Merge pull request #286516 from vicancy/patch-19

update the doc ito include a curl version

Author: ttorble

articles/azure-web-pubsub/howto-generate-client-access-url.md

@@ -40,9 +40,13 @@ The same Client Access URL can be generated by using the Web PubSub server SDK.
 
 2. Generate Client Access URL by calling `WebPubSubServiceClient.getClientAccessToken`:
 
-   - Generate MQTT client access token
+   - Generate client access token
 
      ```js
+     // for web pubsub native clients
+     let token = await serviceClient.getClientAccessToken();
+
+     // for mqtt clients
      let token = await serviceClient.getClientAccessToken({ clientProtocol: "mqtt" });
      ```
 
@@ -90,9 +94,13 @@ The same Client Access URL can be generated by using the Web PubSub server SDK.
 
 2. Generate Client Access URL by calling `WebPubSubServiceClient.GetClientAccessUri`:
 
-   - Generate MQTT client access token
+   - Generate client access token
 
      ```csharp
+     // for web pubsub native clients
+     var url = service.GetClientAccessUri();
+     
+     // for mqtt clients
      var url = service.GetClientAccessUri(clientProtocol: WebPubSubClientProtocol.Mqtt);
      ```
 
@@ -132,9 +140,13 @@ The same Client Access URL can be generated by using the Web PubSub server SDK.
 
 2. Generate Client Access URL by calling `WebPubSubServiceClient.get_client_access_token`:
 
-   - Generate MQTT client access token
+   - Generate client access token
 
      ```python
+     # for web pubsub native clients
+     token = service.get_client_access_token();
+     
+     # for mqtt clients
      token = service.get_client_access_token(client_protocol="MQTT")
      ```
 
@@ -174,7 +186,14 @@ The same Client Access URL can be generated by using the Web PubSub server SDK.
 
 2. Generate Client Access URL by calling `WebPubSubServiceClient.getClientAccessToken`:
 
-   - Generate MQTT client access token
+   - Generate client access token for Web PubSub native clients
+
+     ```java
+     GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();
+     WebPubSubClientAccessToken token = service.getClientAccessToken(option);
+     ```
+
+   - Generate client access token for MQTT clients
 
      ```java
      GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();
@@ -225,3 +244,71 @@ The same Client Access URL can be generated by using the Web PubSub server SDK.
 ---
 
 In real-world code, we usually have a server side to host the logic generating the Client Access URL. When a client request comes in, the server side can use the general authentication/authorization workflow to validate the client request. Only valid client requests can get the Client Access URL back.
+
+## Generate from REST API `:generateToken`
+You could also use Microsoft Entra ID and generate the token by invoking [Generate Client Token REST API](/rest/api/webpubsub/dataplane/web-pub-sub/generate-client-token).
+
+> [!NOTE]
+> Web PubSub does not recommend that you create Microsoft Entra ID tokens for Microsoft Entra ID service principals manually. This is because each Microsoft Entra ID token is short-lived, typically expiring within one hour. After this time, you must manually generate a replacement Microsoft Entra ID token. Instead, use [our SDKs](#generate-from-service-sdk) that automatically generate and replace expired Microsoft Entra ID tokens for you.
+
+1. Follow [Authorize from application ](./howto-authorize-from-application.md#add-a-client-secret) to enable Microsoft Entra ID and add a client secret.
+
+1. Gather the following information:
+   
+    | Value name | How to get the value |
+    | --- | --- |
+    | TenantId | TenantId is the value of **Directory (tenant) ID** on the **Overview** pane of the application you registered. |
+    | ClientId | ClientId is the value of **Application (client) ID** from the **Overview** pane of the application you registered. |
+    | ClientSecret | ClientSecret is the value of the client secret you just added in step #1 |
+   
+1. Get the Microsoft Entra ID token from Microsoft identity platform
+   
+    We use [CURL](https://curl.se/) tool to show how to invoke the REST APIs. The tool is bundled into Windows 10/11, and you could install the tool following [Install CURL](https://curl.se/download.html).
+
+    ```bash
+    # set neccessory values, replace the placeholders with your actual values
+    export TenantId=<your_tenant_id>
+    export ClientId=<your_client_id>
+    export ClientSecret=<your_client_secret>
+
+    curl -X POST "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    --data-urlencode "grant_type=client_credentials" \
+    --data-urlencode "client_id=$ClientId" \
+    --data-urlencode "client_secret=$ClientSecret" \
+    --data-urlencode "scope=https://webpubsub.azure.com/.default"
+
+    ```
+    The above curl command sends a POST request to Microsoft identity endpoint to get the [Microsoft Entra ID token](/entra/identity-platform/id-tokens) back.
+    In the response you see the Microsoft Entra ID token in `access_token` field. Copy and store it for later use.
+
+1. Use the Microsoft Entra ID token to invoke `:generateToken`
+
+    ```bash
+    # Replace the values in {} with your actual values.
+    export Hostname={your_service_hostname}
+    export Hub={your_hub}
+    export Microsoft_Entra_Token={Microsoft_entra_id_token_from_previous_step}
+    curl -X POST "https://$Hostname/api/hubs/$Hub/:generateToken?api-version=2024-01-01" \
+    -H "Authorization: Bearer $Microsoft_Entra_Token" \
+    -H "Content-Type: application/json"
+    ```
+
+    If you need to generate the token for MQTT clients, append the `clientType=mqtt` parameter to the URL:
+
+    ```bash
+    export Hostname={your_service_hostname}
+    export Hub={your_hub}
+    export Microsoft_Entra_Token={Microsoft_entra_id_token_from_previous_step}
+    curl -X POST "https://$Hostname/api/hubs/$Hub/:generateToken?api-version=2024-01-01&clientType=mqtt" \
+    -H "Authorization: Bearer $Microsoft_Entra_Token" \
+    -H "Content-Type: application/json"
+    ```
+
+    After running the `cURL` command, you should get a response like this:
+
+    ```json
+    {
+      "token": "ABCDEFG.ABC.ABC"
+    }
+    ```