Why the client does not have permission to join group in Azure Web PubSub?

Question

Dear AzureWebPubSub users, I was following this document to fetch the client access token for Azure WebPubSub and it returned me a JWT token and on decoding it was:-

{
  "alg": "HS256",
  "kid": "s-5acf1aac-944d-43a6-b107-dcb529eb11fb",
  "typ": "JWT"
}.{
  "sub": "5753",
  "nbf": 1707417893,
  "exp": 1707421493,
  "iat": 1707417893,
  "iss": "https://webpubsub.azure.com",
  "aud": "https://<my-pubsub-instance>.webpubsub.azure.com/client/hubs/<hub_name>"
}

I sent POST request, the URL was:-

https://<my-pubsub-instance>.webpubsub.azure.com/api/hubs/<hub_name>/:generateToken?userId=5753&roles=webpubsub.joinLeaveGroup&api-version=2021-10-01

But when my client connects with the Azure WebPubSub Service, the following are the messages/logs received on the live trace tool

• Request started.

• Connection started

• Received a message [260303712814104577] from client connection SCBwg74LmXFrl8tE-3xXqgmSET3gK02.

• Failed to send message [260303712814104577]: The client does not have permission to join group 'Organization_1108'..

Quoting from this article:-

Client can connect to the service using a JWT token, the token payload can carry information such as the role of the client. When signing the JWT token to the client, you can grant permissions to the client by giving the client specific roles.

But when decoded the JWT token returned, it didn't carry any role information.(Can be seen above in decoded token)

Could anyone please help me in resolving this issue? What wrong I am doing while generating the access token for the client?

Answer 1

By adding the role Web PubSub Service Owner, the user can join groups in Azure Web PubSub.

POST https://login.microsoftonline.com/tenantId/oauth2/token
grant_type:client_credentials
client_id: appId
client_secret: secret 
resource: https://webpubsub.azure.com

https://<my-pubsub-instance>.webpubsub.azure.com/api/hubs/<hub_name>/:generateToken?userId=5753&roles=webpubsub.joinLeaveGroup&api-version=2021-10-01

-The below WebSocket client code for Azure Web PubSub has permissions to join or leave any group and publish messages to any group.

const WebSocket = require('ws');


// Replace these placeholders with your actual values
const WEBSOCKET_ENDPOINT = 'wss://test.webpubsub.azure.com/client';
const HUB_NAME = 'your_hub_name';
const ACCESS_TOKEN = 'your_access_token';


// Create WebSocket connection
const webSocket = new WebSocket(`${WEBSOCKET_ENDPOINT}/hubs/${HUB_NAME}?access_token=${ACCESS_TOKEN}`);


// Connection opened
webSocket.on('open', function (event) {
    console.log('WebSocket connection opened');
    
    // Example: join a specific group
    joinGroup('group1');
    
    // Example: send a message to a specific group
    sendMessageToGroup('group2', { message: 'Hello from the client!' });
});


// Listen for messages
webSocket.on('message', function (data) {
    console.log('Message from server:', data);
});


// Join a group
function joinGroup(groupName) {
    const joinGroupMessage = {
        type: 'joinGroup',
        group: groupName,
        ackId: Date.now(), // You can use any unique identifier here
    };
    webSocket.send(JSON.stringify(joinGroupMessage));
}


// Leave a group
function leaveGroup(groupName) {
    const leaveGroupMessage = {
        type: 'leaveGroup',
        group: groupName,
        ackId: Date.now(), // You can use any unique identifier here
    };
    webSocket.send(JSON.stringify(leaveGroupMessage));
}


// Send a message to a group
function sendMessageToGroup(groupName, message) {
    console.log('Sending message to group:', groupName);
    console.log('Message:', message);


    const sendMessageToGroupMessage = {
        type: 'sendToGroup',
        group: groupName,
        ackId: Date.now(), // You can use any unique identifier here
        dataType: 'json',
        data: message,
    };
    webSocket.send(JSON.stringify(sendMessageToGroupMessage));
}
 

Output: