Azure AMQP Service Bus CBS Authentication

How Azure CBS Works

Azure Service Bus implements CBS over AMQP to authorize senders and receivers after the initial SASL handshake. The client opens a management link to the $cbs node and sends a put-token request containing either a SAS token or a JWT issued by Microsoft Entra ID. Once the broker validates the token, the authorization is cached for its lifetime and the application can proceed to create sender and receiver links against queues, topics, or subscriptions.

The AMQP1 client in sgcWebSockets 2026.1.0 automates this flow through two helper methods that feel natural to Delphi developers:

• CreateAzureCbsSasToken establishes a CBS sender/receiver link pair, generates a SAS token for the target entity, and publishes it to $cbs. Use it when authenticating with a shared access policy.
• CreateAzureCbsJWT follows the same CBS exchange but obtains an access token from Microsoft Entra ID (Azure AD) using the client-credentials grant before sending the JWT to $cbs. 

Both methods require an active AMQP connection and accept the following parameters:

• aName: Identifier for the CBS link pair created internally.
• aNameSpace and aEntityName: The Service Bus namespace (without the .servicebus.windows.net suffix) and the queue, topic, or subscription path used to build the token audience.
• aKeyName / aKeyValue: Shared access policy name and key for SAS tokens. The component signs the token and sends it using the token type servicebus.windows.net:sastoken.
• aTenant, aApplicationId, aSecret: Microsoft Entra (Azure AD) directory ID, application (client) ID, and client secret used to request the JWT with the client credentials flow.
• aListeningPort (JWT): Local HTTP port for the OAuth 2.0 redirect (defaults to 8080 when not provided).
• aExpiration and aTimeout: Lifetime of the issued token (in seconds) and the maximum wait time (in milliseconds) for the CBS negotiation.
• aRaiseIfError: When set to True, the method raises an exception if token acquisition or the CBS response fails.
• 
  

The following examples illustrate how to authenticate with CBS before sending messages.

// ... create TCP client
oClient := TsgcWebSocketClient.Create(nil);
oClient.Specifications.RFC6455 := False;
oClient.Host := 'esegece.servicebus.windows.net';
oClient.Host := 'esegece.servicebus.windows.net';
oClient.Port := 5671;
oClient.TLS := True;
// ... create AMQP1 protocol client
oAMQP1 := TsgcWSClient_AMQP1.Create(nil);
oAMQP1.Specifications.RFC6455 := False;
oAMQP1.AMQPOptions.Authentication.AuthType := amqp1authSASLAnonymous;
oAMQP1.Client := oClient;
// ... connect and publish SAS token through CBS
oClient.Active := True;
// ... wait till the connection is active and send the authentication
oAMQP1.CreateAzureCbsSasToken('cbs', 'esegece', 'queue1',
  'RootManageSharedAccessKey', 'BhJ78+w8kMXhS/eE/nBy0cRzodx9tipbi+ASbAXIaH8=',
  3600, 10000, True);
 

The next example focuses solely on Microsoft Entra ID (Azure AD) authentication using JWTs. It shows how to request a token with the client credentials flow and publish it to $cbs before creating links to send or receive messages. 

oClient := TsgcWebSocketClient.Create(nil);
oClient.Specifications.RFC6455 := False;
oClient.Host := 'esegece.servicebus.windows.net';
oClient.Host := 'esegece.servicebus.windows.net';
oClient.Port := 5671;
oClient.TLS := True;
// ... create AMQP1 protocol client
oAMQP1 := TsgcWSClient_AMQP1.Create(nil);
oAMQP1.Specifications.RFC6455 := False;
oAMQP1.AMQPOptions.Authentication.AuthType := amqp1authSASLAnonymous;
oAMQP1.Client := oClient;
// ... connect and publish JWT through CBS
oClient.Active := True;
// ... wait till the connection is active and send the authentication
oAMQP1.CreateAzureCbsJWT('cbs', 'esegece', 'queue1',
  '00000000-0000-0000-0000-000000000000', // Tenant ID
  '11111111-1111-1111-1111-111111111111', // Application ID
  'client-secret', 8080, 3600, 10000, True);