I’m trying to upgrade from NServiceBus.Transport.AzureServiceBus version 1.x to version 2.x in my NServiceBus.Router project.
Due to restrictions, I was using a CustomTokenProvider that used separate connection strings per queue, so the application wouldn’t need to connection string that provides access to the entire service bus namespace. This was because my client considered it a security risk if the application had access to the entire namespace
Code snippet for my previous custom token provider:
internal class SasKeyPerEntityPathTokenProvider : ITokenProvider
{
private readonly IDictionary<string, ITokenProvider> tokenProviders;
// [...]
public async Task<SecurityToken> GetTokenAsync(string appliesTo, TimeSpan timeout)
{
bool found = TryGetTokenProvider(appliesTo, out var tokenProvider);
if (!found)
{
if (appliesTo.Contains("$nservicebus-verification-queue"))
{
// NServiceBus requests tokens for this for some reason. It doesn't need it though, so ignore it.
return await tokenProviders.Values.First().GetTokenAsync(appliesTo, timeout);
}
throw new Exception($"No token provider found for {appliesTo}.");
}
return await tokenProvider.GetTokenAsync(appliesTo, timeout);
}
// [...]
}
I’m trying to reproduce this behavior using the new TokenCredential-based authentication and CustomTokenCredential
router.AddInterface<AzureServiceBusTransport>(InterfaceNameAzureServiceBus, t =>
{
t.ConnectionString(myConnectionString);
t.TopicName(routingConfig.AzureServiceBusEndpoint.TopicName);
t.CustomTokenCredential(new MyCustomTokenCredential(routingConfig.AzureServiceBusEndpoint.ConnectionStrings));
});
However, it seems that the TokenRequestContext passed to TokenCredential.GetTokenAsync does not contain any information about which EntityPath the application is trying to get an AccessToken for, similar to the appliesTo parameter in the earlier code snippet.
Does anybody still know a way for me to avoid having to use SAS tokens at the namespace level?