Authentication of Websocket connection

[Zaixu]

As the title. How is this supposed to work with HotChocolate? I cant seem to wrap my head around it.
As websockets doesnt send headers. If the connection cant be stopped, data can be sniffed.

Am i missing something here? Seing as authorize attribute will only return unauthorized, as there is no bearer token. I could send a parameter in with websocket, but it looks to me hotchocolate is taking care of the whole connection in its middleware, where there is no auth handling.

`

[ExtendObjectType(Name = "Query")]
public class OrganizationQueries
{
    public IQueryable<OrganizationDTO> GetOrganizations([Service] IMapper mapper, [Service]DatabaseContext dbContext) {
        return mapper.ProjectTo<OrganizationDTO>(dbContext.Organizations);
    }
}

`

[PascalSenn]

Hi @Zaixu
HotChocolate itself does not do the authentication only the authorization
If you would like to do authenticate with a bearer token you can either pass it over the querystring of the websocket connection url or you use a message interceptor of HotChocolate and do the authentication yourself
If you use Apollo you can follow the guide here:
https://gist.github.com/PascalSenn/43fedfbc1bc96692d99263a9da2d9ac4

[Zaixu]

Hi @PascalSenn
Thanks that was exactly what i was looking for.
Any good ideas to handling expiring access token for WebSocket in HotChocolate? Not exactly sure how to deal with that.

[PascalSenn]

@Zaixu
As far as i know, there are two different cases to consider.
First one would the token expiries, then we would have to renew it whenever possible
Second one would be that the token is revoked from the identity provider

I think we would need to intercept every single message to achieve this. (Especially in the second case 😄 )

I am not even sure if such an interceptor even exists atm.
@michaelstaib any ideas?

[PetterRein]

I was working on adding subscription, and got user not authorized after implementing the code Pascal wrote.

To get things working with the Authorize attribute I had to add the changes I made in this commit: add ClaimsPrincipal to ContextData workaround websocket auth

I'am no expert at all but it looks like when using websocket the ClaimsPrincipal is not forwarded, is this on intention or a bug? @PascalSenn @michaelstaib

[promontis]

@PetterRein this one is related #1319

Also discussed at: dotnet/aspnetcore#2881

[PetterRein]

Thank you!

So this is a "problem" with aspnetcore itself and not HotChocolate, looks like I have to look into SingalR.

[promontis]

@PetterRein AFAIK SignalR has the same problem. But the code in your repo seems to works just fine. I will try and see if I can do a PR for your code to HC. Will make sure it is still configurable.

[Arsync]

@PetterRein

I had to add the changes I made in this commit

You save my weekend! But, we can do it easer with IHttpContextAccessor, no need for WebSocketContext

// The second parameter of the AddGraphQL method:
(IQueryExecutionBuilder builder) => builder
    .Use(next => async context =>
    {
        var hca = context.Services.GetRequiredService<IHttpContextAccessor>();

        context.ContextData["ClaimsPrincipal"] = hca.HttpContext.User;

        await next(context);
    })
    .UseDefaultPipeline()

[martinmesserli]

@michaelstaib @PascalSenn: What is the proper way of authentication/authorization for subscriptions in the GraphQL server? I could not find a complete example in the docs.
Hint: Our scenario includes Keycloak which issues JWT's and the sending GraphQL client is Apollo Angular.

[github-actions]

Stale issue message

[michaelstaib]

have a look at the gits of pascal:
https://gist.github.com/PascalSenn/43fedfbc1bc96692d99263a9da2d9ac4