Reputation: 193
Connect and pass Auth token to a SignalR hub with CORS enabled
I have three ASP.NET WebAPI endpoints:
- Identity server, which generates bearer tokens (serverA.com);
- SignalR server with hub (serverB.com);
- Some endpoint with a simple ASP.NET MVC view and SignalR JS client script (serverC.com).
All three servers use OAuth2 middleware as Auth mechanism. Microsoft.Owin.Cors is configured as well. Servers use only HTTPS requests. SignalR v2.2.0 is installed on serverB.com.
I can successfully make a cross-domain request from serverC.com to serverA.com to get bearer token, but, actually, I don't know how to pass auth token while connecting to serverB.com
There are two ways I found so far:
- Pass auth token as a query string (not secure);
Apply this setting to the jQuery.ajax
$.ajaxSetup({ beforeSend: function (xhr) { xhr.setRequestHeader('tokenKey', 'tokenValue'); }});
but it forces SignalR to use long polling only.
Is there any other way to send auth token (not in query string) so it can be consumed and validated by OAauth BearerAuthorizationProvider? Maybe, cookies, headers or any other way?
Update
CORS middleware set up for both environments to allow all data and accept credentials.
Here is my OWIN middleware:
var requestUri = context.Request.Uri.AbsolutePath;
if (string.Equals(requestUri, authRoute, StringComparison.OrdinalIgnoreCase))
{
if (!context.Request.Headers.ContainsKey("Authorization") || string.IsNullOrEmpty(context.Request.Headers["Authorization"]))
{
context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
}
else
{
context.Response.Cookies.Append("BearerToken", context.Request.Headers["Authorization"]);
}
}
else
{
await Next.Invoke(context);
}
Then I do first Ajax request:
$.ajax({
url: self.communicationHubUrl + '/authenticate',
type: 'post',
cache: false,
crossDomain: true,
beforeSend: function(xhr) {
xhr.setRequestHeader('Authorization', self.accessToken);
});
middleware sets auth token from header to the response cookies.
Then I call hub.Start so SignalR begins to send ajax requests.
But for some reasons I don't quite understand, cookies are present in request only if I enable xhr.withCredentials = true for ALL ajax requests via $.ajaxSetup
$.ajaxSetup({
xhrFields: {
withCredentials: true
}
});
Without this setting request doesn't include cookies. On the other hand, I guess it's not a good decision to force all ajax requests to enable such settings.
Furthermore, I've faced strange behavior in Oauth middleware: ValidateIdentity method is not invoked when request from signalR comes so instead of 401 Unauthorized, I'm getting deafult principal.
Upvotes: 4
Views: 3180
Answers (1)
Reputation: 15234
I think that putting the auth token insied a cookie will be your best bet. Unlike the ajaxSetup option, cookies are sent with EventSource and WebSocket requests.
You might need to add some middleware to the SignalR server (serverB.com) that sets the appropriate cookie when you POST the auth token before starting the SignalR connection.
Upvotes: 1
Related Questions
- How to allow cors with signalr
- Signalr CORS issue
- Cross origin SignalR connection stops after negotiate
- CORS errors when deploying signalR notification Hub to IIS
- SignalR CORS error
- How to enable Cors in Signalr Azure Service
- CORS issue with SignalR 2.2 on Azure
- Asp.NET Web API and SignalR Cors
- Allow any user to access 'signalr/hubs' without credentials, using cors (server runs windows authentication)
- SignalR CORS error on request to Hub method