authentication/authorization other than cookie in websocket

Question

authentication/authorization other than cookie in websocket

John0King opened this issue 6 years ago · comments

for example JwtBearer token authentication in websoket , how we impiliment ?
(can not set header with WebSocket in browser)

this is my thought of a flow:

client connect to server, and server response to tell client not authenticted [optional]
client do the authentication process and get an access_token.
client send the token to server via websocket
server get the token and do the validation (no api for this scenario)
do other thing

Is there a handler/validator for this scenario ? or should we design a common api for this scenario?

scenario :

HttpContext and HttpContext.User is not require this scenario .
raw string validation (cookie,header,bearer are all string values)
authorization policy support

Chris Ross · Answer 1 · Tue Oct 16 2018 12:03:07 GMT+0800 (China Standard Time)

The SignalR docs give an example where the access_token can be read from the query string.

Chris Ross · Answer 2 · Tue Oct 16 2018 12:06:17 GMT+0800 (China Standard Time)

To your other question, yes, all the token validation libraries we use in the auth handler are available to you to call directly.

john · Answer 3 · Tue Oct 16 2018 13:41:52 GMT+0800 (China Standard Time)

I see, by using querystring , it become a regular http request again.
I previously write a websocket program with authentite via websocket is self， and faild to do token validation and get user info from access_token (Id4 jwtbearer) . at the end I submit the subject Id inside websocket communication. that's why I ask