Configure authentication

Azure Remote Rendering uses the same authentication mechanism as Azure Spatial Anchors (ASA). Clients need to set one of the following to call the REST APIs successfully:

  • AccountKey: can be obtained in the "Keys" tab for the Remote Rendering account on the Azure portal. Account Keys are only recommend for development/prototyping. Account ID

  • AuthenticationToken: is an Azure AD token, which can be obtained by using the MSAL library. There are multiple different flows available to accept user credentials and use those credentials to obtain an access token.

  • MRAccessToken: is an MR token, which can be obtained from Azure Mixed Reality Security Token Service (STS). Retrieved from the https://sts.mixedreality.azure.com endpoint using a REST call similar to the below call:

    GET https://sts.mixedreality.azure.com/Accounts/35d830cb-f062-4062-9792-d6316039df56/token HTTP/1.1
    Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni<truncated>FL8Hq5aaOqZQnJr1koaQ
    Host: sts.mixedreality.azure.com
    Connection: Keep-Alive
    
    HTTP/1.1 200 OK
    Date: Tue, 24 Mar 2020 09:09:00 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 1153
    Accept: application/json
    MS-CV: 05JLqWeKFkWpbdY944yl7A.0
    {"AccessToken":"eyJhbGciOiJSUzI1<truncated>uLkO2FvA"}
    

    Where the Authorization header is formatted as follows: Bearer <Azure_AD_token> or Bearer <accoundId>:<accountKey>. The former is preferable for security. The token returned from this REST call is the MR access token.

Authentication for deployed applications

Account keys are recommended for quick prototyping, during development only. It's recommended not to ship your application to production using an embedded account key in it. The recommended approach is to use a user-based or service-based Azure AD authentication approach.

Azure AD authentication is described in the Azure AD user authentication section of the Azure Spatial Anchors (ASA) service.

For more information, see the Tutorial: Securing Azure Remote Rendering and model storage - Azure Active Directory authentication

Azure role-based access control

To help control the level of access granted your service, use the following roles when granting role-based access:

  • Remote Rendering Administrator: Provides user with conversion, manage session, rendering, and diagnostics capabilities for Azure Remote Rendering.
  • Remote Rendering Client: Provides user with manage session, rendering, and diagnostics capabilities for Azure Remote Rendering.

Next steps