Fix identity based negotiation result for Socket.IO binding (Azure#46120)

zackliu · web-flow · commit c8ebad5166df · 2024-09-23T17:11:42.000+08:00
* Fix aud issue in aad

* Update token

* Trim some unless codes

* Update release history
diff --git a/sdk/webpubsub/Microsoft.Azure.WebJobs.Extensions.WebPubSubForSocketIO/CHANGELOG.md b/sdk/webpubsub/Microsoft.Azure.WebJobs.Extensions.WebPubSubForSocketIO/CHANGELOG.md
@@ -1,14 +1,10 @@
 # Release History
 
-## 1.0.0-beta.3 (Unreleased)
-
-### Features Added
-
-### Breaking Changes
+## 1.0.0-beta.3 (2024-09-24)
 
 ### Bugs Fixed
 
-### Other Changes
+- Fix the bug that identity based negotiation result is not correct
 
 ## 1.0.0-beta.2 (2024-09-02)
 
diff --git a/sdk/webpubsub/Microsoft.Azure.WebJobs.Extensions.WebPubSubForSocketIO/src/Microsoft.Azure.WebJobs.Extensions.WebPubSubForSocketIO.csproj b/sdk/webpubsub/Microsoft.Azure.WebJobs.Extensions.WebPubSubForSocketIO/src/Microsoft.Azure.WebJobs.Extensions.WebPubSubForSocketIO.csproj
@@ -26,6 +26,7 @@
 		<PackageReference Include="Microsoft.Azure.WebJobs" />
 		<PackageReference Include="Microsoft.IdentityModel.Tokens" />
 		<PackageReference Include="Microsoft.Extensions.Azure" />
+		<PackageReference Include="System.IdentityModel.Tokens.Jwt" />
 	</ItemGroup>
 
 	<ItemGroup>
diff --git a/sdk/webpubsub/Microsoft.Azure.WebJobs.Extensions.WebPubSubForSocketIO/src/Services/WebPubSubForSocketIOService.cs b/sdk/webpubsub/Microsoft.Azure.WebJobs.Extensions.WebPubSubForSocketIO/src/Services/WebPubSubForSocketIOService.cs
@@ -5,7 +5,10 @@
 using Azure.Core;
 using Azure.Messaging.WebPubSub;
 using System;
+using System.IdentityModel.Tokens.Jwt;
+using System.Linq;
 using System.Text;
+using System.Web;
 
 namespace Microsoft.Azure.WebJobs.Extensions.WebPubSubForSocketIO
 {
@@ -52,8 +55,12 @@ internal SocketIONegotiationResult GetNegotiationResult(string userId)
             else
             {
                 // For managed identity, the service can handle it.
-                var url = _client.GetClientAccessUri();
-                return new SocketIONegotiationResult(url);
+                // TODO: Currently, there's a bug in `GetClientAccessUri` and we need to get url by ourselves.
+                var url = _client.GetClientAccessUri(userId: userId);
+                var token = HttpUtility.ParseQueryString(url.Query)["access_token"];
+                // The `aud` in token is correct, we use it as the endpoint.
+                var endpoint = new JwtSecurityTokenHandler().ReadJwtToken(token).Claims.First(c => c.Type == "aud").Value.TrimEnd('/'); // Must have
+                return new SocketIONegotiationResult(new Uri($"{endpoint}?access_token={token}"));
             }
         }
 
diff --git a/sdk/webpubsub/Microsoft.Azure.WebJobs.Extensions.WebPubSubForSocketIO/tests/SocketIOServiceTests.cs b/sdk/webpubsub/Microsoft.Azure.WebJobs.Extensions.WebPubSubForSocketIO/tests/SocketIOServiceTests.cs
@@ -2,9 +2,14 @@
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using Azure.Identity;
+using Azure.Messaging.WebPubSub;
 using Microsoft.Azure.WebJobs.Extensions.WebPubSubForSocketIO.Config;
+using Moq;
 using NUnit.Framework;
+using System;
+using System.Collections.Generic;
 using System.IdentityModel.Tokens.Jwt;
+using System.Threading;
 
 namespace Microsoft.Azure.WebJobs.Extensions.WebPubSubForSocketIO.Tests
 {
@@ -74,5 +79,21 @@ public void TestValidAadSchema(string endpoint, string host)
             Assert.IsTrue(configs.TryGetKey(host, out var key));
             Assert.Null(key);
         }
+
+        [Test]
+        public void TestNegotiateResultForAad()
+        {
+            var token = "eyJhbGciOiJIUzI1NiIsImtpZCI6InMtZjZlMTVhZmItNjIxZS00OTc5LTgyZTgtN2FiMGQ4ZmIwMDM1IiwidHlwIjoiSldUIn0.eyJuYmYiOjE3MjcwNzAxODQsImV4cCI6MTcyNzA3MzcyNCwiaWF0IjoxNzI3MDcwMTg0LCJpc3MiOiJodHRwczovL3dlYnB1YnN1Yi5henVyZS5jb20iLCJhdWQiOiJodHRwczovL3Npby01a2tmY2dyMm9icXZtLndlYnB1YnN1Yi5henVyZS5jb20vY2xpZW50cy9zb2NrZXRpby9odWJzL2h1YiJ9.h3QkRTQ4";
+            var clientMoc = new Mock<WebPubSubServiceClient>();
+            clientMoc.Setup(c => c.GetClientAccessUri(It.IsAny<TimeSpan>(), It.IsAny<string>(), It.IsAny<IEnumerable<string>>(), It.IsAny<IEnumerable<string>>(), It.IsAny<WebPubSubClientProtocol>(), It.IsAny<CancellationToken>()))
+                .Returns(new Uri($"https://abc.com?access_token={token}"));
+
+            var service = new WebPubSubForSocketIOService(clientMoc.Object);
+            var result = service.GetNegotiationResult("user");
+
+            Assert.AreEqual("https://sio-5kkfcgr2obqvm.webpubsub.azure.com/", result.Endpoint.AbsoluteUri);
+            Assert.AreEqual("/clients/socketio/hubs/hub", result.Path);
+            Assert.AreEqual(token, result.Token);
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,10 @@`
`5`	`5`	`using Azure.Core;`
`6`	`6`	`using Azure.Messaging.WebPubSub;`
`7`	`7`	`using System;`
	`8`	`+using System.IdentityModel.Tokens.Jwt;`
	`9`	`+using System.Linq;`
`8`	`10`	`using System.Text;`
	`11`	`+using System.Web;`
`9`	`12`
`10`	`13`	`namespace Microsoft.Azure.WebJobs.Extensions.WebPubSubForSocketIO`
`11`	`14`	`{`
`@@ -52,8 +55,12 @@ internal SocketIONegotiationResult GetNegotiationResult(string userId)`
`52`	`55`	`else`
`53`	`56`	`{`
`54`	`57`	`// For managed identity, the service can handle it.`
`55`		`- var url = _client.GetClientAccessUri();`
`56`		`- return new SocketIONegotiationResult(url);`
	`58`	+ // TODO: Currently, there's a bug in `GetClientAccessUri` and we need to get url by ourselves.
	`59`	`+ var url = _client.GetClientAccessUri(userId: userId);`
	`60`	`+ var token = HttpUtility.ParseQueryString(url.Query)["access_token"];`
	`61`	+ // The `aud` in token is correct, we use it as the endpoint.
	`62`	`+ var endpoint = new JwtSecurityTokenHandler().ReadJwtToken(token).Claims.First(c => c.Type == "aud").Value.TrimEnd('/'); // Must have`
	`63`	`+ return new SocketIONegotiationResult(new Uri($"{endpoint}?access_token={token}"));`
`57`	`64`	`}`
`58`	`65`	`}`
`59`	`66`