I'm trying to achieve completely "serverless" status for my app with some simple CRUD operations, so my current approach is Blazor WASM on front-end and CosmosDB as records storage. I've configured AAD (Azure Active Directory) authentication in my Blazor App, and as for now, I'm wondering if there is any way to restrict the CosmosDB client in Blazor to read only records which belong to the current user specifically (each record has a UserId field)? So, the main thing that I want to know is whether it is possible at all? Because I've found plenty of different documentation, but because of my lack of experience with Azure, I can't completely figure it out.
Thank you in advance!
P.S. The main solution I would like to approach - completely avoid any backend (API/servers/Azure Functions), because I really want to make it just Client App <-> CosmosDB, and AFAIK Firebase with a JavaScript front-end allows such a trick, but I'm interested in an Azure-specific solution here.
CodePudding user response:
I don't have a simple walkthrough for Blazor, but overall the process would be similar to this guidance:
- On login, the Blazor WASM contacts Azure App Service to initiate an authentication flow.
- Azure App Service performs an Open Auth flow with Azure AD. After the authentication flow completes, the Blazor WASM receives an access token.
- The Blazor WASM uses the access token to request a resource token from the resource token broker.
- The resource token broker uses the access token to request the user's identity from Azure AD. The user's identity is then used to request a resource token from Cosmos DB, which is used to grant read/write access to the authenticated user's partitioned collection.
- The Blazor WASM uses the resource token to directly access Cosmos DB resources with the permissions defined by the resource token.
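The broker step and the final client step above, as an added example that is not part of the answer: it assumes the .NET Cosmos DB SDK v3, a container partitioned on /UserId, and that the broker has already validated the AAD access token and holds its claims in a ClaimsPrincipal. The class and method names are hypothetical.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Azure.Cosmos;

// Broker side (hypothetical class; runs with the account key, never in the browser).
// Mints a short-lived resource token scoped to exactly one partition: the caller's UserId.
public class ResourceTokenBroker
{
    private readonly CosmosClient _client;
    private readonly Database _db;
    private readonly Container _container;   // assumed partitioned on /UserId

    public ResourceTokenBroker(string endpoint, string accountKey, string dbId, string containerId)
    {
        _client = new CosmosClient(endpoint, accountKey);
        _db = _client.GetDatabase(dbId);
        _container = _db.GetContainer(containerId);
    }

    public async Task<string> MintTokenAsync(ClaimsPrincipal caller)
    {
        // The partition key comes from the validated AAD token's object id ('oid'),
        // never from anything the client sends in the request body.
        string userId = caller.FindFirst("oid")?.Value
            ?? throw new UnauthorizedAccessException("access token has no oid claim");
        await _db.UpsertUserAsync(userId);          // one Cosmos DB user per AAD user
        User user = _db.GetUser(userId);
        // Permission = this container + this partition only; other partitions return 403.
        var props = new PermissionProperties(
            id: "own-records",
            permissionMode: PermissionMode.All,
            container: _container,
            resourcePartitionKey: new PartitionKey(userId));
        PermissionResponse resp = await user.UpsertPermissionAsync(props, tokenExpiryInSeconds: 3600);
        return resp.Resource.Token;               // hand this to the Blazor client, not the account key
    }
}

// Client side (Blazor WASM): holds only the resource token; Gateway mode because the browser
// can only speak HTTPS, not the SDK's direct TCP mode.
public static class UserScopedCosmos
{
    public static CosmosClient Create(string endpoint, string resourceToken) =>
        new CosmosClient(endpoint, resourceToken,
            new CosmosClientOptions { ConnectionMode = ConnectionMode.Gateway });

    // Every query must name the user's own partition; the token rejects any other.
    public static FeedIterator<T> OwnRecords<T>(Container c, string userId) =>
        c.GetItemQueryIterator<T>("SELECT * FROM c",
            requestOptions: new QueryRequestOptions { PartitionKey = new PartitionKey(userId) });
}
```

The token expires after at most five hours (here one hour), so the client has to ask the broker for a fresh one when Cosmos DB starts answering 401.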