
Comments (13)

brockallen avatar brockallen commented on June 7, 2024

Can you explain more or provide more details of what's not working?

from samples.

dineshgade avatar dineshgade commented on June 7, 2024

The [Authorize] attribute is denying access to the API resource. Is there a way to find out whether the request has gone to the Identity Server from the API, and it responded with Deny?


brockallen avatar brockallen commented on June 7, 2024

And you're saying that our quickstart sample does not work?

And a 401 generally means the token was not sent, it has expired, or is malformed/not trusted.


gadedineshreddy avatar gadedineshreddy commented on June 7, 2024

The sample application works. When the Api is a SignalR hub it is not working. Working fine with Web Api.


brockallen avatar brockallen commented on June 7, 2024

When the Api is a SignalR hub it is not working

SignalR endpoints are not Web API endpoints -- they work differently, and this quickstart does not show how to authenticate to web socket endpoints. We don't have a SignalR sample, since web sockets don't allow passing the authorize request header, so the recommendation is to have your app use a cookie.


dineshgade avatar dineshgade commented on June 7, 2024

The token is being passed as a query string parameter and the context is set in the OnMessageReceived JwtBearer event. I hope a cookie is used to do the same thing. Can a sample SignalR application implementation with Duende be added to the Sample projects?

```csharp
services.AddAuthentication(options =>
    {
        // Identity made Cookie authentication the default.
        // However, we want JWT Bearer Auth to be the default.
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    //.AddIdentityServerJwt()
    .AddJwtBearer("Bearer", options =>
    {
        options.Authority = Configuration["AppSettings:IdentityServiceUrl"];
        options.IncludeErrorDetails = true;
        options.Audience = "Hub";

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateAudience = false,
            //ValidateIssuerSigningKey = false,
            //ValidateIssuer = false
        };

        options.Events = new JwtBearerEvents
        {
            OnMessageReceived = context =>
            {
                // Is token in Querystring?
                var accessToken = context.Request.Query["access_token"];

                if (!string.IsNullOrWhiteSpace(accessToken))
                {
                    var path = context.HttpContext.Request.Path;
                    if (path.StartsWithSegments("/tradehub"))
                    {
                        // Read the token out of the query string
                        context.Token = accessToken;
                    }
                }
                return Task.CompletedTask;
            },
            OnChallenge = context =>
            {
                context.HandleResponse();
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                context.Response.ContentType = "application/json";

                // Ensure we always have an error and error description.
                if (string.IsNullOrEmpty(context.Error))
                    context.Error = "invalid_token";
                if (string.IsNullOrEmpty(context.ErrorDescription))
                    context.ErrorDescription = "This request requires a valid JWT access token to be provided";

                // Add some extra context for expired tokens.
                if (context.AuthenticateFailure != null && context.AuthenticateFailure.GetType() == typeof(SecurityTokenExpiredException))
                {
                    var authenticationException = context.AuthenticateFailure as SecurityTokenExpiredException;
                    context.Response.Headers.Add("x-token-expired", authenticationException.Expires.ToString("o"));
                    context.ErrorDescription = $"The token expired on {authenticationException.Expires.ToString("o")}";
                }

                return context.Response.WriteAsync(JsonSerializer.Serialize(new
                {
                    error = context.Error,
                    error_description = context.ErrorDescription
                }));
            }
        };
    });
```


brockallen avatar brockallen commented on June 7, 2024

Given that access tokens and OIDC/OAuth2 are really orthogonal to SignalR, I'm not sure we need a sample. What do the Microsoft docs show for how to authenticate? I'd imagine they use the cookie authentication handler. If you can find a link to what they propose, that would be helpful.


dineshgade avatar dineshgade commented on June 7, 2024

Following the Microsoft documentation guidelines:
https://docs.microsoft.com/en-us/aspnet/core/signalr/authn-and-authz?view=aspnetcore-5.0


brockallen avatar brockallen commented on June 7, 2024

I'm surprised they show using access tokens in those docs, as access tokens sent in query params are bad practice and forbidden by OAuth: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05#section-5.2.1


brockallen avatar brockallen commented on June 7, 2024

Hi @dineshgade -- where do we stand on this issue? Is there still a request for us here?


dineshgade avatar dineshgade commented on June 7, 2024

Yes. Still trying to figure out what's missing. If you could provide a sample, that would be great.


brockallen avatar brockallen commented on June 7, 2024

Sample for what? SignalR accepting access tokens? I'm not sure that's what I'd recommend, to be honest.


brockallen avatar brockallen commented on June 7, 2024

Given that SignalR is based on web sockets and that you can't pass an authorization header, and that access tokens are forbidden from being used in URLs, and that Microsoft already has some docs on this, I don't think we should be putting out a sample at this time.

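The cookie-based hub setup recommended in this thread, as an added example that is not code from the thread or from the Duende samples. It assumes the Web SDK's implicit usings, reuses the "/tradehub" path and the "AppSettings:IdentityServiceUrl" key from the posted snippet, names a hypothetical TradeHub, and expects the cookie to be issued by the app's own interactive sign-in (an OpenID Connect login against the same Identity Server, not shown):

```csharp
// Added example, not from the thread or the Duende samples. Assumes Web SDK implicit usings;
// "/tradehub" and the config key come from the posted snippet; TradeHub is hypothetical;
// the cookie is issued by the app's own interactive sign-in (OIDC login, not shown).
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.SignalR;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
    {
        // Bearer stays the default so ordinary API calls behave as in the quickstart.
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(options =>
    {
        options.Authority = builder.Configuration["AppSettings:IdentityServiceUrl"];
        options.Audience = "Hub";
        // No OnMessageReceived hook: the token is only read from the Authorization header.
    })
    .AddCookie(options =>
    {
        options.Cookie.HttpOnly = true;                          // not readable by script
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // TLS only
        options.Cookie.SameSite = SameSiteMode.Lax;              // no cross-site XHR/WebSocket
        // A hub is not a browser page: answer 401 rather than redirecting to a login page.
        options.Events.OnRedirectToLogin = ctx =>
        {
            ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return Task.CompletedTask;
        };
    });

builder.Services.AddAuthorization();
builder.Services.AddSignalR();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapHub<TradeHub>("/tradehub");
app.Run();

// The hub opts out of the JWT default and requires the cookie scheme; the browser
// attaches that cookie to the WebSocket upgrade, so no token ever appears in a URL.
[Authorize(AuthenticationSchemes = CookieAuthenticationDefaults.AuthenticationScheme)]
public class TradeHub : Hub
{
    public Task Echo(string message) =>
        Clients.Caller.SendAsync("Echo", $"{Context.UserIdentifier}: {message}");
}
```

Because the hub never reads a token from the query string, nothing secret reaches access logs or browser history, while the rest of the API keeps the header-only bearer behaviour of the quickstart.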
