Authentication with SignalR and OAuth Bearer Token

Authenticating connections to SignalR is not as easy as you would expect. In many scenarios authentication mechanisms use the Authorize header in HTTP request. The problem is, that SignalR does not explicitly support headers, because Web Sockets – one of the transports used in browsers – does not support them. So if your authentication mechanism requires any form of headers being sent, you need to go another way with SignalR.

In this post I would like to describe a way to use the OAuth Bearer Token authentication with SignalR by passing the token over a cookie into SignalR pipeline. To show how to do this, I’m going to create a chat application (as if world needs another SignalR chat sample!) The application requires user to authenticate in order to send messages. If not authenticated, the user can see only fragments of messages sent by other people, and he is not able to see who the sender is.

When anonymous:

After signing in:

You can find full sample code here.

We’re going to use the Microsoft’s OWIN Security and ASP.NET Identity libraries for this sample. The easiest way to get started is to create new ASP.NET project in VS 2013 and include the WebAPI and Individual Accounts security option. Then add SignalR NuGet package. This gives us:

  • User management system with REST API access
  • Bearer OAuth flow for authentication
  • Possibility to use external login providers (although I’m not going to cover this scenario in the sample)
  • And of course possibility to use SignalR

Now let’s implement the SignalR hub:

public class ChatHub : Hub
{
public override Task OnConnected()
{
AssignToSecurityGroup();
Greet(); return base.OnConnected();
} private void AssignToSecurityGroup()
{
if (Context.User.Identity.IsAuthenticated)
Groups.Add(Context.ConnectionId, "authenticated");
else
Groups.Add(Context.ConnectionId, "anonymous");
} private void Greet()
{
var greetedUserName = Context.User.Identity.IsAuthenticated ?
Context.User.Identity.Name :
"anonymous"; Clients.Client(Context.ConnectionId).OnMessage(
"[server]", "Welcome to the chat room, " + greetedUserName);
} public override Task OnDisconnected()
{
RemoveFromSecurityGroups();
return base.OnDisconnected();
} private void RemoveFromSecurityGroups()
{
Groups.Remove(Context.ConnectionId, "authenticated");
Groups.Remove(Context.ConnectionId, "anonymous");
} [Authorize]
public void SendMessage(string message)
{
if(string.IsNullOrEmpty(message))
return; BroadcastMessage(message);
} private void BroadcastMessage(string message)
{
var userName = Context.User.Identity.Name; Clients.Group("authenticated").OnMessage(userName, message); var excerpt = message.Length <= 3 ? message : message.Substring(0, 3) + "...";
Clients.Group("anonymous").OnMessage("[someone]", excerpt);
}
}

The hub utilizes the OnConnect and OnDisconnect methods to assign a connection to one of the security groups: authenticated or anonymous. When broadcasting a message, anonymous connections get limited information,  while authenticated ones get the whole thing. User context can be accessed via Context.User property which retrieves current IPrincipal from OWIN context. The SendMessage hub method is only available to authenticated connections, because of the Authorize attribute.

Please note, that when using SignalR groups for security purposes, you may have to handle reconnect scenarios as described here.

We’re going to assume, that some users are already registered in the application. See the auto-generated API help page for information on how to do this. Now, in order to authenticate the connection, we need to:

  • Call the token endpoint to get the bearer token for username / password combination.
  • Use the token when connecting to SignalR hub.

We’re going to implement the second part by using a cookie. The cookie approach has a problem: when opening a new browser tab, the same cookie will be used. You can’t sign in as two different users with one browser by default. Another approach would be to pass the token in a query string. Query string removes the cookie limitation, but can pose a security threat: query strings tend to be stored in web server logs (or exposed in other ways even when using SSL). There is a risk of  someone intercepting the tokens. You need to select an approach that fits your scenario best.

The default OAuth bearer flow implementation you get from OWIN Security only looks at the Authorization HTTP header to find the bearer token. Fortunately you can plug some additional logic by implementing the OAuthBearerAuthenticationProvider.

public class ApplicationOAuthBearerAuthenticationProvider
: OAuthBearerAuthenticationProvider
{
public override Task RequestToken(OAuthRequestTokenContext context)
{
if (context == null) throw new ArgumentNullException("context"); // try to find bearer token in a cookie
// (by default OAuthBearerAuthenticationHandler
// only checks Authorization header)
var tokenCookie = context.OwinContext.Request.Cookies["BearerToken"];
if (!string.IsNullOrEmpty(tokenCookie))
context.Token = tokenCookie;
return Task.FromResult<object>(null);
} }

In the RequestToken method override we look for cookie named “BearerToken”. This cookie will be set by the client code, which I’ll show in a bit.

// EDIT: There is also ValidateIdentity override copied over from ApplicationOAuthBearerProvider private class within OWIN Security components (not sure why it is private in the first place). So basically we replicate the functionality of validating the identity, while including additional token lookup in cookies. The ValidateIdentity method is not relevant for the presented scenario

Now, to use the new component, in Startup.Auth.cs we will change implementation of the ConfigureAuth method:

public void ConfigureAuth(IAppBuilder app)
{
//app.UseCookieAuthentication(new CookieAuthenticationOptions());
//app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie); //app.UseOAuthBearerTokens(OAuthOptions); app.UseOAuthAuthorizationServer(OAuthOptions); app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
Provider = new ApplicationOAuthBearerAuthenticationProvider(),
});
}

First, we turn off cookie based authentication. You may want to leave it on for MVC support. For this example, it’s not needed. Then we turn off external sign in providers, as this is not supported by the sample. In order to pass our own instance of OAuthBearerAuthenticationProvider, we have to ommit the UseOAuthBearerToken helper method, as it uses the private class implementation I mentioned earlier by default. Instead, we do two things:

  • configure authorization server (it is responsible for issuing tokens)
  • and configure bearer authentication passing in a new instance of our provider class

We’re good on the server side now. What about the client side?

First the function that is responsible for getting the token:

function signIn(userName, password) {
return $.post("/token", { grant_type: "password", username: userName, password: password })
.done(function(data) {
if (data && data.access_token) {
chatHub.useBearerToken(data.access_token);
toastr.success("Login successful");
}
})
.fail(function(xhr) {
if (xhr.status == 400) {
toastr.error("Invalid user name or password");
} else {
toastr.error("Unexpected error while signing in");
}
});
}

We need to do an URL encoded form post with grant_type field set to “password” and  also include the username and password. If login fails, we get HTTP 400 status. If it is successful however, we get JSON response with access_token containing the bearer token.  That token is passed into the chat hub wrapper class, which looks like this:

var ChatHubWrapper = function() {
var self = this;
var chat = null;
var isStarted = false;
var onMessageCallback = function() {}; self.start = function() {
chat = $.connection.chatHub;
chat.client.onMessage = onMessageCallback;
return $.connection.hub.start()
.done(function() { isStarted = true; }); }; self.stop = function() {
isStarted = false;
chat = null;
return $.connection.hub.stop();
}; self.sendMessage = function(message) {
if (isStarted) {
chat.server.sendMessage(message);
};
}; self.onMessage = function(callback) {
onMessageCallback = callback;
if (isStarted)
chat.client.onMessage = onMessageCallback;
}; self.useBearerToken = function (token) {
var wasStarted = isStarted; if (isStarted)
// restart, so that connection is assigned to correct group
self.stop(); setTokenCookie(token); if (wasStarted)
self.start();
}; function setTokenCookie(token) {
if (token)
document.cookie = "BearerToken=" + token + "; path=/";
} self.clearAuthentication = function () {
document.cookie = "BearerToken=; path=/; expires=" + new Date(0).toUTCString();
} };

This class wraps chat hub functionality and facilitates creation of the authentication cookie with the bearer token. OWIN Security components will take care of  authenticating connections based on the token. As you can see, the connection to the hub needs to be restarted, so that it is put into “authenticated” group. There is one small problem: here we don’t actually wait for the hub to stop before we start it again. That may case some internal HTTP 403 errors in SignalR since it detects change of authentication status on an existing connection. However this error is not surfaced to the user. In order to get rid of this, you need to implement waiting for the disconnect to complete.

And this is pretty much it.  We have an authenticated connection to SignalR using a OAuth Bearer Token. The same token can be used to authenticate WebAPI calls (in this case you can use the Authorization HTTP header). Please bear in mind, that in this sample I used the default token expiration time, which is 14 days (this is what new project wizard generates in VS 2013). Also refresh token is not supported in this sample. For more advanced scenarios you may want to implement refresh token support and shorten the expiration period.

You can find the full sample on Github.

Authentication with SignalR and OAuth Bearer Token的更多相关文章

  1. OAuth 2.0: Bearer Token Usage

    Bearer Token (RFC 6750) 用于HTTP请求授权访问OAuth 2.0资源,任何Bearer持有者都可以无差别地用它来访问相关的资源,而无需证明持有加密key.一个Bearer代表 ...

  2. The OAuth 2.0 Authorization Framework: Bearer Token Usage

    https://tools.ietf.org/html/rfc6750 1.2. Terminology Bearer Token A security token with the property ...

  3. Bearer Token & OAuth 2.0

    Bearer Token & OAuth 2.0 access token & refresh token http://localhost:8080/#/login HTTP Aut ...

  4. OAuth 2.0:Bearer Token、MAC Token区别

    Access Token 类型介绍 介绍两种类型的Access Token:Bearer类型和MAC类型 区别项 Bearer Token MAC Token 1 (优点) 调用简单,不需要对请求进行 ...

  5. Bearer Token的加密解密规则(OAuth中间件)

    在OAuthBearerAuthenticationMiddleware中使用Microsoft.Owin.Security.DataHandler. SecureDataFormat<TDat ...

  6. Postman 发送 Bearer token

    Bearer Token (RFC 6750) 用于OAuth 2.0授权访问资源,任何Bearer持有者都可以无差别地用它来访问相关的资源,而无需证明持有加密key.一个Bearer代表授权范围.有 ...

  7. OpenShift 如何获取bearer Token以便进行各种API调用

    Openshift 需要通过bearer token的方式和API进行调用,比如基于Postman就可以了解到,输入bearer token后 1.如何获取Bearer Token 但Bearer T ...

  8. 接口认证方式:Bearer Token

    因为HTTP协议是开放的,可以任人调用.所以,如果接口不希望被随意调用,就需要做访问权限的控制,认证是好的用户,才允许调用API. 目前主流的访问权限控制/认证模式有以下几种: 1),Bearer T ...

  9. Spring Security OAuth 格式化 token 输出

    个性化token 背景 上一篇文章<Spring Security OAuth 个性化token(一)>有提到,oauth2.0 接口默认返回的报文格式如下: {     "ac ...

随机推荐

  1. 【tyvj】P1049 最长不下降子序列

    时间: 1000ms / 空间: 131072KiB / Java类名: Main 描述 求最长不下降子序列的长度 输入格式 第一行为n,表示n个数 第二行n个数 输出格式 最长不下降子序列的长度 测 ...

  2. cojs 简单的求和问题 解题报告

    一个上午写了两个数据生成器,三个暴力和两个正解以及一个未竣工的伪正解思路 真是累死本宝宝了 首先这个题目暴力我的数据是有很多良心分的 但是不同的暴力拿到的分数也会有所差距,由于是题解就不说暴力怎么写了 ...

  3. 欧拉工程第66题:Diophantine equation

    题目链接 脑补知识:佩尔方差 上面说的貌似很明白,最小的i,对应最小的解 然而我理解成,一个循环的解了,然后就是搞不对,后来,仔细看+手工推导发现了问题.i从0开始变量,知道第一个满足等式的解就是最小 ...

  4. 69. Sqrt(x)

    题目: Implement int sqrt(int x). Compute and return the square root of x. 链接:   http://leetcode.com/pr ...

  5. openfire开发

    openfire github地址:https://github.com/igniterealtime/Openfire 1.下载源代码:http://www.igniterealtime.org/d ...

  6. (三)C#关于txt文件的读取和写入

    using System; using System.Collections.Generic; using System.IO; using System.Linq; using System.Tex ...

  7. ubuntu下文件压缩/解压缩命令总结

    .gz 解压1:gunzip FileName.gz 解压2:gzip -d FileName.gz 压缩:gzip FileName .tar.gz 解压:tar zxvf FileName.tar ...

  8. 函数rec_get_nth_field_offs_old

    /************************************************************//** The following function is used to ...

  9. bzoj2482

    还是像以前那样维护下次出现位置,计算影响 其实不难,思维盲点,受到做最大子段和的影响 其实这里可以直接维护当前每个位置的子段和,再记录一个历史最大和 当然tag也需要记录当前tag和历史(距离上次pu ...

  10. UVa 12563 (01背包) Jin Ge Jin Qu hao

    如此水的01背包,居然让我WA了七次. 开始理解错题意了,弄反了主次关系.总曲目最多是大前提,其次才是歌曲总时间最长. 题意: 在KTV房间里还剩t秒的时间,可以从n首喜爱的歌里面选出若干首(每首歌只 ...