aspnet / Security

[Archived] Middleware for security and authorization of web apps. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

authentication/authorization other than cookie in websocket #1880

Closed John0King closed 5 years ago

John0King commented 5 years ago

For example, JwtBearer token authentication in WebSocket: how do we implement it? (We cannot set a header with WebSocket in the browser.)

This is my thought of a flow:

  1. The client connects to the server, and the server responds to tell the client it is not authenticated [optional]
  2. The client does the authentication process and gets an access_token.
  3. The client sends the token to the server via WebSocket
  4. The server gets the token and does the validation (no API for this scenario)
  5. Do other things

Is there a handler/validator for this scenario? Or should we design a common API for this scenario?

scenario :

Tratcher commented 5 years ago

The SignalR docs give an example where the access_token can be read from the query string.

Tratcher commented 5 years ago

To your other question, yes, all the token validation libraries we use in the auth handler are available to you to call directly.

John0King commented 5 years ago

I see, by using the query string, it becomes a regular HTTP request again. I previously wrote a WebSocket program that authenticated via the WebSocket itself, and failed to do token validation and get user info from the access_token (Id4 JwtBearer). In the end I submitted the subject Id inside the WebSocket communication. That's why I ask.
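
An added example (not part of the thread or of the aspnet/Security code base) of calling the token validation library directly on a token sent as the first WebSocket message, as in step 4 of the flow in the original post. The class name, authority URL and audience are assumptions; the signing keys come from the issuer's OpenID Connect discovery document.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net.WebSockets;
using System.Security.Claims;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public sealed class WebSocketTokenAuthenticator // hypothetical helper, not a framework type
{
    // Assumed values: replace with your own authority and API audience.
    private const string Authority = "https://idp.example.com";
    private const string Audience = "api1";
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _metadata =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            Authority + "/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    // Reads the first text frame as the access_token and validates it.
    // Returns null (caller should close the socket) when the frame or token is invalid.
    public async Task<ClaimsPrincipal> AuthenticateAsync(WebSocket socket, CancellationToken ct)
    {
        var buffer = new byte[8 * 1024]; // cap the token size; larger messages are rejected
        var result = await socket.ReceiveAsync(new ArraySegment<byte>(buffer), ct);
        if (result.MessageType != WebSocketMessageType.Text || !result.EndOfMessage)
            return null;

        var token = Encoding.UTF8.GetString(buffer, 0, result.Count);
        var config = await _metadata.GetConfigurationAsync(ct);
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = config.Issuer,
            ValidAudience = Audience,
            IssuerSigningKeys = config.SigningKeys, // signature checked against the issuer's published keys
            ClockSkew = TimeSpan.FromMinutes(1)
        };
        try
        {
            return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
        {
            return null; // expired, wrong issuer/audience, bad signature or malformed token
        }
    }
}
```

On a null result, close the socket (for example with `WebSocketCloseStatus.PolicyViolation`) before processing any other message, and pass a `CancellationToken` with a short timeout so unauthenticated connections cannot stay open.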