SignalR Core Auth - Token in Query String section does not address AddIdentityServerJwt()

[caleblloyd]

The Token in Query String section addresses the case where AddJwtBearer() is called directly:

 services.AddAuthentication()
        .AddJwtBearer(options =>//options from documentation);

It does not cover the Identity Server case where AddIdentityServerJwt() is used instead, which is the default for Blazor WebAssembly apps scaffolded with authentication.

 services.AddAuthentication()
        .AddIdentityServerJwt();

In this case, calling AddJwtBearer after AddIdentityServerJwt does not work:

// this does not work
services.AddAuthentication()
                .AddIdentityServerJwt()
                .AddJwtBearer(options =>//options from documentation);

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: d0da2144-3730-f8ef-1d16-a89f11fd6198
• Version Independent ID: 6d8f5bc8-8f5c-ba13-b7f2-0366eac46f81
• Content: Authentication and authorization in ASP.NET Core SignalR
• Content Source: aspnetcore/signalr/authn-and-authz.md
• Product: aspnet-core
• Technology: aspnetcore-signalr
• GitHub Login: @bradygaster
• Microsoft Alias: bradyg

[caleblloyd]

@guardrex here is another one related to IS that I encountered using Blazor WebAssembly with SignalR.

Note that WebSockets will not pass access tokens in the query string the C# SignalR client running in the browser until dotnet/aspnetcore#20466 is merged. I have a workaround to pass the access token in the query string that I have been testing this with though.

[caleblloyd]

I was able to get it working using a PostConfigureOptions service:

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Options;

namespace App.Server.Services
{
    public class ConfigureJwtBearerOptions : IPostConfigureOptions<JwtBearerOptions>
    {
        public void PostConfigure(string name, JwtBearerOptions options)
        {
            // save the original OnMessageReceived event
            var originalOnMessageReceived = options.Events.OnMessageReceived;

            options.Events.OnMessageReceived = async context =>
            {
                // call the original OnMessageReceived event
                await originalOnMessageReceived(context);
                
                if (string.IsNullOrEmpty(context.Token))
                {
                    // attempt to read the access token from the query string
                    var accessToken = context.Request.Query["access_token"];

                    // If the request is for our hub...
                    var path = context.HttpContext.Request.Path;
                    if (!string.IsNullOrEmpty(accessToken) && path.StartsWithSegments("/hubs"))
                    {
                        // Read the token out of the query string
                        context.Token = accessToken;
                    }
                }
            };
        }
    }
}

Startup.cs configuration:

            services.AddAuthentication()
                .AddIdentityServerJwt();
            services.TryAddEnumerable(
                ServiceDescriptor.Singleton<IPostConfigureOptions<JwtBearerOptions>, ConfigureJwtBearerOptions>());

[guardrex]

@BrennanConroy Do we need to cover anything in this topic given dotnet/aspnetcore#20466?

Since https://docs.microsoft.com/aspnet/core/tutorials/signalr-blazor-webassembly is a tutorial, this information would have to go in the SignalR topic if covered.

[BrennanConroy]

Do we need to cover anything in this topic given dotnet/aspnetcore#20466?

That bug is a bug in a preview product (blazor webassembly) and will be fixed by release. So I'm not sure any docs need to be written for it.

As for AddIdentityServerJwt, something should be done there as it looks un-obvious how to handle the access_token query string.