Azure Event Hubs: How to grant SAS tokens to Javascript publishers (running in browser)?

Question

I am building a website analytics solution based on Azure Event Hubs. I have Javascript code embedded in each web page that publishes events directly to an Event Hub via the Azure Event Hubs REST API.

The REST API requires that each call be authenticated via a SAS token. My questions is - Do I have to code up a server side endpoint that will provide my publishers with temporary tokens before they can start publishing?

Are there alternative approaches?

1. Does the REST API provide this "authenticate" end point out of the box? (couldn't find it here)
2. Or, how terrible, security wise would it be to have a token hard coded into the client-side code?
3. Or, technically feasible but security-wise much worse than option 2, Hard-code the Event Hub's Shared Access Key in the client-side code and use something like the (unofficial) Azure ServiceBus JavaScript SDK to generate the SAS token on the fly?

Answer 1

Event Hub REST api does not provide an authentication end point. You will have to code up the generation of SAS tokens per client (browser or device) on your server side (may be as part of your AuthN/Z routines?). Refer to RedDog.ServiceBus nuget package to generate SAS tokens for your Event Hub, per client. Also this article on IoT, explains authenticating against Event Hubs using the aforementioned package.

In my opinion, I would much rather do the above and rule out #2 and #3. They (2 & 3) leave the solution vulnerable and violate best practices.