I have a standalone SignalR server where I want to get hold of the Context.User in the OnConnected event
In my mvc4 application I use FormsAuthentication. But when calling the hub the Context.User is null
Isn't it possible to get hold of the User in a standalone signalr service?
This sample uses Forms Authentication and its using Context.User
Related
Seems like SignalR only accepts Bearer/JWT tokens. Is there support for SAML?
If you implement SAML in your webapp, the webapp will issue a cookie based on successful authentication. SignalR will piggyback on that:
In a browser-based app, cookie authentication allows your existing
user credentials to automatically flow to SignalR connections. When
using the browser client, no additional configuration is needed. If
the user is logged in to your app, the SignalR connection
automatically inherits this authentication.
I know SignalR is not available for ASP.NET Core 1.1 and in preview for 2.0. Meantime I need to work around this limitation.
The application I'm building is an ASP.NET Core 1.1 MVC application. One small but important feature in this application is case management. The view needs to be updated with new incoming cases for that specific user.
My SignalR 2 hub runs in a separate ASP.NET 4.* application.
I was hoping as this is all 1-way that I could easily use the SignalR JavaScript client instead of the .NET client and Bob is your uncle.
The problem however is AuthN/AuthZ for which I'm using Azure AD B2C (oauth2)
Within the MVC app I use standard cookie authorization, but the pattern I'm using for the backend API's is that I use my MVC code to wrap the access token in a bearer tokens and sent that to the backend API where I use jwt bearer authorization. Therefore my clientside JavaScript never sees the access token, just the cookies that the MVC app uses between View and Controller.
The problem now is that if I want to connect to the Hub using JavaScript I have nothing to sent to the Hub to prove my identity as the jwt token only exists in the MVC host, and the cookies are HTTP Only so inaccessible.
Any ideas or alternatives?
Thanks!
Ok I found it! I can use the following method to pass along the cookie from my MVC app:
Follow instructions in https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/compatibility/cookie-sharing to setup cookie sharing
Use the withCredentials=true on XMLHttpRequest.withCredentials through the start method on the hubConnection in SignalR
conn.start({ withCredentials: true }).done(function () {
hub.invoke('recordHit');
});
Setup CORS in the Hub project.
easy! Works like a charm
I've got an self-hosted SignalR instance, using OWIN. I'd like to implement authorization. My users will already have logged into an ASP.NET MVC application, using Forms Authentication.
Since the two applications will be available at the same URL, the cookies will be shared between the two. How do I accept a Forms Authentication cookie in a self-hosted SignalR application?
Clarification: I'm talking about a browser accessing a self-hosted SignalR hub using the same credentials that were used to log into a separate (but related, and installed on the same host) IIS application.
So, the question is: how do I hook into the SignalR server pipeline to capture the .ASPXAUTH cookie and use it to set the current principal before calling the hub?
If it helps, I can throw some Nancy into the mix.
If your user is already authenticated and logged in, you can check the following within your SignalR hub:
Context.User.Identity.IsAuthenticated
Assure this property is set to true. You can place this check within the constructor of your hub to block/remove their connection. If false, you can redirect them to another page.
I have gone through wiki on SignalR and still can't figure out how to do Forms authentication with SignalR. I'd like to invoke a call to a hub (or persistent connection) with username/password and be able to return a redirect to an authenticated page, along with setting forms authentication cookie.
Don't do forms auth through SignalR. Do it outside of SignalR (as you would normally) and then you can check to make sure incoming calls, and subscribers to your hub are authenticated.
I have a java app with a .net application running in the java applications embedded browser.
I want the java application to call a .net WCF or web service with a username and password.
The wcf will set the user to authorized in forms authentication.
In the java desktop application I will then load a .aspx page that was protected via forms authentication.
How can I accomplish this? Is it even possible...?
You will need to enable ASP.NET compatibility mode on the WCF service in order to enable forms authentication.
The Java client application could send username and password over a secure connection and your WCF service authenticates the user via FormsAuthentication.Authenticate(username, password) or FormsAuthentication.SetAuthCookie.
You will then need to use a cookie store on the Java client side in order to pass the authentication cookie on every consecutive request (and update it when it gets refreshed), but this should be a built-in feature of your HTTP-client.
The .aspx page must run on a server with the same machine key as the WCF service.
Conclusion: Yes, it is possible, but for me it is not clear to which ".NET application" you refer to?
Edit: I think its clear now, you will need to be able to set the browser cookies. If you cant do this directly from your java application, a workaround would be to let the WCF service communicate that the user is authenticated and then set the cookie on the .aspx site request.