401 unauthorised azure web pub sub for socket IO

Devender Singh 0 Reputation points
2025-03-09T08:21:25.37+00:00

I am creating a simple chat app using Azure Web PubSub for Socket.IO and an ASP.NET Core API.

The client (JS) calls the API controller, and using the Azure SDK's WebPubSubServiceClient, the pub sub access URL along with the token is generated and returned to the client.
When the client uses the same generated URL and hits the Web PubSub hub, it throws a '401 unauthorised' response and it says:
Bearer error="invalid_token", error_description="The audience 'https://azurepubsubforsocketio.webpubsub.azure.com/client/hubs/Hub' is invalid"

The hub name 'Hub' matches in pub sub as well as in the backend.

My backend code that generates the token:

_webPubSubServiceClient = new WebPubSubServiceClient(hubConnectionString, "Hub");
var url = _webPubSubServiceClient.GetClientAccessUri(userId: userId);

return Ok(new { url });

I tested my 'hubConnectionString' by directly using the code below in the backend:

var serviceClient = new WebPubSubServiceClient(connectionString, hubName);
// Test sending a message to all clients
serviceClient.SendToAll($"Test message");
Console.WriteLine($"Message sent successfully!");

For the above, I am able to see the successful traces in pub sub.

Now the question is why it is not connecting via the client while using the token generated by the backend via WebPubSubServiceClient.

So I am looking for help to figure out where the issue is and what the solution could be.

Azure Web PubSub

1 answer

  1. Siva Nair 735 Reputation points Microsoft External Staff
    2025-03-10T22:05:16.5333333+00:00

    Hi Devender Singh,

    In your code you’re generating the token with the hub name "Hub". When using Azure Web PubSub for Socket.IO, the service expects the token to be generated for the default Socket.IO hub (usually named socketio). That’s why the audience in your token is rejected.

    1. Update your token generation code to use the "socketio" hub instead of "Hub". For example:

        _webPubSubServiceClient = new WebPubSubServiceClient(hubConnectionString, "socketio");
        var url = _webPubSubServiceClient.GetClientAccessUri(userId: userId);
        return Ok(new { url });

    2. Ensure your client is connecting to the correct endpoint that aligns with the "socketio" hub.

    The JWT token includes an "audience" claim that tells the Web PubSub service which endpoint it’s intended for. When using Socket.IO with Azure Web PubSub, the expected audience is built around the "socketio" hub. A mismatch here results in the 401 unauthorized error you're seeing.

    https://learn.microsoft.com/en-us/azure/azure-web-pubsub/socketio-quickstart

    https://learn.microsoft.com/en-us/azure/azure-web-pubsub/socket-io-howto-integrate-apim

    If you need any further assistance, do let me know.

    If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who face similar issues may benefit from it.
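
To see the audience mismatch the answer describes before the client connects, the token in the returned URL can be decoded and its `aud` claim compared with the hub you expect. This is an added example, not code from the question, the answer or the Azure SDK; it assumes the JWT travels in an `access_token` query parameter on a URL whose host and path mirror the audience, the function names and sample token are made up for illustration, and it decodes without verifying the signature, so it is for diagnosis only.

```javascript
// Diagnostic only: the payload is decoded, the signature is NOT verified.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT: expected 3 dot-separated parts");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Compare the token's `aud` claim with the URL it travels on and with the hub
// the caller expects (expectedHub is supplied by you, not known to this code).
function inspectClientAccessUrl(clientUrl, expectedHub, nowSec = Math.floor(Date.now() / 1000)) {
  const url = new URL(clientUrl);
  const token = url.searchParams.get("access_token");
  if (!token) throw new Error("URL has no access_token query parameter");
  const claims = decodeJwtPayload(token);
  const audience = Array.isArray(claims.aud) ? claims.aud[0] : claims.aud;
  if (typeof audience !== "string") throw new Error("token has no aud claim");
  const aud = new URL(audience);
  const hub = decodeURIComponent(aud.pathname.split("/").filter(Boolean).pop() || "");
  const problems = [];
  if (aud.host !== url.host || aud.pathname !== url.pathname) {
    problems.push(`aud ${aud.host}${aud.pathname} differs from URL ${url.host}${url.pathname}`);
  }
  if (hub !== expectedHub) problems.push(`token is for hub '${hub}', expected '${expectedHub}'`);
  if (typeof claims.exp === "number" && claims.exp <= nowSec) problems.push("token has expired");
  return { audience, hub, problems };
}

// Constructed sample input: an unsigned, JWT-shaped string carrying the audience
// quoted in the error message above. It is not a real token.
function makeSampleToken(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64(claims)}.constructed-signature`;
}
const SAMPLE_AUD = "https://azurepubsubforsocketio.webpubsub.azure.com/client/hubs/Hub";
const SAMPLE_URL = SAMPLE_AUD.replace("https:", "wss:") + "?access_token=" +
  makeSampleToken({ aud: SAMPLE_AUD, exp: 2000000000 });

// The third argument pins "now" so the sample's exp claim is still in the future.
console.log(inspectClientAccessUrl(SAMPLE_URL, "socketio", 1700000000));
```

Run it in the browser console or Node against the URL your API returns; never log the full token in production, since it is a bearer credential until it expires.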

