Allow HTTP with OAuth

[jongio]

Right now in order to use the Azure SDKs with Azurite we have to enable OAuth and HTTPS. Setting up HTTPS locally is a pain. Especially when dealing with containers.

It would be great if we could allow HTTP with OAuth so that we can have a better local dev experience. We'll obviously need to make sure the security is tight and on box only.

Here's the related SDK issuue: azure/azure-sdk#2195

[XiaoningLiu]

Thanks Jon!

The initial thought is to add a parameter to by pass HTTP validation for OAuth requests. Like --bypassHttps. @blueww any other thoughts on this?

[blueww]

@jongio From Oauth protocol, it only support Https. I doubt should we support oauth+http, this might has potential security hole, and can give user wrong expectation for azure server.

We might should evaluate the detail pain of the setting up https locally, and see is there any way to reduce the pain without adding oauth + http support.

[jongio]

But with Azure SDK and Azurite we aren't doing a round trip, the Azure SDK has already acquired the token and has allowed it because it is Azurite only. Once the referenced issue above is implemented.

So, while OAuth doesn't allow it, in this case it might be okay.

[XiaoningLiu]

This change depends on Azure/azure-sdk#2195. Let's wait for SDK support.

[takekazuomi]

@XiaoningLiu

Thanks to the team for their great work.

It's been a while, so here's a little extra information: The following API documentation states that when used with the Local Storage service, "Get User Delegation Key" is accessed via HTTP.

https://learn.microsoft.com/en-us/rest/api/storageservices/get-user-delegation-key

This should be a REST API specification, not an SDK specification.

Or is this a documentation error?