BrennanConroy
commented
4 years ago As part of this, we should talk about grabbing things like the access_token and placing it in a claim if the user wants to access that in the Hub.
Open analogrelay opened 5 years ago
BrennanConroy
commented
4 years ago As part of this, we should talk about grabbing things like the access_token and placing it in a claim if the user wants to access that in the Hub.
bfcamara
commented
3 years ago @BrennanConroy These recommendation still applies? When using HTTP protocols (Websockets, SSE, LongPolling), is it possible to not have a HttpContext inside the hub?
legistek
commented
1 month ago How can a server authenticate a user without the http context and access to the http headers used to initiate the connection initially if they're using a custom authentication mechanism? This makes it impossible for me to use the Azure SignalR service now, and would make it impossible for me to use SignalR at all if you told me in the future I can't get the Httpcontext anymore.
legistek
commented
1 month ago As part of this, we should talk about grabbing things like the access_token and placing it in a claim if the user wants to access that in the Hub.
If you can do that, then make the entire set of headers accessible?
We need Authorization and cookies at minimum, plus every frontend framework has a different X-XSRF mechanism that's usually header based.
You can't just put this stuff in the SignalR messages. With httponly cookies for example Javascript cannot access the token, by design.
We should have a document describing the complex interations between Hubs and
HttpContext.HttpContextviaContext.GetHttpContext()extension method, but it's not guaranteed to workIHttpContextAccessorshould be avoidedHttpContextso it's considered a good design practice to avoid usingHttpContextat all inHubs (to allow portability to non-HTTP transports)