A client, be it a browser 💻, a mobile app 📱, or an IoT device 💡, uses a Client Access URL to connect and authenticate with your resource. This URL follows a pattern of wss://<service_name>.webpubsub.azure.com/client/hubs/<hub_name>?access_token=<token>. This article shows you several ways to get the Client Access URL.
In the Keys tab in Azure portal, there's a Client URL Generator tool to quickly generate a Client Access URL for you, as shown in the following diagram. Values input here aren't stored.
Generate from service SDK
The same Client Access URL can be generated by using the Web PubSub server SDK.
Generate Client Access URL by calling WebPubSubServiceClient.getClientAccessToken:
Configure user ID
GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();
option.setUserId(id);
WebPubSubClientAccessToken token = service.getClientAccessToken(option);
Configure the lifetime of the token
GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();
option.setExpiresAfter(Duration.ofDays(1));
WebPubSubClientAccessToken token = service.getClientAccessToken(option);
Configure a role that can join group group1 directly when it connects using this Client Access URL
GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();
option.addRole("webpubsub.joinLeaveGroup.group1");
WebPubSubClientAccessToken token = service.getClientAccessToken(option);
Configure a role that the client can send messages to group group1 directly when it connects using this Client Access URL
GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();
option.addRole("webpubsub.sendToGroup.group1");
WebPubSubClientAccessToken token = service.getClientAccessToken(option);
Configure a group group1 that the client joins once it connects using this Client Access URL
GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();
option.setGroups(Arrays.asList("group1")),
WebPubSubClientAccessToken token = service.getClientAccessToken(option);
In real-world code, we usually have a server side to host the logic generating the Client Access URL. When a client request comes in, the server side can use the general authentication/authorization workflow to validate the client request. Only valid client requests can get the Client Access URL back.
Invoke the Generate Client Token REST API
You can enable Microsoft Entra ID in your service and use the Microsoft Entra token to invoke Generate Client Token rest API to get the token for the client to use.