
We are using the built-in OWIN OAuth server functionality to generate Bearer tokens. We have them working with ASP.NET Web API but are not sure how to get them working with SignalR (and an AngularJS JavaScript client). How do we use Bearer tokens with SignalR for authentication and authorization? I have not seen any really good, clear answers on how to achieve this.

Thanks in advance.

user1870738

1 Answer


Unfortunately, the JS WebSocket API does not make it possible to set custom headers.

However, it should be possible to add the bearer token to the query string of all SignalR requests, including the WebSocket requests.

$.connection.hub.qs = { 'access_token' : accessToken };

Once you do this, you could create a custom OAuthBearerAuthenticationProvider to pull the token from the query string.

halter73
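A worked server-side version of the approach in this answer, added here as an example and not halter73's own code: the custom provider falls back to the access_token query-string parameter (the one $.connection.hub.qs puts on every SignalR request) only when no Authorization header carried a token, and the SignalR branch under /signalr is mapped with its own bearer middleware so that query-string tokens are accepted nowhere else. The namespace, the ChatHub hub and the fact that the OWIN OAuth authorization server (the thing that issues the tokens the Web API side already consumes) is registered elsewhere in Startup are assumptions; the calls used (OAuthBearerAuthenticationProvider.RequestToken, OAuthRequestTokenContext.Token, IAppBuilder.Map, RunSignalR) are the Katana and SignalR 2.x APIs.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNet.SignalR;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(SignalRBearerExample.Startup))]

namespace SignalRBearerExample
{
    // Bearer provider that accepts the token from the access_token query-string
    // parameter (set on the client via $.connection.hub.qs) when the browser
    // could not send an Authorization header, as is the case for WebSockets.
    public class QueryStringOAuthBearerProvider : OAuthBearerAuthenticationProvider
    {
        public override Task RequestToken(OAuthRequestTokenContext context)
        {
            // context.Token already holds a token parsed from "Authorization: Bearer ..."
            // if one was sent; only consult the query string when it is empty.
            if (string.IsNullOrEmpty(context.Token))
            {
                string token = context.Request.Query.Get("access_token");
                if (!string.IsNullOrEmpty(token))
                {
                    context.Token = token;
                }
            }
            return Task.FromResult<object>(null);
        }
    }

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Assumption: the OWIN OAuth authorization server that issues the tokens
            // (app.UseOAuthAuthorizationServer(...)) and the bearer middleware the
            // Web API pipeline already uses are registered here as before.

            // Only the SignalR branch gets the query-string fallback; the rest of the
            // application keeps reading the token from the Authorization header only.
            app.Map("/signalr", map =>
            {
                map.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
                {
                    Provider = new QueryStringOAuthBearerProvider()
                });

                // Everything past this point runs with the principal the bearer
                // middleware established (or anonymous if the token was missing or invalid).
                map.RunSignalR();
            });
        }
    }

    // [Authorize] rejects connections and hub calls that have no authenticated
    // principal; the middleware above is what provides one from the token.
    [Authorize]
    public class ChatHub : Hub
    {
        public void Send(string message)
        {
            Clients.All.addMessage(Context.User.Identity.Name, message);
        }
    }
}
```

The query-string path changes only where the token is read from, not how it is checked: the middleware still unprotects the ticket with the same data protection the authorization server used and still refuses an expired ExpiresUtc before the hub's [Authorize] ever sees a principal, so a client cannot mint or extend a token by putting it in the URL. If a single middleware is preferred, the same provider can be passed to the existing app.UseOAuthBearerAuthentication call instead of the mapped branch, at the cost of accepting URL-carried credentials for every request.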
  • Using the custom qs provider worked. But once the WebSocket connection was authorized it didn't expire. Using long polling instead works with the same header as Web API and expires the same way. – Stonetip Nov 05 '14 at 22:17
  • @halter73 This works, but I have a security concern: an attacker who reads the query string knows the access_token. Can't he use it to forge requests on behalf of the legitimate user? – pomarc Jul 28 '15 at 10:18
  • @pomarc Correct. Fortunately, with HTTPS, the query string is encrypted just like headers. Still, you bring up a good point. Sometimes query strings are logged by the server while most headers aren't. This could be one reason to avoid putting credentials in the query string. – halter73 Jul 30 '15 at 23:16
  • @pomarc A solution to this problem that I've implemented is to add the IP address into the access_token as a claim, and then validate on the server that the access_token IP address matches the request IP address. – Matt Jun 22 '17 at 23:08
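Matt's IP-binding idea from the comments, written out as an added example rather than Matt's or halter73's code: the authorization server provider stamps the requester's address into the ticket as a claim when the token is granted (inside the protected ticket, where the client cannot edit it), and a bearer provider rejects any token presented from a different address. The claim type name, the namespace and the in-memory user table are assumptions made for the example; the provider callbacks (GrantResourceOwnerCredentials, ValidateIdentity, IOwinRequest.RemoteIpAddress) are the Katana ones.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

namespace SignalRBearerExample
{
    public static class ClientIpClaim
    {
        // Hypothetical claim type; any URI-style name unique to the application works.
        public const string Type = "urn:example:client_ip";
    }

    // Issuing side: when the OAuth server grants a token, record the address the
    // request came from inside the protected ticket.
    public class IpBindingAuthorizationServerProvider : OAuthAuthorizationServerProvider
    {
        // Constructed sample user store for the example; a real application checks
        // credentials against its user database (with hashed passwords).
        private static readonly Dictionary<string, string> Users =
            new Dictionary<string, string> { { "alice", "correct horse battery staple" } };

        public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            // A browser client is a public client: there is no client secret to verify.
            context.Validated();
            return Task.FromResult<object>(null);
        }

        public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            string expected;
            if (!Users.TryGetValue(context.UserName, out expected) || expected != context.Password)
            {
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return Task.FromResult<object>(null);
            }

            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
            // RemoteIpAddress is the peer address as the OWIN host sees it.
            identity.AddClaim(new Claim(ClientIpClaim.Type, context.Request.RemoteIpAddress));

            context.Validated(identity);
            return Task.FromResult<object>(null);
        }
    }

    // Validating side: by the time ValidateIdentity runs, the bearer middleware has
    // already unprotected the ticket and checked its expiry; here the token is also
    // rejected if it is presented from an address other than the one it was issued to.
    public class IpBindingBearerProvider : OAuthBearerAuthenticationProvider
    {
        public override Task ValidateIdentity(OAuthValidateIdentityContext context)
        {
            Claim bound = context.Ticket.Identity.FindFirst(ClientIpClaim.Type);
            if (bound == null || bound.Value != context.Request.RemoteIpAddress)
            {
                // Rejected() clears the validated state, so the request proceeds
                // unauthenticated and [Authorize] turns it away.
                context.Rejected();
            }
            return Task.FromResult<object>(null);
        }
    }
}
```

The issuing provider is passed as the Provider of OAuthAuthorizationServerOptions and the validating one as the Provider of OAuthBearerAuthenticationOptions; to combine it with the query-string fallback for SignalR, give one OAuthBearerAuthenticationProvider subclass both the RequestToken and the ValidateIdentity override. Two limits are worth knowing before relying on this check: a client whose address changes mid-session (mobile networks, NAT pools) loses its token, and behind a reverse proxy RemoteIpAddress is the proxy's address for every client, which makes the comparison vacuous unless the forwarded-for header from a trusted proxy is what gets recorded and compared.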