SignalR and OpenId Connect

Asked 25/11, 2016 at 13:28 Answered 28/3, 2018 at 14:18

Solved asp.net-web-api asp.net-core oauth-2.0 openid openiddict

I have a server which uses ASP.NET Core Web Api and OpenIddict as authorization framework. Now I've added an SignalR host and want to add authorisation to it.

From different sources I found that SignalR (JS Client) wants that you send the access token in the querystring or by cookie as websockets don't support headers.

As the authentication middleware doesn't check the querystring or cookie container for an authorization entry I need to implement such an provider/retriever/resolver which reads this value by myself.

I've found a solution for IdentityServer but nothing about OpenIddict.

Where/How do I implement such an token resolver with OpenIddict?

Confucianism answered 25/11, 2016 at 13:28 Comment(1)

Is this what you're trying to do? It has two levels of middleware to accept both the query string and the header. – Priggery 3/3, 2017 at 0:40

If you use JwtBearerAuthentication then you can use OnMessageReceived to set token:

Events = new JwtBearerEvents()
{
   OnMessageReceived = async (ctx) =>
   {
        ctx.Token = ctx.Request.Query["<qs-name>"];
   }
}

Or if you use IdentityServerAuthentication then you can use TokenRetriever(not tested but it should be something like this):

   TokenRetriever = (ctx) =>
   {
        return ctx.Request.Query["<qs-name>"];
   }

Pop answered 25/11, 2016 at 13:50 Comment(0)

Just like @adem-caglin mentioned, in IdentityserverAuthentication you use TokenRetriever and can go with the built-in functions if what you're after is the standard bearer header or a query string

TokenRetriever = (request) => 
{
    // by default calls TokenRetrieval.FromAuthorizationHeader()(request);
    // check if request is to signalr endpoint and only then apply FromQueryString
    return TokenRetrieval.FromQueryString()(request);
}

Wanderjahr answered 28/3, 2018 at 14:18 Comment(0)

Recommended topics

Hot tags