose | Important Details |
|---|---|---|
| SetTokenParam | Adds a parameter value that is included in the string-to-sign and also included in the generated token query parameters. | Takes a signing name, an auth/query parameter name, and a value. |
| SetNonTokenParam | Adds a parameter value that is included in the string-to-sign but not included in the generated token query parameters. | Use for signing-only values. |
| GenerateToken | Generates and returns the SAS token. | The token is based on AccessKey, StringToSign, and all configured token and non-token parameters. |
| Clear | Clears all parameters previously set by SetTokenParam and SetNonTokenParam. | Use before reusing the object for a different SAS token. |
Method Summary by Category
| Category | Members | Purpose |
|---|---|---|
| Signing configuration | AccessKey, StringToSign | Define the signing key and the ordered list of fields to sign. |
| Parameter setup | SetTokenParam, SetNonTokenParam | Add values used when building the string-to-sign and generated SAS token. |
| Token generation | GenerateToken | Produce the SAS token from the configured fields. |
| Reset | Clear | Remove all configured token and non-token parameters. |
| Diagnostics | LastErrorText | Read diagnostic information after failed or unexpected operations. |
Security Notes
| Item | Security Guidance |
|---|---|
| AccessKey | Treat the access key as a secret. It can be used to generate SAS tokens, so it should never be exposed to untrusted clients, logs, browser JavaScript, or public source control. |
| Generated SAS token | Treat generated SAS tokens as credentials. A token may grant access until it expires or is otherwise invalidated. |
| Permissions and expiry | Use the minimum permissions and shortest reasonable expiration for the task being performed. |
| Reuse | Call Clear before reusing the object for a different token to avoid accidentally carrying over old parameters. |
Diagnostics and Troubleshooting
| Problem Area | Member | What to Check |
|---|---|---|
| Generated token is rejected by Azure | StringToSign, SetTokenParam, SetNonTokenParam | Verify that the string-to-sign fields, order, values, and token parameter names match the SAS token type being generated. |
| Signature appears incorrect | AccessKey, StringToSign | Confirm the access key is the correct base64 signing key and that the string-to-sign contains exactly the expected values separated by LF characters. |
| Expected query parameter is missing | SetTokenParam | Use SetTokenParam for values that must appear in the generated SAS token query string. |
| Signing-only value appears in token | SetNonTokenParam | Use SetNonTokenParam for values that should be signed but not emitted as query parameters. |
| Old parameter values affect a new token | Clear | Clear the object before configuring it for a new SAS token. |
| Need operation details after failure | LastErrorText | Check diagnostic text after failed or unexpected token generation or parameter-setting behavior. |
Common Pitfalls
| Pitfall | Better Approach |
|---|---|
| Using the wrong field order in StringToSign. | Set StringToSign to the exact comma-separated order required for the Azure SAS token being generated. |
| Putting a signing-only value in the generated token. | Use SetNonTokenParam when the value should be included only in the string-to-sign. |
| Expecting SetNonTokenParam values to appear in the token. | Use SetTokenParam when the value must also be emitted as a query parameter. |
| Reusing the object without clearing old parameters. | Call Clear before configuring a different SAS token. |
| Logging or exposing AccessKey. | Treat the access key as a private secret. |
| Checking only client-side generation and ignoring the Azure request result. | After using the token with Chilkat.Rest, inspect the HTTP response from Azure to diagnose permission, expiry, resource, or signature errors. |
Best Practices
| Recommendation | Reason |
|---|---|
| Keep AccessKey private. | The access key can generate SAS tokens and should be protected as a secret. |
| Set StringToSign deliberately. | The signature depends on the exact order and values used in the string-to-sign. |
| Use SetTokenParam only for values that belong in the token query string. | This keeps the generated SAS token aligned with Azure's expected query parameters. |
| Use SetNonTokenParam for signing-only values. | Some values may be needed for signing but should not be included as token query parameters. |
| Call Clear before generating a different token. | It prevents old parameter values from affecting the next token. |
| Inspect LastErrorText after failures. | It provides diagnostic detail for failed parameter setup or token generation. |
| After using the token with Chilkat.Rest, inspect Azure's HTTP response. | Token generation may succeed even if Azure later rejects the request due to permissions, expiry, resource path, or signature mismatch. |
Summary
Chilkat.AuthAzureSAS is the Chilkat helper class for generating Azure Shared Access Signature tokens. It is commonly used with Chilkat.Rest as a way to specify Azure SAS credentials for REST requests. The class uses a private AccessKey, a configured StringToSign, and token or non-token parameters to generate the SAS token.
The most important practical guidance is to keep the access key private, define the exact string-to-sign field order, distinguish token parameters from signing-only parameters, call Clear before reusing the object for a different token, and inspect both LastErrorText and the Azure HTTP response when troubleshooting.