Authentification SignalR avec jeton de support API Web
+ j'ai utilisé cette solution pour implémenter l'authentification basée sur les jetons en utilisant ASP.NET Web API 2, Owin et Identity ... qui a très bien fonctionné. J'ai utilisé ceci autre solution et cela pour implémenter l'autorisation et l'authentification des concentrateurs signalR en passant le jeton de support à travers une chaîne de connexion, mais il semble que le jeton de support ne fonctionne pas ou que quelque chose d'autre ne va pas quelque part, ce qui c'est pourquoi je cherche de l'aide ... ce sont mes codes ... QueryStringBearerAuthorizeAttribute: c'est la classe en charge de la vérification
using ImpAuth.Entities;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
namespace ImpAuth.Providers
{
using System.Security.Claims;
using Microsoft.AspNet.SignalR;
using Microsoft.AspNet.SignalR.Hubs;
using Microsoft.AspNet.SignalR.Owin;
public class QueryStringBearerAuthorizeAttribute : AuthorizeAttribute
{
public override bool AuthorizeHubConnection(HubDescriptor hubDescriptor, IRequest request)
{
var token = request.QueryString.Get("Bearer");
var authenticationTicket = Startup.AuthServerOptions.AccessTokenFormat.Unprotect(token);
if (authenticationTicket == null || authenticationTicket.Identity == null || !authenticationTicket.Identity.IsAuthenticated)
{
return false;
}
request.Environment["server.User"] = new ClaimsPrincipal(authenticationTicket.Identity);
request.Environment["server.Username"] = authenticationTicket.Identity.Name;
request.GetHttpContext().User = new ClaimsPrincipal(authenticationTicket.Identity);
return true;
}
public override bool AuthorizeHubMethodInvocation(IHubIncomingInvokerContext hubIncomingInvokerContext, bool appliesToMethod)
{
var connectionId = hubIncomingInvokerContext.Hub.Context.ConnectionId;
// check the authenticated user principal from environment
var environment = hubIncomingInvokerContext.Hub.Context.Request.Environment;
var principal = environment["server.User"] as ClaimsPrincipal;
if (principal != null && principal.Identity != null && principal.Identity.IsAuthenticated)
{
// create a new HubCallerContext instance with the principal generated from token
// and replace the current context so that in hubs we can retrieve current user identity
hubIncomingInvokerContext.Hub.Context = new HubCallerContext(new ServerRequest(environment), connectionId);
return true;
}
return false;
}
}
}
et c'est ma classe de démarrage ....
using ImpAuth.Providers;
using Microsoft.AspNet.SignalR;
using Microsoft.Owin;
using Microsoft.Owin.Cors;
using Microsoft.Owin.Security.Facebook;
using Microsoft.Owin.Security.Google;
//using Microsoft.Owin.Security.Facebook;
//using Microsoft.Owin.Security.Google;
using Microsoft.Owin.Security.OAuth;
using Owin;
using System;
using System.Collections.Generic;
using System.Data.Entity;
using System.Linq;
using System.Web;
using System.Web.Http;
[Assembly: OwinStartup(typeof(ImpAuth.Startup))]
namespace ImpAuth
{
public class Startup
{
public static OAuthAuthorizationServerOptions AuthServerOptions;
static Startup()
{
AuthServerOptions = new OAuthAuthorizationServerOptions
{
AllowInsecureHttp = true,
TokenEndpointPath = new PathString("/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
Provider = new SimpleAuthorizationServerProvider()
// RefreshTokenProvider = new SimpleRefreshTokenProvider()
};
}
public static OAuthBearerAuthenticationOptions OAuthBearerOptions { get; private set; }
public static GoogleOAuth2AuthenticationOptions googleAuthOptions { get; private set; }
public static FacebookAuthenticationOptions facebookAuthOptions { get; private set; }
public void Configuration(IAppBuilder app)
{
//app.MapSignalR();
ConfigureOAuth(app);
app.Map("/signalr", map =>
{
// Setup the CORS middleware to run before SignalR.
// By default this will allow all origins. You can
// configure the set of origins and/or http verbs by
// providing a cors options with a different policy.
map.UseCors(CorsOptions.AllowAll);
var hubConfiguration = new HubConfiguration
{
// You can enable JSONP by uncommenting line below.
// JSONP requests are insecure but some older browsers (and some
// versions of IE) require JSONP to work cross domain
//EnableJSONP = true
EnableDetailedErrors = true
};
// Run the SignalR pipeline. We're not using MapSignalR
// since this branch already runs under the "/signalr"
// path.
map.RunSignalR(hubConfiguration);
});
HttpConfiguration config = new HttpConfiguration();
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
WebApiConfig.Register(config);
app.UseWebApi(config);
}
public void ConfigureOAuth(IAppBuilder app)
{
//use a cookie to temporarily store information about a user logging in with a third party login provider
app.UseExternalSignInCookie(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie);
OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
{
AllowInsecureHttp = true,
TokenEndpointPath = new PathString("/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
Provider = new SimpleAuthorizationServerProvider()
};
// Token Generation
app.UseOAuthAuthorizationServer(OAuthServerOptions);
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
//Configure Google External Login
googleAuthOptions = new GoogleOAuth2AuthenticationOptions()
{
ClientId = "1062903283154-94kdm6orqj8epcq3ilp4ep2liv96c5mn.apps.googleusercontent.com",
ClientSecret = "rv5mJUz0epWXmvWUAQJSpP85",
Provider = new GoogleAuthProvider()
};
app.UseGoogleAuthentication(googleAuthOptions);
//Configure Facebook External Login
facebookAuthOptions = new FacebookAuthenticationOptions()
{
AppId = "CHARLIE",
AppSecret = "xxxxxx",
Provider = new FacebookAuthProvider()
};
app.UseFacebookAuthentication(facebookAuthOptions);
}
}
}
et ceci est le knockout plus le code jquery sur le client ....
function chat(name, message) {
self.Name = ko.observable(name);
self.Message = ko.observable(message);
}
function viewModel() {
var self = this;
self.chatMessages = ko.observableArray();
self.sendMessage = function () {
if (!$('#message').val() == '' && !$('#name').val() == '') {
$.connection.hub.qs = { Bearer: "yyCH391w-CkSVMv7ieH2quEihDUOpWymxI12Vh7gtnZJpWRRkajQGZhrU5DnEVkOy-hpLJ4MyhZnrB_EMhM0FjrLx5bjmikhl6EeyjpMlwkRDM2lfgKMF4e82UaUg1ZFc7JFAt4dFvHRshX9ay0ziCnuwGLvvYhiriew2v-F7d0bC18q5oqwZCmSogg2Osr63gAAX1oo9zOjx5pe2ClFHTlr7GlceM6CTR0jz2mYjSI" };
$.connection.hub.start().done(function () {
$.connection.hub.qs = { Bearer: "yyCH391w-CkSVMv7ieH2quEihDUOpWymxI12Vh7gtnZJpWRRkajQGZhrU5DnEVkOy-hpLJ4MyhZnrB_EMhM0FjrLx5bjmikhl6EeyjpMlwkRDM2lfgKMF4e82UaUg1ZFc7JFAt4dFvHRshX9ay0ziCnuwGLvvYhiriew2v-F7d0bC18q5oqwZCmSogg2Osr63gAAX1oo9zOjx5pe2ClFHTlr7GlceM6CTR0jz2mYjSI" };
$.connection.impAuthHub.server.sendMessage($('#name').val(), $('#message').val())
.done(function () { $('#message').val(''); $('#name').val(''); })
.fail(function (e) { alert(e) });
});
}
}
$.connection.impAuthHub.client.newMessage = function (NAME, MESSAGE) {
//alert(ko.toJSON(NAME, MESSAGE));
var chat1 = new chat(NAME, MESSAGE);
self.chatMessages.Push(chat1);
}
}
ko.applyBindings(new viewModel());
et voici ma classe hub ...
using ImpAuth.Providers;
using Microsoft.AspNet.SignalR;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
namespace ImpAuth
{
public class impAuthHub : Hub
{
[QueryStringBearerAuthorize]
public void SendMessage(string name, string message)
{
Clients.All.newMessage(name, message);
}
}
}
... maintenant, le problème survient lorsque j'essaie d'invoquer une classe de concentrateur authentifiée et que j'obtiens cette erreur
caller is not authenticated to invove method sendMessage in impAuthHub
mais alors je change cette méthode dans la classe QueryStringBearerAuthorizeAttribute pour toujours retourner vrai comme ça
public override bool AuthorizeHubMethodInvocation(IHubIncomingInvokerContext hubIncomingInvokerContext, bool appliesToMethod)
{
var connectionId = hubIncomingInvokerContext.Hub.Context.ConnectionId;
// check the authenticated user principal from environment
var environment = hubIncomingInvokerContext.Hub.Context.Request.Environment;
var principal = environment["server.User"] as ClaimsPrincipal;
if (principal != null && principal.Identity != null && principal.Identity.IsAuthenticated)
{
// create a new HubCallerContext instance with the principal generated from token
// and replace the current context so that in hubs we can retrieve current user identity
hubIncomingInvokerContext.Hub.Context = new HubCallerContext(new ServerRequest(environment), connectionId);
return true;
}
return true;
}
... ça marche .... QUOI IS LE PROBLÈME AVEC MON CODE OR MISE EN ŒUVRE?
Vous devez configurer votre signal comme ceci;
app.Map("/signalr", map =>
{
map.UseCors(CorsOptions.AllowAll);
map.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()
{
Provider = new QueryStringOAuthBearerProvider()
});
var hubConfiguration = new HubConfiguration
{
Resolver = GlobalHost.DependencyResolver,
};
map.RunSignalR(hubConfiguration);
});
Ensuite, vous devez écrire un OAuthBearerAuthenticationProvider personnalisé de base pour signalR qui accepte access_token comme chaîne de requête.
public class QueryStringOAuthBearerProvider : OAuthBearerAuthenticationProvider
{
public override Task RequestToken(OAuthRequestTokenContext context)
{
var value = context.Request.Query.Get("access_token");
if (!string.IsNullOrEmpty(value))
{
context.Token = value;
}
return Task.FromResult<object>(null);
}
}
Après cela, tout ce dont vous avez besoin est d'envoyer un access_token avec une connexion signalr comme chaîne de requête.
$.connection.hub.qs = { 'access_token': token };
Et pour votre hub juste un attribut [Authorize] ordinaire
public class impAuthHub : Hub
{
[Authorize]
public void SendMessage(string name, string message)
{
Clients.All.newMessage(name, message);
}
}
J'espère que cela t'aides. YD.
Je ne peux pas commenter, alors ajoutez ma réponse après les commentaires sur l'excellente réponse de Peter.
J'ai creusé un peu plus et l'ID utilisateur que j'avais défini dans mon fournisseur d'autorisation owin personnalisé se cachait ici (méthode de hub complète illustrée).
[Authorize]
public async Task<int> Test()
{
var claims = (Context.User.Identity as System.Security.Claims.ClaimsIdentity).Claims.FirstOrDefault();
if (claims != null)
{
var userId = claims.Value;
//security party!
return 1;
}
return 0;
}
Plus ajouté pour texas697 :
Startup.Auth.cs ajoutez ceci à ConfigureAuth () si ce n'est déjà fait:
app.Map("/signalr", map =>
{
map.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()
{
Provider = new QueryStringOAuthBearerProvider() //important bit!
});
var hubConfiguration = new HubConfiguration
{
EnableDetailedErrors = true,
Resolver = GlobalHost.DependencyResolver,
};
map.RunSignalR(hubConfiguration);
});
Le fournisseur d'authentification personnalisé ressemble à ceci:
public class QueryStringOAuthBearerProvider : OAuthBearerAuthenticationProvider
{
public override Task RequestToken(OAuthRequestTokenContext context)
{
var value = context.Request.Query.Get("access_token");
if (!string.IsNullOrEmpty(value))
{
context.Token = value;
}
return Task.FromResult<object>(null);
}
}
J'ai suivi ceci :
ajoutez d'abord le JWT à la chaîne de requête: '
this.connection = $['hubConnection']();
this.connection.qs = { 'access_token': token}
puis dans lestartup.cs, avant JwtBearerAuthentication, ajoutez le jeton à l'en-tête:
app.Use(async (context, next) =>
{
if (string.IsNullOrWhiteSpace(context.Request.Headers["Authorization"]) && context.Request.QueryString.HasValue)
{
var token = context.Request.QueryString.Value.Split('&').SingleOrDefault(x => x.Contains("access_token"))?.Split('=')[1];
if (!string.IsNullOrWhiteSpace(token))
{
context.Request.Headers.Add("Authorization", new[] { $"Bearer {token}" });
}
}
await next.Invoke();
});
var keyResolver = new JwtSigningKeyResolver(new AuthenticationKeyContainer());
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
TokenValidationParameters = new TokenValidationParameters()
{
ValidAudience = ConfigurationUtil.ocdpAuthAudience,
ValidIssuer = ConfigurationUtil.ocdpAuthZero,
IssuerSigningKeyResolver = (token, securityToken, kid, validationParameters) => keyResolver.GetSigningKey(kid)
}
});
ValidateSignalRConnectionData(app);
var hubConfiguration = new HubConfiguration
{
EnableDetailedErrors = true
};
app.MapSignalR(hubConfiguration);