Reputation: 6186
SignalR supplying authorization token
I'm struggling to decide how best to add authentication and authorisation to my SignalR service.
At the moment it is hosted in Owin alongside a WebApi2 web service. I use OAuth2 bearer tokens to authenticate with those, and it works perfectly. However, I wonder if they're suitable for SignalR?
My client is JavaScript based, and SignalR uses WebSockets if available. This means I can't use the Authorization header. I figured out that I can supply the token using the qs property before I connect. But of course an OAuth2 access token will expire (and relatively shortly in my implementation). I assume that updating the qs property won't make a difference once connected (particularly with web sockets).
I suppose my question is what is the best way to supply a security token, ticket, or any kind of authorization information to SignalR? Preferably a way that can be consistent on both my WebApi and SignalR, but I am looking to know how I should be doing it.
Thanks
Upvotes: 8
Views: 1796
Answers (1)
Reputation: 1150
It's been sometime now - but we used to look for the auth cookie in the signalR request to ensure that only a signed in user can subscribe to signalr notifications.
It didn't handle the case where the token expired - since the cookie was checked only on connect. This wasn't a problem for us.
Upvotes: 1
Related Questions
- Passing token through http Headers SignalR
- Signalr User never shows authenticated
- Authorization for all hubs by default in SignalR Core
- ASP.NET Core 2.0 Signalr pass data from authorization requirement to hub
- How to authorize SignalR Core Hub method with JWT
- SignalR AuthorizeHubConnection
- Authenticate SignalR Hub using ServiceStack Authentication Plugin
- Unable to Identify User Context in SignalR hub decorated with "Authorize" attribute
- Authorization in SignalR 2.0
- Implementing Authorization in a Self Hosted SignalR Server accessed from Web