Merge pull request #235182 from vicancy/patch-6

ttorble · web-flow · commit 128ba485a92a · 2023-04-24T10:29:13.000+01:00
Add doc for client access url
diff --git a/articles/azure-web-pubsub/howto-generate-client-access-url.md b/articles/azure-web-pubsub/howto-generate-client-access-url.md
@@ -0,0 +1,160 @@
+---
+title: How to generate client access URL for  Azure Web PubSub clients
+description: How to generate client access URL for Azure Web PubSub clients.
+author: vicancy
+ms.author: lianwei
+ms.date: 04/25/2023
+ms.service: azure-web-pubsub
+ms.topic: how-to
+---
+
+# How to generate client access URL for the clients
+
+A client, be it a browser 💻, a mobile app 📱, or an IoT device 💡, uses a **Client Access URL** to connect and authenticate with your resource. This URL follows a pattern of `wss://<service_name>.webpubsub.azure.com/client/hubs/<hub_name>?access_token=<token>`. This article shows you several ways to get the Client Access URL. 
+
+- For quick start, copy one from the Azure portal
+- For development, generate the value using [Web PubSub server SDK](./reference-server-sdk-js.md)
+- If you're using Azure AD, you can also invoke the [Generate Client Token REST API](/rest/api/webpubsub/dataplane/web-pub-sub/generate-client-token)
+
+## Copy from the Azure portal
+In the Keys tab in Azure portal, there's a Client URL Generator tool to quickly generate a Client Access URL for you, as shown in the following diagram. Values input here aren't stored.
+
+:::image type="content" source="./media/howto-websocket-connect/generate-client-url.png" alt-text="Screenshot of the Web PubSub Client URL Generator.":::
+
+## Generate from service SDK
+The same Client Access URL can be generated by using the Web PubSub server SDK.
+
+# [JavaScript](#tab/javascript)
+
+1. Follow [Getting started with server SDK](./reference-server-sdk-js.md#getting-started) to create a `WebPubSubServiceClient` object `service`
+
+2. Generate Client Access URL by calling `WebPubSubServiceClient.getClientAccessToken`:
+    * Configure user ID
+        ```js
+        let token = await serviceClient.getClientAccessToken({ userId: "user1" });
+        ```
+    * Configure the lifetime of the token
+        ```js
+        let token = await serviceClient.getClientAccessToken({ expirationTimeInMinutes: 5 });
+        ```
+    * Configure a role that can join group `group1` directly when it connects using this Client Access URL
+        ```js
+        let token = await serviceClient.getClientAccessToken({ roles: ["webpubsub.joinLeaveGroup.group1"] });
+        ```
+    * Configure a role that the client can send messages to group `group1` directly when it connects using this Client Access URL
+        ```js
+        let token = await serviceClient.getClientAccessToken({ roles: ["webpubsub.sendToGroup.group1"] });
+        ```
+    * Configure a group `group1` that the client joins once it connects using this Client Access URL
+        ```js
+        let token = await serviceClient.getClientAccessToken({ groups: ["group1"] });
+        ```
+
+# [C#](#tab/csharp)
+
+1. Follow [Getting started with server SDK](./reference-server-sdk-csharp.md#getting-started) to create a `WebPubSubServiceClient` object `service`
+
+2. Generate Client Access URL by calling `WebPubSubServiceClient.GetClientAccessUri`:
+    * Configure user ID
+        ```csharp
+        var url = service.GetClientAccessUri(userId: "user1");
+        ```
+    * Configure the lifetime of the token
+        ```csharp
+        var url = service.GetClientAccessUri(expiresAfter: TimeSpan.FromMinutes(5));
+        ```
+    * Configure a role that can join group `group1` directly when it connects using this Client Access URL
+        ```csharp
+        var url = service.GetClientAccessUri(roles: new string[] { "webpubsub.joinLeaveGroup.group1" });
+        ```
+    * Configure a role that the client can send messages to group `group1` directly when it connects using this Client Access URL
+        ```csharp
+        var url = service.GetClientAccessUri(roles: new string[] { "webpubsub.sendToGroup.group1" });
+        ```
+    * Configure a group `group1` that the client joins once it connects using this Client Access URL
+        ```csharp
+        var url = service.GetClientAccessUri(groups: new string[] { "group1" });
+        ```
+
+# [Python](#tab/python)
+
+1. Follow [Getting started with server SDK](./reference-server-sdk-python.md#install-the-package) to create a `WebPubSubServiceClient` object `service`
+
+2. Generate Client Access URL by calling `WebPubSubServiceClient.get_client_access_token`:
+    * Configure user ID
+        ```python
+        token = service.get_client_access_token(user_id="user1")
+        ```
+    * Configure the lifetime of the token
+        ```python
+        token = service.get_client_access_token(minutes_to_expire=5)
+        ```
+    * Configure a role that can join group `group1` directly when it connects using this Client Access URL
+        ```python
+        token = service.get_client_access_token(roles=["webpubsub.joinLeaveGroup.group1"])
+        ```
+    * Configure a role that the client can send messages to group `group1` directly when it connects using this Client Access URL
+        ```python
+        token = service.get_client_access_token(roles=["webpubsub.sendToGroup.group1"])
+        ```
+    * Configure a group `group1` that the client joins once it connects using this Client Access URL
+        ```python
+        token = service.get_client_access_token(groups=["group1"])
+        ```
+
+# [Java](#tab/java)
+
+1. Follow [Getting started with server SDK](./reference-server-sdk-java.md#getting-started) to create a `WebPubSubServiceClient` object `service`
+
+2. Generate Client Access URL by calling `WebPubSubServiceClient.getClientAccessToken`:
+    * Configure user ID
+        ```java
+        GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();
+        option.setUserId(id);
+        WebPubSubClientAccessToken token = service.getClientAccessToken(option);
+        ```
+    * Configure the lifetime of the token
+        ```java
+        GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();
+        option.setExpiresAfter(Duration.ofDays(1));
+        WebPubSubClientAccessToken token = service.getClientAccessToken(option);
+        ```
+    * Configure a role that can join group `group1` directly when it connects using this Client Access URL
+        ```java
+        GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();
+        option.addRole("webpubsub.joinLeaveGroup.group1");
+        WebPubSubClientAccessToken token = service.getClientAccessToken(option);
+        ```
+    * Configure a role that the client can send messages to group `group1` directly when it connects using this Client Access URL
+        ```java
+        GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();
+        option.addRole("webpubsub.sendToGroup.group1");
+        WebPubSubClientAccessToken token = service.getClientAccessToken(option);
+        ```
+    * Configure a group `group1` that the client joins once it connects using this Client Access URL
+        ```java
+        GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();
+        option.setGroups(Arrays.asList("group1")),
+        WebPubSubClientAccessToken token = service.getClientAccessToken(option);
+        ```
+---
+
+In real-world code, we usually have a server side to host the logic generating the Client Access URL. When a client request comes in, the server side can use the general authentication/authorization workflow to validate the client request. Only valid client requests can get the Client Access URL back.
+
+## Invoke the Generate Client Token REST API
+
+You can enable Azure AD in your service and use the Azure AD token to invoke [Generate Client Token rest API](/rest/api/webpubsub/dataplane/web-pub-sub/generate-client-token) to get the token for the client to use.
+
+1. Follow [Authorize from application](./howto-authorize-from-application.md) to enable Azure AD.
+2. Follow [Get Azure AD token](./howto-authorize-from-application.md#use-postman-to-get-the-azure-ad-token) to get the Azure AD token with Postman.
+3. Use the Azure AD token to invoke `:generateToken` with Postman:
+    1. For the URI, enter `https://{Endpoint}/api/hubs/{hub}/:generateToken?api-version=2022-11-01`
+    2. On the **Auth** tab, select **Bearer Token** and paste the Azure AD token fetched in the previous step
+    3. Select **Send** and you see the Client Access Token in the response:
+        ```json
+        {
+            "token": "ABCDEFG.ABC.ABC"
+        }   
+        ```
+4. The Client Access URI is in the format of `wss://<endpoint>/client/hubs/<hub_name>?access_token=<token>`
+
diff --git a/articles/azure-web-pubsub/quickstart-use-client-sdk.md b/articles/azure-web-pubsub/quickstart-use-client-sdk.md
@@ -128,7 +128,7 @@ Note that the SDK is available as a [NuGet packet](https://www.nuget.org/package
 
 ### Create and connect to the Web PubSub service
 
-This code example creates a Web PubSub client that connects to the Web PubSub service instance.  A client uses a Client Access URL to connect and authenticate with the service. It's best practice to not hard code the Client Access URL in your code. In the production world, we usually set up an app server to return this URL on demand.  
+This code example creates a Web PubSub client that connects to the Web PubSub service instance.  A client uses a Client Access URL to connect and authenticate with the service. It's best practice to not hard code the Client Access URL in your code. In the production world, we usually set up an app server to return this URL on demand. [Generate Client Access URL](./howto-generate-client-access-url.md) describes the practice in detail.
 
 For this example, you can use the Client Access URL you generated in the portal.
 
diff --git a/articles/azure-web-pubsub/quickstarts-event-notifications-from-clients.md b/articles/azure-web-pubsub/quickstarts-event-notifications-from-clients.md
@@ -48,7 +48,7 @@ npm install @azure/web-pubsub-client
 #### 2. Connect to Web PubSub
 A client, be it a browser, a mobile app, or an IoT device, uses a **Client Access URL** to connect and authenticate with your resource. 
 This URL follows a pattern of `wss://<service_name>.webpubsub.azure.com/client/hubs/<hub_name>?access_token=<token>`. 
-A client can have a few ways to obtain the Client Access URL. For this quick start, you can copy and paste one from Azure portal shown in the following diagram.
+A client can have a few ways to obtain the Client Access URL. For this quick start, you can copy and paste one from Azure portal shown in the following diagram. It's best practice to not hard code the Client Access URL in your code. In the production world, we usually set up an app server to return this URL on demand. [Generate Client Access URL](./howto-generate-client-access-url.md) describes the practice in detail.
 
 ![The diagram shows how to get **Client Access Url**.](./media/quickstarts-event-notifications-from-clients/generate-client-url-no-group.png)
 
diff --git a/articles/azure-web-pubsub/quickstarts-pubsub-among-clients.md b/articles/azure-web-pubsub/quickstarts-pubsub-among-clients.md
@@ -55,7 +55,7 @@ dotnet add package Azure.Messaging.WebPubSub.Client --prerelease
 
 ## Connect to Web PubSub
 
-A client, be it a browser 💻, a mobile app 📱, or an IoT device 💡, uses a **Client Access URL** to connect and authenticate with your resource. This URL follows a pattern of `wss://<service_name>.webpubsub.azure.com/client/hubs/<hub_name>?access_token=<token>`. A client can have a few ways to obtain the Client Access URL. For this quick start, you can copy and paste one from Azure portal shown in the following diagram.
+A client, be it a browser 💻, a mobile app 📱, or an IoT device 💡, uses a **Client Access URL** to connect and authenticate with your resource. This URL follows a pattern of `wss://<service_name>.webpubsub.azure.com/client/hubs/<hub_name>?access_token=<token>`. A client can have a few ways to obtain the Client Access URL. For this quick start, you can copy and paste one from Azure portal shown in the following diagram. It's best practice to not hard code the Client Access URL in your code. In the production world, we usually set up an app server to return this URL on demand. [Generate Client Access URL](./howto-generate-client-access-url.md) describes the practice in detail.
 
 ![The diagram shows how to get client access url.](./media/howto-websocket-connect/generate-client-url.png)
 
diff --git a/articles/azure-web-pubsub/quickstarts-push-messages-from-server.md b/articles/azure-web-pubsub/quickstarts-push-messages-from-server.md
@@ -63,7 +63,7 @@ npm install @azure/web-pubsub-client
 
 #### Connect to your Web PubSub resource and register a listener for the `server-message` event 
 A client uses a ***Client Access URL*** to connect and authenticate with your resource. 
-This URL follows a pattern of `wss://<service_name>.webpubsub.azure.com/client/hubs/<hub_name>?access_token=<token>`. A client can have a few ways to obtain the Client Access URL. For this quick start, you can copy and paste one from Azure portal shown in the following diagram.
+This URL follows a pattern of `wss://<service_name>.webpubsub.azure.com/client/hubs/<hub_name>?access_token=<token>`. A client can have a few ways to obtain the Client Access URL. For this quick start, you can copy and paste one from Azure portal shown in the following diagram. It's best practice to not hard code the Client Access URL in your code. In the production world, we usually set up an app server to return this URL on demand. [Generate Client Access URL](./howto-generate-client-access-url.md) describes the practice in detail.
 
 ![The diagram shows how to get client access url.](./media/quickstarts-push-messages-from-server/push-messages-from-server.png)
 
diff --git a/articles/azure-web-pubsub/toc.yml b/articles/azure-web-pubsub/toc.yml
@@ -49,19 +49,21 @@
           href: howto-websocket-connect.md
         - name: Create reliable Websocket clients
           href: howto-develop-reliable-clients.md
+        - name: Generate client access URL
+          href: howto-generate-client-access-url.md
         - name: Configure event handler
           href: howto-develop-eventhandler.md
         - name: Send client events to Event Hubs
           href: howto-develop-event-listener.md
-        - name: Create `WebPubSubServiceClient` with Azure Identity
+        - name: Use server SDK with Azure Identity
           items:
-            - name: Create `WebPubSubServiceClient` with Azure Identity and .NET
+            - name: Use server SDK with Azure Identity and .NET
               href: howto-create-serviceclient-with-net-and-azure-identity.md
-            - name: Create `WebPubSubServiceClient` with Azure Identity and Java
+            - name: Use server SDK with Azure Identity and Java
               href: howto-create-serviceclient-with-java-and-azure-identity.md
-            - name: Create `WebPubSubServiceClient` with Azure Identity and JavaScript
+            - name: Use server SDK with Azure Identity and JavaScript
               href: howto-create-serviceclient-with-javascript-and-azure-identity.md
-            - name: Create `WebPubSubServiceClient` with Azure Identity and Python
+            - name: Use server SDK with Azure Identity and Python
               href: howto-create-serviceclient-with-python-and-azure-identity.md
     - name: Monitor
       items:
