Pass the same token used for authenticating WebAPI calls as a query string/or store it in a cookie for SignalR , then create a provider that somehow unwraps and expands the token into identity. I followed this blog post but I seem to be missing something.
Again pass the token as a query string /or as a cookie, but this time create a custom Authorize Attribute
to Authorize SignalR hubs or methods. Again a blog post about this.The problem with this solution was in Unprotect method on the token.
The final and the easiest solution is to also enable cookie authentication , keep using bearer token authentication
for WebAPI calls and let the OWIN Middleware authorize calls on the hubs. (this solution actually works).
Now, the issue is that using the default template for a WebAPI
application with Individual User Accounts
(so with token authentication), whenever I send an AJAX
request to the API it also sends the cookie.
publicpartialclassStartup{publicstaticOAuthAuthorizationServerOptionsOAuthOptions{get;privateset;}publicstaticstringPublicClientId{get;privateset;}// For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864publicvoidConfigureAuth(IAppBuilder app){// Configure the db context and user manager to use a single instance per request
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.UseCookieAuthentication(newCookieAuthenticationOptions());PublicClientId="self";OAuthOptions=newOAuthAuthorizationServerOptions{TokenEndpointPath=newPathString("/Token"),Provider=newApplicationOAuthProvider(PublicClientId),AuthorizeEndpointPath=newPathString("/api/Account/ExternalLogin"),AccessTokenExpireTimeSpan=TimeSpan.FromDays(14),AllowInsecureHttp=true};
app.UseOAuthBearerTokens(OAuthOptions);}}publicstaticclassWebApiConfig{publicstaticvoidRegister(HttpConfiguration config){// Web API configuration and services// Configure Web API to use only bearer token authentication.
config.SuppressDefaultHostAuthentication();
config.Filters.Add(newHostAuthenticationFilter(OAuthDefaults.AuthenticationType));// Web API routes
config.MapHttpAttributeRoutes();
config.Routes.MapHttpRoute(
name:"DefaultApi",
routeTemplate:"api/{controller}/{id}",
defaults:new{ id =RouteParameter.Optional});}}
Thank you for your post. According to your description, I suggest you use cookie to store authentication token. On server side, you could use customized authorization if you need to customize how authorization is determined.
[AttributeUsage(AttributeTargets.Class, Inherited = false, AllowMultiple = false)]
public class AuthorizeClaimsAttribute : AuthorizeAttribute
{
}
None
0 Points
3 Posts
WebAPI & SignalR-Token Authentication - Authorizing SignalR Hubs
Sep 07, 2015 09:40 AM|The_Doctor|LINK
I have a WebAPI
solution and I use token authentication
, so the flow is the following:
Now SignalR comes into play. Since it uses WebSockets, you are not able to pass a header. Searching for a solution, I've come across the following:
- not an option since it forces SignalR to use longPolling
Pass the same token used for authenticating WebAPI calls as a query string/or store it in a cookie for SignalR , then create a provider that somehow unwraps and expands the token into identity. I followed this blog post but I seem to be missing something.
Again pass the token as a query string /or as a cookie, but this time create a custom Authorize Attribute
to Authorize SignalR hubs or methods. Again a blog post about this.The problem with this solution was in Unprotect method on the token.
The final and the easiest solution is to also enable cookie authentication , keep using bearer token authentication
for WebAPI calls and let the OWIN Middleware authorize calls on the hubs. (this solution actually works).
Now, the issue is that using the default template for a WebAPI
application with Individual User Accounts
(so with token authentication), whenever I send an AJAX
request to the API it also sends the cookie.
Even if I did this:
Do you see an easier way of authenticating SignalR
with token authentication? Is this final approach (if I manage to suppress the sending of the cookie with requests) viable in production?
(Also posted on Stack Overflow)
authentication asp webapi signalr Owin
Star
9860 Points
974 Posts
Microsoft
Re: WebAPI & SignalR-Token Authentication - Authorizing SignalR Hubs
Sep 08, 2015 02:08 AM|Li Wang|LINK
Hi The_Doctor,
Thank you for your post. According to your description, I suggest you use cookie to store authentication token. On server side, you could use customized authorization if you need to customize how authorization is determined.
Best Regards,
Wang Li