3

I was playing with the open authentication in MVC5 and SignalR. I use a javascript client to call a simple server method on SignalR and receive a reply from Server. It works well, but if I add the [Authorize] tag, it does not even call the server method (did not get any response while debugging).

My assumption was the server will use the Authentication mechanism to challenge the client. Am I missing anything? Do I have to manually authenticate the user from the client side and if so how do I pass the authentication token?

Here's my hub:

    [HubName("authChatHub")]
    public class AuthChatHub : Hub
    {
        [Authorize]
        public void Ping()
        {
            Clients.Caller.Pong("Connection is FINE!!");

            Clients.Caller.Pong(Context.User == null 
              ? "Null user" 
              : Context.User.Identity.IsAuthenticated.ToString());
        }
    }

Here's my Startup.Auth.cs

    public void ConfigureAuth(IAppBuilder app)
        {
           app.UseGoogleAuthentication();
        }

Here's the Startup.cs, using the code to enable CORS. 

public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app); //added this after a suggestion here, not sure if this is the right place. 

            app.Map("/signalr", map =>
            {
                map.UseCors(CorsOptions.AllowAll);
                var hubConfiguration = new HubConfiguration
                {
                    // EnableJSONP = true //empty for now
                };

                map.RunSignalR(hubConfiguration);
            });
        }
    }

And finally this client side code calls the hub method and listens to the server RPC. 

this.sendMessage = () => {
            this.authChat.server.ping();
        };
this.authChat.client.pong = (message) => { console.log(message); };
AD.Net
  • 13,352
  • 2
  • 28
  • 47

4 Answers4

2

You have to use Forms or windows authentication as you would use is any other asp.net application. Once you are authenticated your calls would work in the same way as they did before you putting [Authorize]attribute on the hub.

SignalR does not itself deal with authentication.

You will have to authenticate first then send the token to server, I think this link can help you achieve what you want to do.

Community
  • 1
  • 1
Shashank Chaturvedi
  • 2,756
  • 19
  • 29
  • 1
    It's exactly not what I want to do. – AD.Net Jan 21 '14 at 21:58
  • 2
    I had a long discussion on http://stackoverflow.com/questions/20272611/authorization-in-signalr-2-0/20912491#comment31397545_20912491 about signalr authentication and authorization. I can say signalR does not dwell in Authentication or Authorization. I have updated my answer above, hope it helps. You may also want to look at this post http://stackoverflow.com/questions/16190148/using-ajaxsetup-beforesend-for-basic-auth-is-breaking-signalr-connection . – Shashank Chaturvedi Jan 22 '14 at 09:17
1

you can add your authentication token into the querystring which will be passed into server when java script client initial the connection to signalr server.

client side: connection.qs = { 'Token' : 'your token string'};

server side: var Token = IRequest.QueryString["Token"];

CodeMonkey
  • 11
  • 1
0

You can use Bearer Token to authenticate and then track the authenticated user using a Cookie. Then, your SignalR requests will contain the cookie and SignalR stack will recognize the user and handle all your [Authorize] configurations

There is a sample here

Gustavo Armenta
  • 1,525
  • 12
  • 14
  • This will not work. At this moment, `AuthorizeEchoHub.cshtml` calls `startSignalR()` but there is no such method that accepts 0 arg – Motoko Aug 29 '16 at 23:59
-1

The Authorize attribute specified in the hub method will make it available only to authenticated users.

When you apply the Authorize attribute to a hub class, the specified authorization requirement is applied to all of the methods in the hub

http://www.asp.net/signalr/overview/signalr-20/security/hub-authorization

thepirat000
  • 12,362
  • 4
  • 46
  • 72
  • I've seen that page, what is not clear to me is how to authorize users in javascript client. – AD.Net Jan 18 '14 at 03:38
  • The million dollar question, what authentication scheme are you using? If the answer is "I don't know" then that's the problem. There's cookie based auth (forms auth), basic auth, windows auth.. the list goes on. Once you know what authentication scheme you're using then we can talk about the [Authorize] attribute. – davidfowl Jan 18 '14 at 07:32
  • I'm trying to use Google auth that comes with MVC5, I have the code in Startup.Auth.cs in the question. – AD.Net Jan 18 '14 at 16:14
  • Make sure you call MapSignalR after calling ConfigureAuth – davidfowl Jan 21 '14 at 09:34
  • @dfowler, I'll try it, but could you please explain how the auth should work. For a javascript client (e.g. html5/js app in mobile) do I have to authenticate and then add the token to the request header manually? – AD.Net Jan 21 '14 at 19:51
  • No, when you do the handshake (redirect to google and come back to your site) you should be authenticated. – davidfowl Jan 21 '14 at 20:41
  • @dfowler, I have added some extra code. Please take a look. I think I'm missing something somewhere. I expect when the client side calls the server.pong() the server should challenge the client to log in. As mentioned before it works without the authorize. – AD.Net Jan 21 '14 at 22:19
  • Ye, that assumption is completely wrong. Who is performing the challenge? – davidfowl Jan 22 '14 at 03:56