Azure Container Apps authentication supports a feature called token store. A token store is a repository of tokens that are associated with the users of your web apps and APIs. You enable a token store by configuring your container app with an Azure Blob Storage container.
Your application code sometimes needs to access data from identity providers on the user's behalf, such as:
- Post to an authenticated user's Facebook timeline
- Read a user's corporate data using the Microsoft Graph API
You typically need to write code to collect, store, and refresh tokens in your application. With a token store, you can retrieve tokens when you need them, and tell Container Apps to refresh them as they become invalid.
When token store is enabled, the Container Apps authentication system caches ID tokens, access tokens, and refresh tokens for the authenticated session, and they're accessible only by the associated user.
Note
The token store feature is in preview.
Generate a SAS URL
Before you can create a token store for your container app, you first need an Azure Storage account with a private blob container.
- Go to your storage account or create a new one in the Azure portal. 
- Select Containers and create a private blob container if necessary. 
- In the row for the storage container where you want to create the token store, select the three dots (•••) menu, and then select Generate SAS. 
- Enter the values appropriate for your needs in the Generate SAS window.
  - Make sure you include the read, write, and delete permissions in your definition.
  - Note: To ensure access to your container doesn't cease, make sure you keep track of your SAS expiration dates.
- Select the Generate SAS token URL button to generate the SAS URL. 
- Copy the SAS URL and paste it into a text editor for use in a following step. 
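Before you save the SAS URL as a secret, you can check it locally against the requirements above: read, write, and delete permissions, container scope, and an expiration date you're tracking. The following Python check is an added example, not part of the original documentation; the function name `check_sas_url`, the 30-day warning window, and the sample URL (account, container, and signature) are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

REQUIRED = set("rwd")  # read, write, delete: the permissions this page calls for

def check_sas_url(sas_url, now=None, warn_days=30):
    """Return a list of findings for a blob container SAS URL (empty = OK)."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(sas_url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []

    if parts.scheme != "https":
        findings.append("URL is not https")

    # sp = signed permissions, one letter per permission
    perms = set(q.get("sp", ""))
    missing = REQUIRED - perms
    if missing:
        findings.append("missing permissions: " + "".join(sorted(missing)))
    extra = perms - REQUIRED
    if extra:
        findings.append("permissions beyond r/w/d: " + "".join(sorted(extra)))

    # sr = signed resource; "c" means the SAS is scoped to a container
    if q.get("sr") != "c":
        findings.append("sr is not 'c' (container-scoped SAS expected)")

    # se = signed expiry, ISO 8601 UTC
    try:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append("SAS has expired")
        elif expiry - now < timedelta(days=warn_days):
            findings.append(f"SAS expires in {(expiry - now).days} days")
    except (KeyError, ValueError):
        findings.append("missing or unparseable se (expiry)")
    return findings

# Constructed sample: account, container and signature are placeholders.
SAMPLE = ("https://examplestore.blob.core.windows.net/tokenstore"
          "?sp=rwd&st=2030-01-01T00:00:00Z&se=2030-03-01T00:00:00Z"
          "&spr=https&sv=2022-11-02&sr=c&sig=PLACEHOLDER")

if __name__ == "__main__":
    for finding in check_sas_url(SAMPLE) or ["OK"]:
        print(finding)
```

Running the same check on a schedule against the stored SAS URL gives you advance warning before the token store loses access to the container.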
Save SAS URL as secret
With the SAS URL generated, you can save it in your container app as a secret. Make sure the permissions associated with your store include valid permissions to your blob storage container.
- Go to your container app in the Azure portal. 
- Select Secrets. 
- Select Add and enter the following values in the Add secret window.
  - Note: All the properties in the Add secret window are mandatory.
| Property | Value | 
|---|---|
| Key | Enter a name for your SAS secret. | 
| Type | Select Container Apps secret. | 
| Value | Enter the SAS URL value you generated from your storage container. | 
Create a token store
Use the containerapp auth update command to associate your Azure Storage account with your container app and create the token store.
In this example, replace the placeholder tokens surrounded by <> brackets with your values.
```bash
az containerapp auth update \
  --resource-group <RESOURCE_GROUP_NAME> \
  --name <CONTAINER_APP_NAME> \
  --sas-url-secret-name <SAS_SECRET_NAME> \
  --token-store true
```
Additionally, you can create your token store with the sasUrlSettingName property using an ARM template.