token provider

Author: terencefan

.gitignore

@@ -297,3 +297,6 @@ __pycache__/
 
 # docker
 .docker/
+
+# C# SDK version config
+global.json

src/Microsoft.Azure.SignalR.AspNet/EndpointProvider/ServiceEndpointProvider.cs

@@ -7,6 +7,8 @@
 using System.Security.Claims;
 using System.Text;
 using System.Threading.Tasks;
+using Microsoft.Azure.SignalR.Common.Endpoints;
+using Microsoft.Azure.SignalR.Common.Interfaces;
 
 namespace Microsoft.Azure.SignalR.AspNet
 {
@@ -59,23 +61,6 @@ public Task<string> GenerateClientAccessTokenAsync(string hubName = null, IEnume
             return _accessKey.GenerateAccessTokenAsync(audience, claims, lifetime ?? _accessTokenLifetime, _algorithm);
         }
 
-        public Task<string> GenerateServerAccessTokenAsync(string hubName, string userId, TimeSpan? lifetime = null)
-        {
-            if (_accessKey is AadAccessKey key)
-            {
-                return key.GenerateAadTokenAsync();
-            }
-
-            if (string.IsNullOrEmpty(hubName))
-            {
-                throw new ArgumentNullException(nameof(hubName));
-            }
-
-            var audience = $"{_audienceBaseUrl}{ServerPath}/?hub={GetPrefixedHubName(_appName, hubName)}";
-            var claims = userId != null ? new[] { new Claim(ClaimTypes.NameIdentifier, userId) } : null;
-            return _accessKey.GenerateAccessTokenAsync(audience, claims, lifetime ?? _accessTokenLifetime, _algorithm);
-        }
-
         public string GetClientEndpoint(string hubName = null, string originalPath = null, string queryString = null)
         {
             var queryBuilder = new StringBuilder();
@@ -110,6 +95,24 @@ public string GetServerEndpoint(string hubName)
             return $"{_serverEndpoint}{ServerPath}/?hub={GetPrefixedHubName(_appName, hubName)}";
         }
 
+        public IAccessTokenProvider GetAccessTokenProvider(string hubName, string serverId)
+        {
+            if (_accessKey is AadAccessKey aadAccessKey)
+            {
+                return new AadTokenProvider(aadAccessKey);
+            }
+            else if (_accessKey is not null)
+            {
+                var audience = $"{_audienceBaseUrl}{ServerPath}/?hub={GetPrefixedHubName(_appName, hubName)}";
+                var claims = serverId != null ? new[] { new Claim(ClaimTypes.NameIdentifier, serverId) } : null;
+                return new LocalTokenProvider(_accessKey, audience, claims, _algorithm, _accessTokenLifetime);
+            }
+            else
+            {
+                throw new ArgumentNullException(nameof(AccessKey));
+            }
+        }
+
         private string GetPrefixedHubName(string applicationName, string hubName)
         {
             return string.IsNullOrEmpty(applicationName) ? hubName.ToLower() : $"{applicationName.ToLower()}_{hubName.ToLower()}";

src/Microsoft.Azure.SignalR.Common/Endpoints/AadTokenProvider.cs

@@ -0,0 +1,21 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System;
+using System.Threading.Tasks;
+using Microsoft.Azure.SignalR.Common.Interfaces;
+
+namespace Microsoft.Azure.SignalR.Common.Endpoints
+{
+    internal class AadTokenProvider : IAccessTokenProvider
+    {
+        private readonly AadAccessKey _accessKey;
+
+        public AadTokenProvider(AadAccessKey accessKey)
+        {
+            _accessKey = accessKey ?? throw new ArgumentNullException(nameof(accessKey));
+        }
+
+        public Task<string> GenerateTokenAsync() => _accessKey.GenerateAadTokenAsync();
+    }
+}

src/Microsoft.Azure.SignalR.Common/Endpoints/LocalTokenProvider.cs

@@ -0,0 +1,40 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System;
+using System.Collections.Generic;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.Azure.SignalR.Common.Interfaces;
+
+namespace Microsoft.Azure.SignalR.Common.Endpoints
+{
+    internal class LocalTokenProvider : IAccessTokenProvider
+    {
+        private readonly AccessKey _accessKey;
+
+        private readonly AccessTokenAlgorithm _algorithm;
+
+        private readonly string _audience;
+
+        private readonly TimeSpan _tokenLifetime;
+
+        private readonly IEnumerable<Claim> _claims;
+
+        public LocalTokenProvider(
+            AccessKey accessKey,
+            string audience,
+            IEnumerable<Claim> claims,
+            AccessTokenAlgorithm? algorithm = null,
+            TimeSpan? tokenLifetime = null)
+        {
+            _accessKey = accessKey ?? throw new ArgumentNullException(nameof(accessKey));
+            _algorithm = algorithm ?? AccessTokenAlgorithm.HS256;
+            _audience = audience;
+            _claims = claims;
+            _tokenLifetime = tokenLifetime ?? Constants.Periods.DefaultAccessTokenLifetime;
+        }
+
+        public Task<string> GenerateTokenAsync() => _accessKey.GenerateAccessTokenAsync(_audience, _claims, _tokenLifetime, _algorithm);
+    }
+}

src/Microsoft.Azure.SignalR.Common/Exceptions/AzureSignalRUnauthorizedException.cs

@@ -2,7 +2,8 @@
 // Licensed under the MIT license. See LICENSE file in the project root for full license information.
 
 using System;
-using System.Runtime.Serialization;
+using Microsoft.Azure.SignalR.Common.Endpoints;
+using Microsoft.Azure.SignalR.Common.Interfaces;
 
 namespace Microsoft.Azure.SignalR.Common
 {
@@ -11,16 +12,23 @@ public class AzureSignalRUnauthorizedException : AzureSignalRException
     {
         private const string ErrorMessage = "Authorization failed. If you were using AccessKey, please check connection string and see if the AccessKey is correct. If you were using Azure Active Directory, please note that the role assignments will take up to 30 minutes to take effect if it was added recently.";
 
+        private const string ErrorMessageLocal = "Authorization failed. Please check your connection string and see if the AccessKey is correct.";
+
+        private const string ErrorMessageAad = "Authorization failed. Please check your role assignments and see if you have the `Signal App Server` or `SignalR Service Owner` role. Please also note that the role assignments will take up to 30 minutes to take effect.";
+
         public AzureSignalRUnauthorizedException(string requestUri, Exception innerException) : base(string.IsNullOrEmpty(requestUri) ? ErrorMessage : $"{ErrorMessage} Request Uri: {requestUri}", innerException)
         {
         }
 
-        internal AzureSignalRUnauthorizedException(Exception innerException) : base(ErrorMessage, innerException)
+        private AzureSignalRUnauthorizedException(Exception ex, string message) : base(message, ex)
         {
         }
 
-        protected AzureSignalRUnauthorizedException(SerializationInfo info, StreamingContext context) : base(info, context)
+        internal static AzureSignalRUnauthorizedException Wraps(IAccessTokenProvider provider, Exception innerException) => provider switch
         {
-        }
+            LocalTokenProvider => new AzureSignalRUnauthorizedException(innerException, ErrorMessageLocal),
+            AadTokenProvider => new AzureSignalRUnauthorizedException(innerException, ErrorMessageAad),
+            _ => throw new NotSupportedException(),
+        };
     }
 }

src/Microsoft.Azure.SignalR.Common/Exceptions/ExceptionExtensions.cs

@@ -5,7 +5,7 @@
 using System.Net;
 using System.Net.Http;
 using System.Net.WebSockets;
-
+using Microsoft.Azure.SignalR.Common.Interfaces;
 using Microsoft.Rest;
 
 namespace Microsoft.Azure.SignalR.Common
@@ -38,14 +38,14 @@ internal static Exception WrapAsAzureSignalRException(this Exception e, Uri base
             }
         }
 
-        internal static Exception WrapAsAzureSignalRException(this Exception e)
+        internal static Exception WrapAsAzureSignalRException(this Exception e, IAccessTokenProvider provider)
         {
             switch (e)
             {
                 case WebSocketException webSocketException:
                     if (e.Message.StartsWith("The server returned status code \"401\""))
                     {
-                        return new AzureSignalRUnauthorizedException(webSocketException);
+                        return AzureSignalRUnauthorizedException.Wraps(provider, webSocketException);
                     }
                     return e;
                 default: return e;

src/Microsoft.Azure.SignalR.Common/Interfaces/IAccessTokenProvider.cs

@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System.Threading.Tasks;
+
+namespace Microsoft.Azure.SignalR.Common.Interfaces
+{
+    public interface IAccessTokenProvider
+    {
+        Task<string> GenerateTokenAsync();
+    }
+}

src/Microsoft.Azure.SignalR.Common/Interfaces/IServiceEndpointProvider.cs

@@ -6,6 +6,7 @@
 using System.Net;
 using System.Security.Claims;
 using System.Threading.Tasks;
+using Microsoft.Azure.SignalR.Common.Interfaces;
 
 namespace Microsoft.Azure.SignalR
 {
@@ -15,7 +16,7 @@ internal interface IServiceEndpointProvider
 
         string GetClientEndpoint(string hubName, string originalPath, string queryString);
 
-        Task<string> GenerateServerAccessTokenAsync(string hubName, string userId, TimeSpan? lifetime = null);
+        IAccessTokenProvider GetAccessTokenProvider(string hubName, string serverId);
 
         string GetServerEndpoint(string hubName);
 

src/Microsoft.Azure.SignalR.Common/RestClients/SignalRServiceRestClient.cs

@@ -15,7 +15,10 @@ public partial class SignalRServiceRestClient
     {
         private readonly string _userAgent;
 
-        public SignalRServiceRestClient(string userAgent, ServiceClientCredentials credentials, HttpClient httpClient, bool disposeHttpClient) : this(credentials, httpClient, disposeHttpClient)
+        public SignalRServiceRestClient(string userAgent,
+                                        ServiceClientCredentials credentials,
+                                        HttpClient httpClient,
+                                        bool disposeHttpClient) : this(credentials, httpClient, disposeHttpClient)
         {
             if (string.IsNullOrWhiteSpace(userAgent))
             {

src/Microsoft.Azure.SignalR.Common/ServiceConnections/ConnectionFactory.cs

@@ -14,6 +14,7 @@ namespace Microsoft.Azure.SignalR
     internal class ConnectionFactory : IConnectionFactory
     {
         private readonly ILoggerFactory _loggerFactory;
+
         private readonly string _serverId;
 
         public ConnectionFactory(IServerNameProvider nameProvider, ILoggerFactory loggerFactory)
@@ -31,7 +32,9 @@ public async Task<ConnectionContext> ConnectAsync(HubServiceEndpoint hubServiceE
         {
             var provider = hubServiceEndpoint.Provider;
             var hubName = hubServiceEndpoint.Hub;
-            Task<string> accessTokenProvider() => provider.GenerateServerAccessTokenAsync(hubName, _serverId);
+
+            var accessTokenProvider = provider.GetAccessTokenProvider(hubName, _serverId);
+
             var url = GetServiceUrl(provider, hubName, connectionId, target);
 
             headers ??= new Dictionary<string, string>();
@@ -91,6 +94,7 @@ private Uri GetServiceUrl(IServiceEndpointProvider provider, string hubName, str
         private sealed class GracefulLoggerFactory : ILoggerFactory
         {
             private readonly ILoggerFactory _inner;
+
             public GracefulLoggerFactory(ILoggerFactory inner)
             {
                 _inner = inner;
@@ -115,6 +119,7 @@ public void AddProvider(ILoggerProvider provider)
             private sealed class GracefulLogger : ILogger
             {
                 private readonly ILogger _inner;
+
                 public GracefulLogger(ILogger inner)
                 {
                     _inner = inner;