Service Bus authentication and authorization

Applications gain access to Azure Service Bus using Shared Access Signature (SAS) token authentication. With SAS, an application presents a token to Service Bus that has been signed with a symmetric key known both to the token issuer and to Service Bus ("shared"); that key is directly associated with an authorization rule granting specific rights, such as permission to receive (Listen) or send (Send) messages. Because the key is symmetric, anyone who holds it can mint tokens carrying every right the rule grants, so the key itself is the credential to protect; tokens are what you hand out. SAS rules are configured either on the namespace or directly on entities such as a queue or topic, which allows fine-grained access control.

SAS tokens can be generated by a Service Bus client directly, or by an intermediate token-issuing endpoint that the client calls. For example, a system may require the client to call a web service endpoint protected by Active Directory authorization to prove its identity and system access rights, and the web service then returns an appropriate Service Bus token. This pattern keeps the shared key out of the client entirely and lets the issuer scope each token to a single entity with a short expiry. The issuer can generate the SAS token with the token provider included in the Service Bus SDK.

Important

If you are using Azure Active Directory Access Control (also known as Access Control Service or ACS) in conjunction with Service Bus, note that support for this method is now limited and you should migrate your application to SAS. For more information, see this blog post.

Shared Access Signature authentication

SAS authentication enables you to grant a client access to Service Bus resources with specific rights. It involves configuring a cryptographic key, with associated rights, on a Service Bus resource. A client then gains access to that resource by presenting a SAS token, which names the resource URI being accessed and an expiry time and carries a signature over both, computed with the configured key.

You can configure keys for SAS on a Service Bus namespace. The key applies to all messaging entities in that namespace. You can also configure keys on Service Bus queues and topics. SAS is also supported on Azure Relay.

To use SAS, you can configure a SharedAccessAuthorizationRule object on a namespace, queue, or topic. This rule consists of the following elements:

  • KeyName that identifies the rule.
  • PrimaryKey is a cryptographic key used to sign/validate SAS tokens.
  • SecondaryKey is a second cryptographic key, equally valid for signing/validating SAS tokens. Having two keys lets you rotate without downtime: regenerate one key, move clients to it, then regenerate the other.
  • Rights representing the collection of Listen, Send, or Manage rights granted. Manage includes Send and Listen.

Authorization rules configured at the namespace level can grant access to all entities in a namespace to clients presenting tokens signed with the corresponding key. Up to 12 such authorization rules can be configured on a Service Bus namespace, queue, or topic. By default, a SharedAccessAuthorizationRule with all rights (named RootManageSharedAccessKey) is configured for every namespace when it is first provisioned. Treat that rule's keys as an administrative credential: do not embed them in client applications; instead create a separate rule, scoped to the entity and carrying only Send or Listen, for each client role.

To access an entity, the client requires a SAS token generated using a specific SharedAccessAuthorizationRule. The token carries the resource URI to which access is claimed, an expiry, and the name of the rule, and is signed with HMAC-SHA256: the message is the URL-encoded resource URI and the expiry, and the HMAC key is the primary or secondary key of that rule. Service Bus validates the token by looking up the named rule, recomputing the HMAC, and checking the expiry; the rights granted are those of the rule, not anything stated in the token.
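The following is an added example, not code from this page or from the Service Bus SDK, showing both halves of the mechanism described above: a client (or an intermediate token issuer, as in the earlier section) building a SAS token with HMAC-SHA256 over the URL-encoded resource URI and expiry, and a simplified model of what the service does with it (expiry check, scope check, rule lookup, signature check against the primary or secondary key, rights check). The namespace name, entity name, rule names other than RootManageSharedAccessKey, and all key values are constructed for the example; the rule table and the lookup order (entity-level rule first, then namespace-level) are a model of the behaviour, not the actual Service Bus implementation.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse

# Authorization rules as the page describes them: a KeyName, a PrimaryKey, a
# SecondaryKey and a set of Rights, each living on a namespace or on one entity.
# The namespace, queue and every key value below are constructed for this example.
NAMESPACE = "https://contoso.servicebus.windows.net/"
ORDERS_QUEUE = NAMESPACE + "orders"
RULES = {
    NAMESPACE: {
        "RootManageSharedAccessKey": {      # the all-rights rule every namespace gets
            "primary": "NsPrimaryKeyExampleOnly0000000000000000000000=",
            "secondary": "NsSecondaryKeyExampleOnly00000000000000000000=",
            "rights": {"Manage", "Send", "Listen"},
        },
    },
    ORDERS_QUEUE: {
        "OrderProducer": {                  # entity-level rule: may only send
            "primary": "QueuePrimaryKeyExampleOnly000000000000000000=",
            "secondary": "QueueSecondaryKeyExampleOnly0000000000000000=",
            "rights": {"Send"},
        },
    },
}


def make_sas_token(resource_uri, key_name, key, ttl_seconds=3600, now=None):
    """Client/issuer side: HMAC-SHA256 over "<url-encoded uri>", newline, "<expiry>".

    The UTF-8 bytes of the key string are the HMAC key; the signature is base64
    and then URL-encoded; skn names the rule so the service knows which key and
    which rights apply.
    """
    now = int(time.time()) if now is None else now
    expiry = str(now + ttl_seconds)                      # seconds since the Unix epoch
    encoded_uri = urllib.parse.quote_plus(resource_uri)
    string_to_sign = (encoded_uri + "\n" + expiry).encode("utf-8")
    mac = hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    signature = urllib.parse.quote_plus(base64.b64encode(mac).decode("ascii"))
    return f"SharedAccessSignature sr={encoded_uri}&sig={signature}&se={expiry}&skn={key_name}"


def parse_sas_token(token):
    """Split a token into its raw, still URL-encoded parameters; ValueError if malformed."""
    scheme, _, params = token.partition(" ")
    if scheme != "SharedAccessSignature":
        raise ValueError("not a SharedAccessSignature token")
    fields = {}
    for part in params.split("&"):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed parameter: " + part)
        fields[name] = value            # keep the encoded form: that is what was signed
    missing = {"sr", "sig", "se", "skn"} - set(fields)
    if missing:
        raise ValueError("missing parameter(s): " + ", ".join(sorted(missing)))
    return fields


def authorize(token, entity_uri, operation, now=None):
    """Service side (simplified model, not the real Service Bus code): True only if the
    token is well formed, unexpired, scoped to entity_uri or its namespace, signed with
    the primary or secondary key of the rule it names, and that rule grants operation."""
    now = int(time.time()) if now is None else now
    try:
        t = parse_sas_token(token)
        expiry = int(t["se"])
    except ValueError:
        return False
    # 1. Expiry first: an expired token is rejected before any key is touched.
    if expiry <= now:
        return False
    # 2. Scope: the signed resource must be the entity itself or the namespace root.
    #    A bare prefix test would let a token for ".../orders" reach ".../orders-archive".
    scope_uri = urllib.parse.unquote_plus(t["sr"])
    if scope_uri != entity_uri and not (scope_uri.endswith("/") and entity_uri.startswith(scope_uri)):
        return False
    # 3. Rule lookup (model assumption): a rule on the scoped entity, else on the namespace.
    #    A namespace key may therefore sign a token narrowed to one entity, but an
    #    entity-level rule can never sign a namespace-scoped token.
    rule = RULES.get(scope_uri, {}).get(t["skn"]) or RULES.get(NAMESPACE, {}).get(t["skn"])
    if rule is None:
        return False
    # 4. Recompute the HMAC over the encoded fields exactly as presented and compare in
    #    constant time. Both keys are tried so one can be regenerated while clients
    #    still sign with the other.
    string_to_sign = (t["sr"] + "\n" + t["se"]).encode("utf-8")
    presented = urllib.parse.unquote_plus(t["sig"]).encode("utf-8")
    signature_ok = False
    for key in (rule["primary"], rule["secondary"]):
        expected = base64.b64encode(
            hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest())
        if hmac.compare_digest(expected, presented):
            signature_ok = True
    if not signature_ok:
        return False
    # 5. Rights come from the rule, never from anything the client put in the token.
    return operation in rule["rights"]
```

Mint a token with `make_sas_token(ORDERS_QUEUE, "OrderProducer", RULES[ORDERS_QUEUE]["OrderProducer"]["primary"])` and feed it to `authorize(...)` with "Send" and then "Listen" to see that the rule, not the token, decides the rights; alter the `se=` value after signing to see the signature check reject it. The expiry is checked before the HMAC so that stale tokens cost nothing to reject, and the scope test is an exact match or a namespace-root prefix rather than a plain `startswith`, which is the kind of detail a token validator gets wrong.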

SAS authentication support for Service Bus is included in the Azure .NET SDK versions 2.0 and later, which exposes the SharedAccessAuthorizationRule type. All APIs that accept a connection string as a parameter also accept SAS connection strings.

Next steps