SignalR and user identity (authentication and authorization)


There are too many authentication types (Basic, Windows, Cookie, OAuth) to explain how to use all of them. In this sample I focus on using Cookie Authentication to secure a website, a Persistent Connection, and a Hub. Authentication is configured in OWIN: you have to add some NuGet packages and add code in Startup.cs. I started with a web project created from the MVC template. By default it creates web forms to register users and enter user credentials, configures an anti-forgery token for HTTP requests, and creates an Entity Framework repository for User Identity. For the self-host server there is no template, so I created it using the previous project as a sample but removed things like the anti-forgery token, MVC, and Entity Framework.

The important thing to remember is that OWIN takes care of authentication, and all frameworks on top of OWIN (SignalR, MVC, Web API, etc.) simply consume the user identity provided by OWIN. So, if you can't see the identity in SignalR, the problem is in your OWIN configuration.
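The following Startup.cs is an added example, not the sample project's own code, showing the OWIN wiring the paragraph above describes: the cookie authentication middleware is registered before SignalR is mapped, so the principal it builds from the cookie is already on the request by the time SignalR reads request.User or Context.User. The authentication type name, the login path and the "/echo" route are assumptions chosen for the example; it uses the Microsoft.Owin.Security.Cookies and Microsoft.AspNet.SignalR packages.

```csharp
using Microsoft.AspNet.SignalR;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Tells the OWIN host which class configures the pipeline (assumed namespace).
[assembly: OwinStartup(typeof(Common.Startup))]

namespace Common
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // 1. Authentication middleware FIRST. On every request it validates the
            //    auth cookie and sets the OWIN user principal; everything registered
            //    after this line (SignalR, MVC, Web API) just consumes that principal.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = "ApplicationCookie",        // assumed name
                LoginPath = new PathString("/Account/Login"),    // assumed path
                CookieHttpOnly = true,                           // keep the cookie away from script
                CookieSecure = CookieSecureOption.Always         // only send it over HTTPS
            });

            // 2. SignalR AFTER authentication. If these two calls were swapped, the
            //    SignalR middleware would run before the cookie was parsed and
            //    request.User would be null or unauthenticated for every connection.
            app.MapSignalR<Connections.AuthorizeEchoConnection>("/echo"); // assumed route
            app.MapSignalR();                                             // hubs at /signalr
        }
    }
}
```

The ordering is the whole point: a missing identity in AuthorizeRequest or Context.User is almost always a sign that MapSignalR was registered ahead of the authentication middleware, or that the middleware was never added to this host at all (the self-host server has no MVC template to add it for you).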

A SignalR Persistent Connection gives you access to the user identity by overriding the AuthorizeRequest method. The sample code below allows only authenticated users to create a persistent connection. You could add more logic to allow only some user roles by using the method request.User.IsInRole(string role):

using Microsoft.AspNet.SignalR;

namespace Common.Connections
{
  public class AuthorizeEchoConnection : PersistentConnection
  {
    // Called once per connection request, before OnConnected. Returning false
    // makes SignalR reject the request with 403 Forbidden.
    protected override bool AuthorizeRequest(IRequest request)
    {
      // request.User is the principal set by the OWIN authentication middleware.
      return request.User != null && request.User.Identity.IsAuthenticated;
    }

    ...

  }
}

A SignalR Hub gives you access to the user identity using Context.User. If you want to restrict access to a Hub to authenticated users only, add the [Authorize] attribute. Do you want to allow only some user roles? Add [Authorize(Roles="myRole")]. Do you want to allow specific users? Add [Authorize(Users="myUser")].

using System.Threading.Tasks;
using Microsoft.AspNet.SignalR;

namespace Common.Hubs
{
  // Without [Authorize] an anonymous client could connect and invoke every method.
  [Authorize]
  public class AuthorizeEchoHub : Hub
  {
    public override Task OnConnected()
    {
      // Context.User is the same principal OWIN authenticated for this request.
      return Clients.Caller.hubReceived("Welcome " + Context.User.Identity.Name + "!");
    }

    ...

  }
}
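The block below is an added example (not the sample project's code) that carries both of the previous sections one step further: a Persistent Connection whose AuthorizeRequest also checks a role with IsInRole, and a Hub that combines a class-level [Authorize] with a method-level [Authorize(Roles=...)] so that every caller must be authenticated but only one role may reach the broadcast method. The class names, the "admin" role and the hubReceived client callback name are assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNet.SignalR;

namespace Common.Connections
{
    // Persistent connection that only users in the "admin" role (assumed) may open.
    public class AdminEchoConnection : PersistentConnection
    {
        private const string RequiredRole = "admin"; // assumed role name

        protected override bool AuthorizeRequest(IRequest request)
        {
            var user = request.User;

            // Fail closed: a missing principal, an anonymous identity, or the
            // wrong role all reject the connection. IsInRole is answered by the
            // principal OWIN built, so it reflects the cookie's claims, not a
            // value the client can supply in the connect request.
            return user != null
                && user.Identity != null
                && user.Identity.IsAuthenticated
                && user.IsInRole(RequiredRole);
        }

        protected override Task OnReceived(IRequest request, string connectionId, string data)
        {
            // The identity is available on every callback, not only at authorization
            // time, so the server can attribute messages itself instead of trusting
            // a user name embedded in the payload.
            return Connection.Send(connectionId, request.User.Identity.Name + ": " + data);
        }
    }
}

namespace Common.Hubs
{
    // Class-level: nobody reaches this hub without an authenticated identity.
    [Authorize]
    public class AdminEchoHub : Hub
    {
        // Any authenticated user may echo to themselves.
        public void Echo(string message)
        {
            Clients.Caller.hubReceived(Context.User.Identity.Name + ": " + message);
        }

        // Method-level attribute narrows access further: authenticated AND in
        // the "admin" role. A caller outside the role gets the invocation
        // rejected by SignalR before this body runs.
        [Authorize(Roles = "admin")]
        public void Broadcast(string message)
        {
            Clients.All.hubReceived("[admin] " + Context.User.Identity.Name + ": " + message);
        }
    }
}
```

Putting the role decision in AuthorizeRequest or in the attribute, rather than inside each method body, keeps the check in one place that SignalR evaluates before any application code runs; the server-side name attribution in OnReceived and Echo is the practical consequence of the earlier point that the identity comes from OWIN, never from the client.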

Full sample code is here. It contains a web host server and a self host server. Then you can use any of the clients to authenticate and establish a SignalR connection:

  • JavaScript client connecting cross-domain
  • C# console client
  • C# Windows Phone client
  • C# Windows Store app client

For more information, read the SignalR documentation about security.

  • It would be great to see an example of using Basic Authentication. I would like to be able to use

    new NetworkCredential("user", "password"); and pass that in my Connection, then have it authenticated server side.

  • Hi Jason,

    Basic Authentication is discouraged because Owin Katana is not releasing a Basic Authentication package, and if your app is deployed with http (not SSL) and it uses Long Polling transport, it would need to send the credentials on every http request.

    Having said this, if you still want to go and use Basic Auth, you can search "/basicauth" on dev branch of SignalR test bed. (e.g. github.com/.../Initializer.cs)

  • I'm curious why you would discourage Basic Auth? It is common understanding that the best practice is to use SSL in combination with it. Also, why would sending the authorization headers on every request be perceived as a negative? I believe Thinktecture is releasing OWIN basic auth middleware in their IdentityModel.
