Connection | Azure MessageBus

AMQP (Advanced Message Queuing Protocol) is an open messaging protocol designed for communication between containers running on different nodes. It standardizes both the wire protocol used to transmit messages and the structure of the messages themselves, ensuring consistent and reliable communication. To dive deeper into the fundamentals of AMQP, refer to our Getting Started with AMQP guide.

 

The AMQP component within the eSeGeCe library enables seamless integration with leading cloud messaging brokers, including Amazon MQ and Azure Service Bus. This guide focuses on using the AMQP component to connect with Azure Service Bus, demonstrating how to build a multi-tenant application capable of sending and receiving messages efficiently.

 

The component offers a comprehensive implementation with support for key features such as queues, topics, and subscriptions, making it an ideal choice for modern IoT and enterprise applications.

 

Azure Configuration

To begin, create a Service Bus resource within the Azure Portal. Once the resource is established, make sure to take note of the resource's domain name, as it will be essential for integration and configuration.

 

After the namespace has been successfully created, you can manage and monitor it directly from the namespace overview in the Azure Portal. This centralized interface provides access to key management tools and settings, enabling seamless administration of your Service Bus resource.

 

When using SAS Authentication, the username is the SAS Policy name and the password is the primary or secondary key.

 


// ... create TCP client (AMQP over TLS on port 5671, not WebSocket)
oClient := TsgcWebSocketClient.Create(nil);
oClient.Specifications.RFC6455 := False;
oClient.Host := 'esegece.servicebus.windows.net';
oClient.Port := 5671;
oClient.TLS := True;
// ... create AMQP1 protocol client
oAMQP1 := TsgcWSClient_AMQP1.Create(nil);
oAMQP1.Specifications.RFC6455 := False;
// SASL PLAIN: username = SAS policy name, password = its primary or secondary key
oAMQP1.AMQPOptions.Authentication.AuthType := amqp1authSASLPlain;
oAMQP1.AMQPOptions.Authentication.Username := 'RootManageSharedAccessKey';
oAMQP1.AMQPOptions.Authentication.Password := 'BhJ78+w8kMXhS/eE/nBy0cRzodx9tipbi+ASbAXIaH8=';
oAMQP1.Client := oClient;
// ... connect to the server
oClient.Active := True;

 

Azure CBS Authentication

Azure Service Bus implements Claims-Based Security (CBS) over AMQP to authorize senders and receivers after the initial SASL handshake. The client opens a management link to the $cbs node and sends a put-token request containing either a Shared Access Signature (SAS) token or a JSON Web Token (JWT) issued by Microsoft Entra ID. Once the broker validates the token, the authorization is cached for its lifetime and the application can proceed to create sender and receiver links against queues, topics, or subscriptions.

 

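The AMQP1 client automates this flow through two helper methods:

CreateAzureCbsSasToken: publishes a SAS token to $cbs.
CreateAzureCbsJWT: requests a JWT from Microsoft Entra ID and publishes it to $cbs.
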

Both methods require an active AMQP connection and accept the following parameters:

 

 

The following examples illustrate how to authenticate with CBS before sending messages.


// ... create TCP client
oClient := TsgcWebSocketClient.Create(nil);
oClient.Specifications.RFC6455 := False;
oClient.Host := 'esegece.servicebus.windows.net';
oClient.Port := 5671;
oClient.TLS := True;
// ... create AMQP1 protocol client
oAMQP1 := TsgcWSClient_AMQP1.Create(nil);
oAMQP1.Specifications.RFC6455 := False;
oAMQP1.AMQPOptions.Authentication.AuthType := amqp1authSASLAnonymous;
oAMQP1.Client := oClient;
// ... connect and publish SAS token through CBS
oClient.Active := True;
// wait until the client is connected
oAMQP1.CreateAzureCbsSasToken('cbs', 'esegece', 'queue1',
  'RootManageSharedAccessKey', 'BhJ78+w8kMXhS/eE/nBy0cRzodx9tipbi+ASbAXIaH8=',
  3600, 10000, True);
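
The SAS token carried by a CBS put-token request has the form `SharedAccessSignature sr=...&sig=...&se=...&skn=...`, where the signature is an HMAC-SHA256 over the URL-encoded resource URI and the expiry. The Python below is an added example, not eSeGeCe code and not a description of what CreateAzureCbsSasToken does internally; it builds a token scoped to a single queue and then rechecks it the way a verifier would. The `sb://` resource URI form, the Send-only policy name `queue1-send` and the key are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote_plus, unquote

def _sign(key, encoded_uri, expiry):
    # String-to-sign: "<url-encoded resource URI>\n<expiry>", HMAC-SHA256 with the policy key.
    mac = hmac.new(key.encode(), f"{encoded_uri}\n{expiry}".encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def make_sas_token(resource_uri, policy, key, ttl_seconds, now=None):
    """Token scoped to one entity URI, valid for ttl_seconds."""
    expiry = int(time.time() if now is None else now) + ttl_seconds
    sr = quote_plus(resource_uri.lower())
    sig = quote_plus(_sign(key, sr, expiry))
    return f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}&skn={policy}"

def check_sas_token(token, key, audience, now=None):
    """Recompute the signature from the token's own fields; return (ok, reason)."""
    now = int(time.time() if now is None else now)
    scheme, _, query = token.partition(" ")
    if scheme != "SharedAccessSignature":
        return False, "wrong scheme"
    try:
        fields = dict(part.split("=", 1) for part in query.split("&"))
        sr, sig, expiry = fields["sr"], unquote(fields["sig"]), int(fields["se"])
    except (KeyError, ValueError):
        return False, "malformed"
    if not hmac.compare_digest(sig.encode(), _sign(key, sr, expiry).encode()):
        return False, "bad signature"   # wrong key, or sr/se edited after signing
    if expiry <= now:
        return False, "expired"
    # Simplification: exact match. A token also covers resources prefixed by its sr,
    # which is why a namespace-level token is broader than an entity-level one.
    if unquote(sr) != audience.lower():
        return False, "wrong audience"
    return True, "ok"

if __name__ == "__main__":
    KEY = "constructed-key-not-a-real-secret"            # constructed sample value
    URI = "sb://esegece.servicebus.windows.net/queue1"   # host and queue from the page
    token = make_sas_token(URI, "queue1-send", KEY, 300)  # hypothetical Send-only policy
    print(token)
    print(check_sas_token(token, KEY, URI))
    print(check_sas_token(token, KEY, URI.replace("queue1", "queue2")))
```

Because the resource URI and expiry are both inside the signed string, a token issued for `queue1` with a short lifetime cannot be retargeted or extended without the policy key.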

 

The next example focuses solely on Microsoft Entra ID (Azure AD) authentication using JWTs. It shows how to request a token with the client credentials flow and publish it to $cbs before creating links to send or receive messages.


// ... create TCP client
oClient := TsgcWebSocketClient.Create(nil);
oClient.Specifications.RFC6455 := False;
oClient.Host := 'esegece.servicebus.windows.net';
oClient.Port := 5671;
oClient.TLS := True;
// ... create AMQP1 protocol client
oAMQP1 := TsgcWSClient_AMQP1.Create(nil);
oAMQP1.Specifications.RFC6455 := False;
oAMQP1.AMQPOptions.Authentication.AuthType := amqp1authSASLAnonymous;
oAMQP1.Client := oClient;
// ... connect and publish JWT through CBS
oClient.Active := True;
// wait until the client is connected
oAMQP1.CreateAzureCbsJWT('cbs', 'esegece', 'queue1',
  '00000000-0000-0000-0000-000000000000', // Tenant ID
  '11111111-1111-1111-1111-111111111111', // Application ID
  'client-secret', 8080, 3600, 10000, True);