Open analogrelay opened 5 years ago
As part of this, we should talk about grabbing things like the access_token and placing it in a claim if the user wants to access that in the Hub.
@BrennanConroy These recommendations still apply? When using HTTP protocols (WebSockets, SSE, LongPolling), is it possible to not have an HttpContext inside the hub?
How can a server authenticate a user without the HTTP context and access to the HTTP headers used to initiate the connection initially if they're using a custom authentication mechanism? This makes it impossible for me to use the Azure SignalR service now, and would make it impossible for me to use SignalR at all if you told me in the future I can't get the HttpContext anymore.
> As part of this, we should talk about grabbing things like the access_token and placing it in a claim if the user wants to access that in the Hub.
If you can do that, then make the entire set of headers accessible?
We need Authorization and cookies at minimum, plus every frontend framework has a different X-XSRF mechanism that's usually header based.
You can't just put this stuff in the SignalR messages. With httponly cookies for example JavaScript cannot access the token, by design.
We should have a document describing the complex interactions between Hubs and HttpContext.
HttpContext via Context.GetHttpContext() extension method, but it's not guaranteed to work
IHttpContextAccessor should be avoided
HttpContext so it's considered a good design practice to avoid using HttpContext at all in Hubs (to allow portability to non-HTTP transports)
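The access_token-in-a-claim idea raised in this thread, as an added example that is not code from the issue or from the SignalR project: the token is copied into the user's claims during JWT bearer authentication, while the HTTP request still exists, and the hub reads it from Context.User instead of calling Context.GetHttpContext(). The hub path /hubs/chat, the claim type "access_token", the ChatHub class and the Authority/Audience values are assumptions chosen for illustration.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.SignalR;
using Microsoft.IdentityModel.JsonWebTokens;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSignalR();
builder.Services.AddAuthorization();
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://idp.example.test"; // placeholder issuer (assumption)
        options.Audience = "chat-api";                  // placeholder audience (assumption)
        options.Events = new JwtBearerEvents
        {
            // Browser WebSocket/SSE requests cannot set an Authorization header,
            // so the SignalR client sends the token as ?access_token= on hub requests.
            OnMessageReceived = ctx =>
            {
                var token = ctx.Request.Query["access_token"];
                if (!string.IsNullOrEmpty(token) &&
                    ctx.HttpContext.Request.Path.StartsWithSegments("/hubs/chat"))
                    ctx.Token = token; // accept the query token only on the hub path
                return Task.CompletedTask;
            },
            // Runs after validation: copy the raw token into a claim for the hub.
            OnTokenValidated = ctx =>
            {
                // The concrete token type depends on the handler version in use.
                var raw = ctx.SecurityToken switch
                { JsonWebToken t => t.EncodedToken, JwtSecurityToken t => t.RawData, _ => null };
                // The claim now holds a bearer credential: never log or echo the claim set.
                if (raw is not null && ctx.Principal?.Identity is ClaimsIdentity id)
                    id.AddClaim(new Claim("access_token", raw));
                return Task.CompletedTask;
            }
        };
    });
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapHub<ChatHub>("/hubs/chat");
app.Run();

[Authorize]
public class ChatHub : Hub
{
    // No GetHttpContext(): the value comes from the connection's ClaimsPrincipal.
    public bool HasToken() => Context.User?.FindFirst("access_token") is not null;
}
```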