fix

Author: Y-Sindo

articles/azure-web-pubsub/concept-client-protocols.md

@@ -233,6 +233,10 @@ let service = new WebPubSubServiceClient("<your_connection_string>", "test-hub")
 await service.grantPermission("<connection_id>", "joinLeaveGroup", { targetName: "group1" });
 ```
 
+> [!NOTE]
+> Wildcard roles (e.g., `webpubsub.sendToGroups.<pattern>`) are not supported in REST APIs or server SDKs during runtime yet. This feature will be supported in a future update.
+
+
 ## Next steps
 
 [!INCLUDE [next step](includes/include-next-step.md)]

articles/azure-web-pubsub/concept-wildcard-group-roles.md

@@ -40,12 +40,11 @@ Avoid over-broad patterns (like `**`) unless absolutely required; follow the pri
 | ------ | ------- |
 | `?` | Matches exactly one character except `/` |
 | `*` | Matches zero or more characters except `/` |
-| `**` | Matches zero or more characters including `/` (crosses path boundaries) |
+| `**` | Matches zero or more characters including `/` (crosses segment boundaries) |
 | `\` | Escape character for `\`, `*`, `?` |
+| `/` | acts as a segment separator and is never matched by `?` or `*` (only by `**`). |
 
 Additional rules:
-
-- `/` acts as a path separator and is never matched by `?` or `*` (only by `**`).
 - Use `**` sparingly; prefer narrower patterns (`clientA/*/chat`).
 - Up to five total `*` characters (including those forming `**`) are allowed in a single pattern.
 
@@ -76,8 +75,8 @@ const token = await serviceClient.getClientAccessToken({
   roles: [
     // Can send to all groups under clientA/
   'webpubsub.sendToGroups.clientA/**',
-    // Can join/leave any direct child group under clientA/public/
-  'webpubsub.joinLeaveGroups.clientA/public/*'
+    // Can join/leave any direct child group under public/
+  'webpubsub.joinLeaveGroups.public/*'
   ]
 });
 ```
@@ -86,26 +85,34 @@ const token = await serviceClient.getClientAccessToken({
 
 ```csharp
 var url = service.GetClientAccessUri(roles: new [] {
+    // Can send to all groups under clientA/
   "webpubsub.sendToGroups.clientA/**",
-  "webpubsub.joinLeaveGroups.clientA/public/*"
+    // Can join/leave any direct child group under public/
+  "webpubsub.joinLeaveGroups.public/*"
 });
 ```
 
 # [Python](#tab/python)
 
 ```python
 token = service.get_client_access_token(roles=[
+  # Can send to all groups under clientA/
   "webpubsub.sendToGroups.clientA/**",
-  "webpubsub.joinLeaveGroups.clientA/public/*"
+
+  # Can join/leave any direct child group under public/
+  "webpubsub.joinLeaveGroups.public/*"
 ])
 ```
 
 # [Java](#tab/java)
 
 ```java
 GetClientAccessTokenOptions opt = new GetClientAccessTokenOptions();
+// Can send to all groups under clientA/
 opt.addRole("webpubsub.sendToGroups.clientA/**");
-opt.addRole("webpubsub.joinLeaveGroups.clientA/public/*");
+
+// Can join/leave any direct child group under public/
+opt.addRole("webpubsub.joinLeaveGroups.public/*");
 WebPubSubClientAccessToken token = service.getClientAccessToken(opt);
 ```
 
@@ -118,6 +125,7 @@ WebPubSubClientAccessToken token = service.getClientAccessToken(opt);
 ## Frequently asked questions
 
 **Q: Can I mix literal and pattern roles?**
+
 Yes. A literal role always applies exactly; patterns add broader coverage.
 
 

articles/azure-web-pubsub/howto-generate-client-access-url.md

@@ -3,7 +3,7 @@ title: How to generate client access URL for  Azure Web PubSub clients
 description: How to generate client access URL for Azure Web PubSub clients.
 author: vicancy
 ms.author: lianwei
-ms.date: 09/06/2024
+ms.date: 10/17/2024
 ms.service: azure-web-pubsub
 ms.topic: how-to
 ---
@@ -40,66 +40,45 @@ The same Client Access URL can be generated by using the Web PubSub server SDK.
 
 2. Generate Client Access URL by calling `WebPubSubServiceClient.getClientAccessToken`:
 
-   - Generate client access token
-
-     ```js
-     // for web pubsub native clients
-     let token = await serviceClient.getClientAccessToken();
+    - Generate client access token
 
-     // for mqtt clients
-     let token = await serviceClient.getClientAccessToken({ clientProtocol: "mqtt" });
-     ```
-
-   - Configure user ID
+      ```js
+      // for web pubsub native clients
+      let token = await serviceClient.getClientAccessToken();
 
-     ```js
-     let token = await serviceClient.getClientAccessToken({ userId: "user1" });
-     ```
-
-   - Configure the lifetime of the token
-
-     ```js
-     let token = await serviceClient.getClientAccessToken({
-       expirationTimeInMinutes: 5,
-     });
-     ```
+      // for mqtt clients
+      let token = await serviceClient.getClientAccessToken({ clientProtocol: "mqtt" });
+      ```
 
-   - Configure a role that can join group `group1` directly when it connects using this Client Access URL
+    - Configure user ID
 
-     ```js
-     let token = await serviceClient.getClientAccessToken({
-       roles: ["webpubsub.joinLeaveGroup.group1"],
-     });
-     ```
+      ```js
+      let token = await serviceClient.getClientAccessToken({ userId: "user1" });
+      ```
 
-   - Configure a role that the client can send messages to group `group1` directly when it connects using this Client Access URL
+    - Configure the lifetime of the token
 
-     ```js
-     let token = await serviceClient.getClientAccessToken({
-       roles: ["webpubsub.sendToGroup.group1"],
-     });
-     ```
+      ```js
+      let token = await serviceClient.getClientAccessToken({
+        expirationTimeInMinutes: 5,
+      });
+      ```
 
-  - Configure pattern roles to cover many groups
+    - Configure role(s) of the client when it connects using this Client Access URL. For additional roles that can be assigned, refer to [Permissions](./concept-client-protocols.md#permissions).
 
-     ```js
-     let token = await serviceClient.getClientAccessToken({
-       roles: [
-         // send to any group under clientA/
-         "webpubsub.sendToGroups.clientA/**",
-         // join/leave any direct child of clientA/public/
-         "webpubsub.joinLeaveGroups.clientA/public/*"
-       ]
-     });
-     ```
+      ```js
+      let token = await serviceClient.getClientAccessToken({
+        roles: ["webpubsub.joinLeaveGroup.group1"], // This role allows the client to join and leave "group1"
+      });
+      ```
 
-   - Configure a group `group1` that the client joins once it connects using this Client Access URL
+    - Configure a group `group1` that the client joins once it connects using this Client Access URL
 
-     ```js
-     let token = await serviceClient.getClientAccessToken({
-       groups: ["group1"],
-     });
-     ```
+      ```js
+      let token = await serviceClient.getClientAccessToken({
+        groups: ["group1"],
+      });
+      ```
 
 # [C#](#tab/csharp)
 
@@ -129,24 +108,12 @@ The same Client Access URL can be generated by using the Web PubSub server SDK.
      var url = service.GetClientAccessUri(expiresAfter: TimeSpan.FromMinutes(5));
      ```
 
-   - Configure a role that can join group `group1` directly when it connects using this Client Access URL
+   - Configure roles assigned to the client when it connects using this Client Access URL. For additional roles that can be assigned, refer to [Permissions](./concept-client-protocols.md#permissions).
 
      ```csharp
-     var url = service.GetClientAccessUri(roles: new string[] { "webpubsub.joinLeaveGroup.group1" });
-     ```
-
-   - Configure a role that the client can send messages to group `group1` directly when it connects using this Client Access URL
-
-     ```csharp
-     var url = service.GetClientAccessUri(roles: new string[] { "webpubsub.sendToGroup.group1" });
-     ```
-
-  - Configure pattern roles to cover many groups
-
-     ```csharp
-     var url = service.GetClientAccessUri(roles: new [] {
-  "webpubsub.sendToGroups.clientA/**",
-  "webpubsub.joinLeaveGroups.clientA/public/*"
+     var url = service.GetClientAccessUri(roles: new string[] {
+       "webpubsub.joinLeaveGroup.group1", // This role allows the client to join and leave "group1"
+       "webpubsub.sendToGroup.group1" // This role allows the client to send messages to "group1"
      });
      ```
 
@@ -184,24 +151,12 @@ The same Client Access URL can be generated by using the Web PubSub server SDK.
      token = service.get_client_access_token(minutes_to_expire=5)
      ```
 
-   - Configure a role that can join group `group1` directly when it connects using this Client Access URL
-
-     ```python
-     token = service.get_client_access_token(roles=["webpubsub.joinLeaveGroup.group1"])
-     ```
-
-   - Configure a role that the client can send messages to group `group1` directly when it connects using this Client Access URL
-
-     ```python
-     token = service.get_client_access_token(roles=["webpubsub.sendToGroup.group1"])
-     ```
-
-  - Configure pattern roles to cover many groups
+   - Configure roles assigned to the client when it connects using this Client Access URL. For additional roles that can be assigned, refer to [Permissions](./concept-client-protocols.md#permissions).
 
      ```python
      token = service.get_client_access_token(roles=[
-  "webpubsub.sendToGroups.clientA/**",
-  "webpubsub.joinLeaveGroups.clientA/public/*"
+       "webpubsub.joinLeaveGroup.group1", # This role allows the client to join and leave "group1"
+       "webpubsub.sendToGroup.group1" # This role allows the client to send messages to "group1"
      ])
      ```
 
@@ -248,28 +203,12 @@ The same Client Access URL can be generated by using the Web PubSub server SDK.
      WebPubSubClientAccessToken token = service.getClientAccessToken(option);
      ```
 
-   - Configure a role that can join group `group1` directly when it connects using this Client Access URL
-
-     ```java
-     GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();
-     option.addRole("webpubsub.joinLeaveGroup.group1");
-     WebPubSubClientAccessToken token = service.getClientAccessToken(option);
-     ```
-
-   - Configure a role that the client can send messages to group `group1` directly when it connects using this Client Access URL
-
-     ```java
-     GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();
-     option.addRole("webpubsub.sendToGroup.group1");
-     WebPubSubClientAccessToken token = service.getClientAccessToken(option);
-     ```
-
-  - Configure pattern roles to cover many groups
+   - Configure roles assigned to the client when it connects using this Client Access URL. For additional roles that can be assigned, refer to [Permissions](./concept-client-protocols.md#permissions).
 
      ```java
      GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();
-  option.addRole("webpubsub.sendToGroups.clientA/**");
-  option.addRole("webpubsub.joinLeaveGroups.clientA/public/*");
+     option.addRole("webpubsub.joinLeaveGroup.group1"); // This role allows the client to join and leave "group1"
+     option.addRole("webpubsub.sendToGroup.group1"); // This role allows the client to send messages to "group1"
      WebPubSubClientAccessToken token = service.getClientAccessToken(option);
      ```
 
@@ -357,5 +296,3 @@ You could also use Microsoft Entra ID and generate the token by invoking [Genera
     }
     ```
 
-> [!TIP]
-> See [Wildcard group role patterns](concept-wildcard-group-roles.md) for syntax, escaping, and security guidance.

articles/azure-web-pubsub/includes/reference-permission.md

@@ -20,4 +20,7 @@ A PubSub WebSocket client can only publish to other clients when it's authorized
 | `webpubsub.joinLeaveGroups.<pattern>` | The client can join/leave any group whose name matches `<pattern>` (see [Wildcard group role patterns](../concept-wildcard-group-roles.md)).
 | `webpubsub.sendToGroups.<pattern>` | The client can publish messages to any group whose name matches `<pattern>` (see [Wildcard group role patterns](../concept-wildcard-group-roles.md)).
 
-The server can dynamically grant or revoke client permissions through REST APIs or server SDKs.
+The server can dynamically grant or revoke client permissions through REST APIs or server SDKs.
+
+> [!NOTE]
+> Wildcard roles (e.g., `webpubsub.sendToGroups.<pattern>`) are not supported in REST APIs or server SDKs during runtime yet.