Merge pull request #262527 from vicancy/patch-11

prmerger-automator[bot] · web-flow · commit 6fbf252af531 · 2024-01-05T12:02:41.000Z
Update signalr-concept-client-negotiation.md
diff --git a/articles/azure-signalr/signalr-concept-client-negotiation.md b/articles/azure-signalr/signalr-concept-client-negotiation.md
@@ -218,7 +218,11 @@ Then your clients can request the function endpoint `https://<Your Function App
 
 ### Self-exposing `/negotiate` endpoint
 
-You could also expose the negotiation endpoint in your own server and return the negotiation response by yourself if you are using other languages. Below is a pseudo code in JavaScript showing how to implement the negotiation endpoint for hub `chat`.
+You could also expose the negotiation endpoint in your own server and return the negotiation response by yourself if you are using other languages. 
+
+#### Using ConnectionString
+
+Below is a pseudo code in JavaScript showing how to implement the negotiation endpoint for hub `chat` and generate access token from Azure SignalR connection string.
 
 ```js
 import express from 'express';
@@ -242,6 +246,44 @@ let connection = new signalR.HubConnectionBuilder().withUrl('/chat').build();
 connection.start();
 ```
 
+#### Using Microsoft Entra ID
+Azure SignalR also provides REST API `POST /api/hubs/${hub}/:generateToken?api-version=2022-11-01&userId=${userId}&minutesToExpire=${minutesToExpire}` to generate the client access token for you when you are using Microsoft Entra ID.
+
+The steps are:
+1. Follow [Add role assignments](signalr-howto-authorize-application.md#add-role-assignments-in-the-azure-portal) to assign role `SignalR REST API Owner` or `SignalR Service Owner` to your identity so that your identity has the permission to invoke the REST API to generate the client access token.
+2. Use Azure Identity client library to fetch the Microsoft Entra ID token with scope `https://signalr.azure.com/.default`
+3. Use this token to visit the generate token REST API
+4. Return the client access token in the negotiation response.
+
+Below is a pseudo code in JavaScript showing how to implement the negotiation endpoint for hub `chat` and get access token using Microsoft Entra ID and REST API `/generateToken`.
+```js
+import express from "express";
+import axios from "axios";
+import { DefaultAzureCredential } from "@azure/identity";
+
+const endpoint = "https://<your-service>.service.signalr.net";
+const hub = "chat";
+const generateTokenUrl = `${endpoint}/api/hubs/${hub}/:generateToken?api-version=2022-11-01`;
+let app = express();
+app.get("/chat/negotiate", async (req, res) => {
+  // use DefaultAzureCredential to get the Entra ID token to call the Azure SignalR REST API
+  const credential = new DefaultAzureCredential();
+  const entraIdToken = await credential.getToken("https://signalr.azure.com/.default");
+  const token = (
+    await axios.post(generateTokenUrl, undefined, {
+      headers: {
+        "content-type": "application/json",
+        Authorization: `Bearer ${entraIdToken.token}`,
+      },
+    })
+  ).data.token;
+  let url = `${endpoint}/client/?hub=${hub}`;
+  res.json({ url: url, accessToken: token });
+});
+app.listen(8080, () => console.log("server started"));
+
+```
+
 ## Next steps
 
 To learn more about how to use default and serverless modes, see the following articles:
