I'm using a signalR hub to handle server requests from a DNN portal. What is the best way to authenticate a client request from signalr in DNN? Is it possible to do this in a manner similar to the how the DNN implementation of WebAPI uses the services framework or is there another approach?
Related
Our project is using SignalR over ASP.NET OWIN (full framework), and clients are mobile apps based on Xamarin. Authentication is done based on JWT. It is needed that we protect SignalR hubs against anonymous access, then find out user name of the connection.
Is it possible to SignalR to work with JWT? If yes, how?
SignalR's own protection is based on cookies not JWT. Also we can't afford to use query strings to pass the token due to deployment that is not HTTPS.
I am new to Identitysever3 but I have worked with OAuth and OpenId.
I need to create a MVC client that will interact with QBO (Quickbooks Online). QBO uses OAuth by it's own.To start with I followed the github sample project from QBO community to use QBO REST API. This MVC app has OAuth stuff in MVC controller.
Now I need to create actual MVC project that will interact with QBO. I am after best practices to authorize my project. Here my authorize server would be QBO. So is my app is the right candidate to use Identityserver3?
My understanding is that I need to add Identityserver 3 project in my solution and use authorize server URI, client Id and client secret provided by QBO.
I assume Identityserver 3 is a framework that is the best way to use OAuth and OpenID connect as a separate project so it can be reused in other solutions. AND it's not an Authorization server, am I correct?
waiting for help please.
I assume Identityserver 3 is a framework that is the best way to use OAuth and OpenID connect as a separate project so it can be reused in other solutions. AND it's not an Authorization server.
This statement is not correct. In fact IdentityServer3 implements OAuth2 and OpenIdConnect and is an authorization server. If you have QBO as authorization server, you don't need to use identityserver3.
what you need is a client for OAuth2 and OpenIdConnect. You can use IdentityModel which is implemented by the same team that implements IdentityServer3.
I know SignalR is not available for ASP.NET Core 1.1 and in preview for 2.0. Meantime I need to work around this limitation.
The application I'm building is an ASP.NET Core 1.1 MVC application. One small but important feature in this application is case management. The view needs to be updated with new incoming cases for that specific user.
My SignalR 2 hub runs in a separate ASP.NET 4.* application.
I was hoping as this is all 1-way that I could easily use the SignalR JavaScript client instead of the .NET client and Bob is your uncle.
The problem however is AuthN/AuthZ for which I'm using Azure AD B2C (oauth2)
Within the MVC app I use standard cookie authorization, but the pattern I'm using for the backend API's is that I use my MVC code to wrap the access token in a bearer tokens and sent that to the backend API where I use jwt bearer authorization. Therefore my clientside JavaScript never sees the access token, just the cookies that the MVC app uses between View and Controller.
The problem now is that if I want to connect to the Hub using JavaScript I have nothing to sent to the Hub to prove my identity as the jwt token only exists in the MVC host, and the cookies are HTTP Only so inaccessible.
Any ideas or alternatives?
Thanks!
Ok I found it! I can use the following method to pass along the cookie from my MVC app:
Follow instructions in https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/compatibility/cookie-sharing to setup cookie sharing
Use the withCredentials=true on XMLHttpRequest.withCredentials through the start method on the hubConnection in SignalR
conn.start({ withCredentials: true }).done(function () {
hub.invoke('recordHit');
});
Setup CORS in the Hub project.
easy! Works like a charm
I need to create a high-frequency realtime web application and I would like to know the best way for doing it!
A WCF Service hosted in a Windows Service needs to refresh browser clients (ASP.NET application) each seconds with fresh data (often with IE8).
I've think about 2 solutions :
1. WCF Callback from WCF Service to Asp.Net Application server side and SignalR from ASP.NET Application server side to ASP.NET Application client side.
SignalR from WCF service to Asp.NET Application client side but is it possible??? If yes, how because I just found tutorials with communication between Asp.net server side and cient side and never with signalR as server hosted in a WCF.
Documentation I found is :
http://blog.maartenballiauw.be/post/2011/12/06/Using-SignalR-to-broadcast-a-slide-deck.aspx
http://www.asp.net/signalr/overview/getting-started/tutorial-server-broadcast-with-aspnet-signalr
http://www.asp.net/signalr/overview/getting-started/tutorial-high-frequency-realtime-with-signalr#serverloop
Thks
I think this post can help: SignalR as WCF web socket service :
...
You can self-host the SignalR server:
Taken from (https://github.com/SignalR/SignalR/wiki/QuickStart-Hubs):
I have an internal LOB Silverlight client that uses business logic in a self-hosted WCF service (cross domain).
I'm thinking of using ASP.NET AuthenticationServices. How would I set this up with my self-hosted WCF service?
Call ASP.NET AuthenticationService from Silverlight to authenticate user? But this would not protect my self-hosted service...
Send username/password in every request from Silverlight and in my self-hosted service call ASP.NET Authentication Services? (Feels a bit backwards?)
Call ASP.NET AuthenticationService from Silverlight to authenticate user, send username/password in every request from Silverlight to allow logging etc, and use some other means to protect my service?
Is there some way to glue this together or is ASP.NET AuthenticationService not meant to be used when having a self-hosted WCF service?
All of the research I've done on the WCF Authentication Service indicates it's usage is for same-domain (RIA-like) applications. It sets the HttpContext.Current.User and creates a user session, so you can restrict your other WCF endpoint in some subfolder of the hosting website and control access via the web.config file. In this scenario, you can use the log the HttpContext user. If you plan to do things cross-domain, I think you'll find you need to use a combination of Transport (HTTPS) and Message security in the WCF binding configuration. This basically means your 2nd bullet point is true and you'll need to set the Username/Pw on the service client credentials (using Windows Auth or forms auth) and all WCF to send them across the wire with each message...