As of sgcWebSockets 2026.1.0, Azure AMQP 1.0 supports CBS authentication using SAS tokens and JWT.
Azure Service Bus implements Claims-Based Security (CBS) over AMQP to authorize senders and receivers after the initial SASL handshake. The client opens a management link to the $cbs node and sends a put-token request containing either a Shared Access Signature (SAS) token or a JSON Web Token (JWT) issued by Microsoft Entra ID. Once the broker validates the token, the authorization is cached for its lifetime and the application can proceed to create sender and receiver links against queues, topics, or subscriptions.
How Azure CBS works
Azure Service Bus implements CBS over AMQP to authorize senders and receivers after the initial SASL handshake. The client opens a management link to the $cbs node and sends a put-token request containing either a SAS token or a JWT issued by Microsoft Entra ID. Once the broker validates the token, the authorization is cached for its lifetime and the application can proceed to create sender and receiver links against queues, topics, or subscriptions.
The AMQP1 client in sgcWebSockets 2026.1.0 automates this flow through two helper methods that feel natural to Delphi developers:
- CreateAzureCbsSasToken establishes a CBS sender/receiver link pair, generates a SAS token for the target entity, and publishes it to $cbs. Use it when authenticating with a shared access policy.
- CreateAzureCbsJWT follows the same CBS exchange but obtains an access token from Microsoft Entra ID (Azure AD) using the client-credentials grant before sending the JWT to $cbs.
Both methods require an active AMQP connection and accept the following parameters:
- aName: Identifier for the CBS link pair created internally.
- aNameSpace and aEntityName: The Service Bus namespace (without the .servicebus.windows.net suffix) and a queue, topic, or subscription path used to build the token audience.
- aKeyName / aKeyValue: Shared access policy name and key for SAS tokens. The component signs the token and sends it using the token type servicebus.windows.net:sastoken.
- aTenant, aApplicationId, aSecret: Microsoft Entra (Azure AD) directory ID, application (client) ID, and client secret used to request the JWT with the client credentials flow.
- aListeningPort (JWT): Local HTTP port for the OAuth 2.0 redirect (defaults to 8080 when not provided).
- aExpiration and aTimeout: Lifetime of the issued token (in seconds) and the maximum wait time (in milliseconds) for the CBS negotiation.
- aRaiseIfError: When set to True, the method raises an exception if token acquisition or the CBS response fails.
The following examples illustrate how to authenticate with CBS before sending messages.
// ... create TCP client
oClient := TsgcWebSocketClient.Create(nil);
oClient.Specifications.RFC6455 := False;
oClient.Host := 'esegece.servicebus.windows.net';
oClient.Port := 5671;
oClient.TLS := True;
// ... create AMQP1 protocol client
oAMQP1 := TsgcWSClient_AMQP1.Create(nil);
oAMQP1.Specifications.RFC6455 := False;
oAMQP1.AMQPOptions.Authentication.AuthType := amqp1authSASLAnonymous;
oAMQP1.Client := oClient;
// ... connect and publish SAS token through CBS
oClient.Active := True;
// ... wait till the connection is active and send the authentication
oAMQP1.CreateAzureCbsSasToken('cbs', 'esegece', 'queue1',
  'RootManageSharedAccessKey', 'BhJ78+w8kMXhS/eE/nBy0cRzodx9tipbi+ASbAXIaH8=',
  3600, 10000, True);
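As an added illustration (not sgcWebSockets code and not part of the original page), the following Python builds a SAS token in the format Microsoft documents for Service Bus, wraps it in the put-token properties sent to $cbs, and re-checks signature and expiry the way a validator holding the policy key would. The https:// audience scheme, the function names, and the sample namespace, policy and key are assumptions constructed for the example.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qs, quote

SAS_TOKEN_TYPE = "servicebus.windows.net:sastoken"  # token type named on this page

def _sign(key, encoded_uri, expiry):
    # Service Bus keys the HMAC-SHA256 with the policy key's UTF-8 bytes and
    # signs "<url-encoded resource URI>\n<expiry as Unix seconds>".
    msg = f"{encoded_uri}\n{expiry}".encode()
    return base64.b64encode(hmac.new(key.encode(), msg, hashlib.sha256).digest()).decode()

def make_sas_token(namespace, entity, key_name, key, ttl_s, now=None):
    """Return (audience, token). The https:// audience scheme is an assumption."""
    audience = f"https://{namespace}.servicebus.windows.net/{entity}"
    expiry = int(time.time() if now is None else now) + ttl_s
    sr = quote(audience, safe="")
    sig = quote(_sign(key, sr, expiry), safe="")
    return audience, f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}&skn={key_name}"

def put_token_request(audience, token, token_type=SAS_TOKEN_TYPE):
    """Shape of the message sent to $cbs: application properties plus the token as body."""
    props = {"operation": "put-token", "type": token_type, "name": audience}
    return {"application_properties": props, "body": token}

def check_sas_token(token, key, now=None):
    """Re-derive the signature and check expiry, as a validator holding the key would."""
    scheme, _, query = token.partition(" ")
    fields = {k: v[0] for k, v in parse_qs(query).items()}
    if scheme != "SharedAccessSignature" or not {"sr", "sig", "se", "skn"} <= fields.keys():
        return False, "malformed"
    try:
        expiry = int(fields["se"])
    except ValueError:
        return False, "malformed"
    expected = _sign(key, quote(fields["sr"], safe=""), expiry)
    if not hmac.compare_digest(expected.encode(), fields["sig"].encode()):
        return False, "bad signature"  # sr or se altered, or wrong key
    if expiry <= (time.time() if now is None else now):
        return False, "expired"
    return True, "ok"

if __name__ == "__main__":
    KEY = "constructed-sample-key"  # constructed value, not a real policy key
    aud, tok = make_sas_token("example-ns", "queue1", "SendOnlyPolicy", KEY, 3600)
    print(put_token_request(aud, tok)["application_properties"])
    print(check_sas_token(tok, KEY))
    print(check_sas_token(tok.replace("&se=", "&se=9"), KEY))  # lifetime tampered
```

Because the expiry is part of the signed string, editing the se field to extend a token's lifetime invalidates the signature; the token's scope is fixed by the sr audience and the rights of the policy named in skn.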
The next example focuses solely on Microsoft Entra ID (Azure AD) authentication using JWTs. It shows how to request a token with the client credentials flow and publish it to $cbs before creating links to send or receive messages.
// ... create TCP client
oClient := TsgcWebSocketClient.Create(nil);
oClient.Specifications.RFC6455 := False;
oClient.Host := 'esegece.servicebus.windows.net';
oClient.Port := 5671;
oClient.TLS := True;
// ... create AMQP1 protocol client
oAMQP1 := TsgcWSClient_AMQP1.Create(nil);
oAMQP1.Specifications.RFC6455 := False;
oAMQP1.AMQPOptions.Authentication.AuthType := amqp1authSASLAnonymous;
oAMQP1.Client := oClient;
// ... connect and publish JWT through CBS
oClient.Active := True;
// ... wait till the connection is active and send the authentication
oAMQP1.CreateAzureCbsJWT('cbs', 'esegece', 'queue1',
  '00000000-0000-0000-0000-000000000000', // Tenant ID
  '11111111-1111-1111-1111-111111111111', // Application ID
  'client-secret', 8080, 3600, 10000, True);
