-
Notifications
You must be signed in to change notification settings - Fork 10k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
.NET Core WebSockets - Token Authorization #2881
Comments
Yes, you can use bearer token auth with WebSocket requests. Are you asking for client or server code samples? On the server you configure JwtBearer normally. See Where would you be consuming the WebSocket? In an MVC controller? In that case you want to add the |
If you're using the browser client you cannot set headers. This means the defaults won't just work. You have to send it in the query string and get it on the server like this https://github.com/aspnet/SignalR/blob/4394b57143ad0517333ffbe88848fbb68264a614/samples/JwtSample/Startup.cs#L53-L60. |
You shouldn’t ever be sending tokens in the query string, they can be logged client side, server side, and by any proxies in the way. It’s simply not secure. @davidfowl is there no way to set the authorization header for signalr requests? If not there needs to be. |
Unfortunately, it's nothing to do with SignalR, it's a browser limitation. Alternatively, you can do something custom with the websocket connection itself (sending the JWT with a custom websocket message), but then you won't be able to use the JWT auth handler as is. The way it would work in that world is that you would send the JWT Token over the websocket with some custom format, parse it on the server side, then store it in HttpContext.Items. From there, you should be able to call options.Events = new JwtBearerEvents
{
OnMessageReceived = context =>
{
var jwtToken = context.Items["jwtToken"];
if (!string.IsNullOrEmpty(jwtToken) && context.HttpContext.WebSockets.IsWebSocketRequest)
{
context.Token = jwtToken;
}
return Task.CompletedTask;
}
}; There are other issues with authentication over websockets like the token expiring. Since this only happens once, you'll need some way to get a new token or disconnect the client when the token is expired. |
In the past I've done this by implementing a custom ajax endpoint that accepts the access token, and then in turn issues a custom cookie that's only meant for the web sockets connection. That way 1) you have more control over cookie sliding, 2) avoid access token expiration issues since you're now managing the cookie expiration/sliding, 3) then when reconnects happen the cookie is auto-resent, and 4) no manual passing of tokens and leaking into logs. |
Closing because it looks like this discussion has concluded. |
@davidfowl thanks for this, I was able to authorize by sending token from the client as:
and getting token like this:
However, now the browser expects response and throws an error:
So in my
But this time I get: and at the backend I get:
Any idea? |
Never mind :-)
|
@kedzior-io Found this page when googling, and your comments were a great help. I realise that this is all a bit hacky, but here's what I had to when using the RxJs webSocket wrapper. In the client:
On the server:
|
Hi,
.NET Core WebSockets support token jwt authentication ? Have example to configure ?
Thank you,
The text was updated successfully, but these errors were encountered: