https://{name}.service.signalr.net/api/v1/auth/accessKey not proxied with ServerEndpoint or ClientEndpoint properties

[ranjithsnair]

Describe the bug

We are currently using SignalR in default mode, and have set up a proxy endpoint for SignalR in API Management by following the instructions in this link: https://learn.microsoft.com/en-us/azure/azure-signalr/signalr-howto-work-with-apim. Additionally, we have added an extra endpoint in API Management for ServerEndpoint Websocket connection, which has a custom policy to replace the current Authorization header with API Management managed identity access token. This means that you only need to add the API Management managed identity to the "SignalR App Server" role, and anyone can connect as a server using the API Management proxy. The server authentication is happening in the API Management policy only.

However, the issue we are facing now is that the SDK is calling https://{name}.service.signalr.net/api/v1/auth/accessKey directly, instead of using the ServerEndpoint or ClientEndpoint proxy. As a result, the solution is failing to negotiate client connection requests.

To Reproduce

Follow the instructions provided in this Microsoft Azure SignalR tutorial: https://learn.microsoft.com/en-us/azure/azure-signalr/signalr-howto-work-with-apim.

Additionally, create a websocket API with a URL path of /server

AspNet Core Server Code:

services.AddSignalR(configure =>
{
    configure.EnableDetailedErrors = true;
})
.AddAzureSignalR(option =>
{
    option.Endpoints = new ServiceEndpoint[]
    {
         new ServiceEndpoint(new Uri("https://{name}.service.signalr.net"), new DefaultAzureCredential())
         {
              ClientEndpoint = new Uri("..."),
              ServerEndpoint = new Uri("..."),
         }
     };
});

....

app.UseEndpoints(endpoints =>
{
     endpoints.MapHub<MessageHub>("/messageHub");
});

Client Code:

_connectionBuilder = new HubConnectionBuilder();
_connection = _connectionBuilder
   .WithUrl("http://localhost:5000/messageHub")
   .WithAutomaticReconnect()
   .Build();

Run the server and client solutions and attempt to establish a connection.

We will close this issue if:

• Proxy https://{name}.service.signalr.net/api/v1/auth/accessKey using API Management ServerEndpoint or ClientEndpoint URL.
• /api/v1/auth/accessKey should append to full proxy URL not just base URL
• find any other solution to fix this issue

Exceptions (if any)

info: Microsoft.Azure.SignalR.AadAccessKey[3]
      Succeed in authorizing AccessKey for 'https://{name}.service.signalr.net/'
crit: Microsoft.Azure.SignalR.ServiceRouteHelper[1]
      Client negotiate failed: The given AzureAD identity don't have the permission to generate access token.
info: Microsoft.Azure.SignalR.AadAccessKey[3]
      Succeed in authorizing AccessKey for 'https://{name}.service.signalr.net/'
info: Microsoft.Azure.SignalR.AadAccessKey[3]
      Succeed in authorizing AccessKey for 'https://{name}.service.signalr.net/'

Further technical details

• <PackageReference Include="Microsoft.Azure.SignalR" Version="1.21.3" />
• <FrameworkReference Include="Microsoft.AspNetCore.App" />
• <PackageReference Include="Azure.Identity" Version="1.9.0" />
• <PackageReference Include="Microsoft.AspNetCore.SignalR.Client" Version="7.0.7" />