Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

JWT authentication in SignalR (.NET Core) without passing token in Query String

I am using JWT authentication tokens in an ASP .NET Core Web API application. The tokens are generated by the API itself, not by a third party. I added SignalR sucessfully to the stack, but now I need to authenticate the users that are trying to execute server (Hub) methods. Someone suggested to pass the token in the "qs" property in JavaScript. This will not work for me as our tokens are really large (they contain lots of claims). I tried writing a custom middleware for reading the token from the payload and auto-authenticating the user. The problem is that, when using WebSockets, the middleware is not executed. Any ideas will help.

like image 663
Alin Florin Avatar asked Dec 16 '16 22:12

Alin Florin


People also ask

Does SignalR require sticky session?

SignalR requires that all HTTP requests for a specific connection be handled by the same server process. When SignalR is running on a server farm (multiple servers), "sticky sessions" must be used. "Sticky sessions" are also called session affinity by some load balancers.

How do I send client specific messages using SignalR?

We change the BroadcastChartData() method to accept connectionId as an additional parameter. This way, we can find the client using the connectionId and send a message just to that client. Additionally, we add a new GetConnectionId() method, which returns the connectionId of the client.


1 Answers

Have a look at article that suggests to use query string Authenticate against a ASP.NET Core 1.0 (vNext) SignalR application using JWT. I know that your token is too long, but author explains how to use middleware to authenticate the request.

Here is the summary from the article:

  • SignalR does not have any special authentication mechanism built in, it is using the standard ASP.NET authentication.
  • JWT is typically sent in the Authorization header of a request
  • The SignalR JavaScript client library does not include the means to send headers in the requests, it does however allow you to pass a query string
  • If we pass the token in the query string we can write a middleware that adds a authorization header with the token as its value. This must be done before the Jwt middleware in the pipeline
  • Be aware of the “Bearer ” format

I have highlighted the key point that your custom middleware should be registered before Jwt middleware.

From this answer you can create a WebSocket connection and pass your token as basic auth parameter:

var ws = new WebSocket($"ws://{token}@example.com/service");
like image 197
Andrii Litvinov Avatar answered Oct 18 '22 16:10

Andrii Litvinov