authentication/authorization other than cookie in websocket
John0King opened this issue · comments
For example, JwtBearer token authentication in websocket: how do we implement it? (cannot set headers with `WebSocket` in the browser)
This is my thought of a flow:
- client connects to the server, and the server responds to tell the client it is not authenticated [optional]
- client does the authentication process and gets an `access_token`
- client sends the token to the server via websocket
- server gets the token and does the validation (no API for this scenario)
- do other things
Is there a handler/validator for this scenario? Or should we design a common API for this scenario?
Scenario:
- `HttpContext` and `HttpContext.User` are not required in this scenario.
- raw string validation (cookie, header, bearer are all string values)
- authorization policy support
The SignalR docs give an example where the access_token can be read from the query string.
To your other question, yes, all the token validation libraries we use in the auth handler are available to you to call directly.
I see, by using the query string, it becomes a regular HTTP request again.
I previously wrote a websocket program with authentication via the websocket itself, and failed to do token validation and get user info from the access_token (Id4 jwtbearer). In the end I submitted the subject Id inside the websocket communication. That's why I ask.