Better SignalR documentation for authentication

[cirrusone]

Are there any working code samples for net5.0 or net6.0 on how to authenticate users using Identity and tokens?

I have a working tutorial without authentication Use ASP.NET Core SignalR with Blazor

The steps for authentication and authorization have code samples but seem incomplete Authentication and authorization in ASP.NET Core SignalR

How is the variable _myAccessToken set here?

var connection = new HubConnectionBuilder()
    .WithUrl("https://example.com/chathub", options =>
    { 
        options.AccessTokenProvider = () => Task.FromResult(_myAccessToken);
    })
    .Build();

For Built-in JWT authentication what goes here options.Authority = /* TODO: Insert Authority URL here */;?

If I add [Authorize] to the hub I would expect I can only send messages if I login, but I get an error on the client System.Net.Http.HttpRequestException HResult=0x80131500 Message=Response status code does not indicate success: 401 (Unauthorized).

It looks like I need to add a token to the client but I cannot work out how from the docs. Can anyone help?

    [Authorize]
    public class MessageHub : Hub
    {
        public async Task SendMessage(string user, string message)
        {
            await Clients.All.SendAsync("ReceiveMessage", user, message);
        }
    }

TestMessageHub.razor:

@page "/testmessagehub"
@using Microsoft.AspNetCore.SignalR.Client
@inject NavigationManager NavigationManager
@implements IAsyncDisposable

<div class="form-group">
    <label>
        User:
        <input @bind="userInput" />
    </label>
</div>
<div class="form-group">
    <label>
        Message:
        <input @bind="messageInput" size="50" />
    </label>
</div>
<button @onclick="Send" disabled="@(!IsConnected)">Send</button>

<hr>

<ul id="messagesList">
    @foreach (var message in messages)
    {
        <li>@message</li>
    }
</ul>

@code {
    private HubConnection hubConnection = null!;
    private List<string> messages = new List<string>();
    private string userInput = null!;
    private string messageInput = null!;

    protected override async Task OnInitializedAsync()
    {

        hubConnection = new HubConnectionBuilder()
            .WithUrl(NavigationManager.ToAbsoluteUri("/messagehub"))
            .Build();

        hubConnection.On<string, string>("ReceiveMessage", (user, message) =>
        {
            var encodedMsg = $"{user}: {message}";
            messages.Add(encodedMsg);
            StateHasChanged();
        });

        await hubConnection.StartAsync();
    }

    async Task Send() =>
        await hubConnection.SendAsync("SendMessage", userInput, messageInput);

    public bool IsConnected =>
        hubConnection.State == HubConnectionState.Connected;

    public async ValueTask DisposeAsync()
    {
        if (hubConnection is not null)
        {
            await hubConnection.DisposeAsync();
        }
    }
}

Program.cs:

using Test.Areas.Identity;
using Test.Data;
using Test.Hubs;
using Test.Services.Mail;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.ResponseCompression;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
var connectionString = builder.Configuration.GetConnectionString("DefaultConnection");
builder.Services.AddDbContext<ApplicationDbContext>(options =>
    options.UseSqlServer(connectionString));
builder.Services.AddDatabaseDeveloperPageExceptionFilter();

builder.Services.AddIdentity<ApplicationUser, ApplicationRole>(options => options.SignIn.RequireConfirmedAccount = true)
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddTokenProvider<DataProtectorTokenProvider<ApplicationUser>>(TokenOptions.DefaultProvider)
        .AddDefaultUI();

builder.Services.AddRazorPages();
builder.Services.AddServerSideBlazor();
builder.Services.AddScoped<AuthenticationStateProvider, RevalidatingIdentityAuthenticationStateProvider<ApplicationUser>>();
builder.Services.AddSingleton<WeatherForecastService>();

builder.Services.Configure<DataProtectionTokenProviderOptions>(o => o.TokenLifespan = TimeSpan.FromHours(24)); // Default is one day anyway but set incase later versions change
builder.Services.Configure<EMailSettings>(builder.Configuration.GetSection("EMailSettings"));
builder.Services.AddTransient<IEmailSender, EmailSender>();


builder.Services.AddResponseCompression(opts =>
{
    opts.MimeTypes = ResponseCompressionDefaults.MimeTypes.Concat(new[] { "application/octet-stream" });
});

var app = builder.Build();

app.UseResponseCompression();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
    app.UseMigrationsEndPoint();
}
else
{
    app.UseExceptionHandler("/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}

app.UseHttpsRedirection();

app.UseStaticFiles();

app.UseRouting();

app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();
app.MapBlazorHub();
app.MapHub<MessageHub>("/messagehub");
app.MapFallbackToPage("/_Host");

app.Run();

[davidfowl]

How is the variable _myAccessToken set here?

Where is your access token coming from?

[cirrusone]

I think I'm just using the default token provider defined in Program.cs as

builder.Services.AddIdentity<ApplicationUser, ApplicationRole>(options => options.SignIn.RequireConfirmedAccount = true)
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddTokenProvider<DataProtectorTokenProvider<ApplicationUser>>(TokenOptions.DefaultProvider)
        .AddDefaultUI();

this generates tokens correctly for identity if I need to reset password etc.

I have no idea how to set the token for SignalR/Blazor?

At the moment I'm trying to send messages within the Blazor app only when logged in with Identity but eventually want to extend to using Blazor Server and external console client.

[davidfowl]

I see, so you're looking cookie authentication in a Blazor web assembly application?

[cirrusone]

I see, so you're looking cookie authentication in a Blazor web assembly application?

I think so except I'm current using Blazor Server rather than Blazor web assembly. As long as the SignalR hub and client on Blazor will only send for logged in users only, eg [Authorize] or [Authorize(Roles = "X","Y","Z")] etc.

Bonus would be example of a console .NET client having ability to login to same Blazor Server Identity so that both Blazor Server and .NET client can message each other based on Identity users and roles.

I'm using custom ApplicationUser and ApplicationRole with int primary key in example above.

[cirrusone]

This is my current solution which I've got working between Blazor Server and console client but without authorization. SignalR.zip

[GKotfis]

@cirrusone Maybe this snippet will help you. We're using OnMessageReceived event to take token from query params and pass it through.

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
    // omitted for breviety 
    
    options.Events = new JwtBearerEvents
    {
        OnMessageReceived = context =>
        {
            var accessToken = context.Request.Query["access_token"];
            var path = context.HttpContext.Request.Path;
            
            if (!string.IsNullOrEmpty(accessToken) && path.StartsWithSegments("/hubs"))
            {
                context.Token = accessToken;
            }
            return Task.CompletedTask;
        }
    };
});

Thanks to that, we can [Authorize] on Hubs and read claims etc.