Forms authentication with SignalR - asp.net

I have gone through wiki on SignalR and still can't figure out how to do Forms authentication with SignalR. I'd like to invoke a call to a hub (or persistent connection) with username/password and be able to return a redirect to an authenticated page, along with setting forms authentication cookie.

Don't do forms auth through SignalR. Do it outside of SignalR (as you would normally) and then you can check to make sure incoming calls, and subscribers to your hub are authenticated.

Related

SignalR .NET Core - is SAML Token authentication possible?

Seems like SignalR only accepts Bearer/JWT tokens. Is there support for SAML?
If you implement SAML in your webapp, the webapp will issue a cookie based on successful authentication. SignalR will piggyback on that:
In a browser-based app, cookie authentication allows your existing
user credentials to automatically flow to SignalR connections. When
using the browser client, no additional configuration is needed. If
the user is logged in to your app, the SignalR connection
automatically inherits this authentication.

Thinktecture Identity Server 3 authorization flow for WebApi-Angularjs Web App

I have a question regarding the best standard architecture of Authorization in web application that is written in Asp.Net Web Api on the backend and and has an angularjs client side.
According to what I had seen before, the "Resource Owner Credentials" flow is what would be used in such cases, where the webapp would send the user's credentials to the server and obtain access token (and refresh token) and then using an interceptor, every call to the backend apis would contain the access token in the header.
However, I have recently seen arguments about it being a bad idea, as it gives the user's credentials to the client app.
What is the best flow for a scenario when you have javascript client directly calling you WebApis? What is the best way to secure it using Identity Server?
You could also consider implicit flow or hybrid flow, when the client app (angular) is redirecting the user to login on the openid identity provider (Identity Server) an upon a successful authentication, this returns an access/identity token which can be used in subsequent calls to the Apis.
In this case the client app is never touching client credentials, it always has to manage tokens.
see also https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Flows

SignalR Authentication on Method not Hub

I am using an OWIN Auth2.0 Authorization Server for Authorizing users and generating Tokens. How can I Connect to a Hub without any Authentication, but prevent anonymous users to call some Methods.
Authentication to FooHub is not required.
Authentication to FooHub.FooMethod is required.
Authentication to FooHub.FooBarMethod is not required.
Edit
I have everything exact like in this question SignalR AuthorizeHubConnection ,and i got the same problem. Everytime i want to set the "server.User" variable, i get an NullReferenceException.

Accepting ASP.NET Forms Authentication cookies in an OWIN-hosted SignalR implementation?

I've got an self-hosted SignalR instance, using OWIN. I'd like to implement authorization. My users will already have logged into an ASP.NET MVC application, using Forms Authentication.
Since the two applications will be available at the same URL, the cookies will be shared between the two. How do I accept a Forms Authentication cookie in a self-hosted SignalR application?
Clarification: I'm talking about a browser accessing a self-hosted SignalR hub using the same credentials that were used to log into a separate (but related, and installed on the same host) IIS application.
So, the question is: how do I hook into the SignalR server pipeline to capture the .ASPXAUTH cookie and use it to set the current principal before calling the hub?
If it helps, I can throw some Nancy into the mix.
If your user is already authenticated and logged in, you can check the following within your SignalR hub:
Context.User.Identity.IsAuthenticated
Assure this property is set to true. You can place this check within the constructor of your hub to block/remove their connection. If false, you can redirect them to another page.

How to protect a WCF Rest service with username and password?

I'm new in WCF and I want to know how can I protect a WCF Rest service.
I have an asp.net website, only registered users can access it, the application uses a service hosted on the same IIS server, my question is, how can I restrict the use of this service, for that only registered users may use it, knowing that the service can be used by many clients (Android, iPhone, ...). what type of authentication I can use? to test the service I created a winform and I use an HttpWebRequest.
PS: I cant use https.
Thanks
Simplest way is to use asp.net compatibility mode. The WCF service call will result in the same preprocessing used for ASP.NET pages, including checking the ASP.NET auth and session cookies. You will also be able to check HttpContext, including httpcontext.current.user.identity.isauthenticated. If the user is not authenticated, throw an exception or return an error code. Here is some more information: http://msdn.microsoft.com/en-us/library/aa702682.aspx.
So if you are already using forms auth for your application, and the service should be called after a user has logged in to your application, you are set.
You can also create an authentication service. The service will allow the client to send a username / password, and will use ASP.NET authentication to authenticate the user. It will send back an auth cookie, and then you can check future service calls as above. See http://msdn.microsoft.com/en-us/library/bb386582.aspx.
I believe the authentication service can called using json. See How to Call .NET AuthenticationService from json client without ASP.NET.

Resources