-
Notifications
You must be signed in to change notification settings - Fork 95
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initializing Azure SignalR using UseAzureSignalR
doesn't facilitate examining Authorization metadata soon enough like UseEndpoints
does.
#1602
Comments
After further review (when reproducing in sample), I have realized that the expected behavior occurs when using Is there a valid use case for |
UseAzureSignalR
doesn't facilitate an Authorization check soon enough like UseEndpoints
does.
Sounds a bug to look into. |
UseAzureSignalR
doesn't facilitate an Authorization check soon enough like UseEndpoints
does.UseAzureSignalR
doesn't facilitate an Authorization check soon enough like UseEndpoints
does.
UseAzureSignalR
doesn't facilitate an Authorization check soon enough like UseEndpoints
does.UseAzureSignalR
doesn't facilitate examining Authorization metadata soon enough like UseEndpoints
does.
Thanks for your detailed feedback. This issue will be solved by #1605 , which obsoletes We find that Endpoint routing is adopted by SignalR since ASP.NET Core 3.0 and supports customized auth policy. After that,
|
Describe the bug
Using
UseAzureSignalR
does not inspect theHub
objects forAuthorizeAttributes
prior to making the/negotiate
call like ASP .NET Core SignalR does. This results in Negotiation authorization to behave incorrectly. Authorization for Azure SignalR only takes place between the negotiate calls and the redirection to Azure SignalR, but if Authorization to/negotiate
fails, then the Authorization check against the Hubs can never happen.How does it work in ASP .NET SignalR?
In ASP .NET Core SignalR, after a hub is started and a negotiation takes place, the
DefaultHubDispatcher
calls a method calledIsHubMethodAuthorized
here:https://github.com/dotnet/aspnetcore/blob/0ee742c53f2669fd7233df6da89db5e8ab944585/src/SignalR/server/Core/src/Internal/DefaultHubDispatcher.cs#L568
This uses the
HubMethodDescriptor.Policies
to determine if the user is Authorized to perform negotiation. Those sameHubMethodDescriptor.Policies
are accumulated using the following code:https://github.com/dotnet/aspnetcore/blob/0ee742c53f2669fd7233df6da89db5e8ab944585/src/SignalR/server/Core/src/Internal/DefaultHubDispatcher.cs#L658
This looks at the Hubs, and grabs the
AuthorizeAttribute
s off each to build up a list ofIAuthorizeData
(policies).This allows ASP .NET Core to properly handle Authorization of Hubs exactly like Authorization of standard controller endpoints. This logic should probably be used in Azure SignalR as well so that policies can be enforced (or not enforced) in the same way.
I will add, I think the primary place that this metadata gets added to the
/negotiate
endpoints is right here:https://github.com/dotnet/aspnetcore/blob/de3019b7dab5b5995942db1fbec6aa466c4af34c/src/SignalR/common/Http.Connections/src/ConnectionEndpointRouteBuilderExtensions.cs#L118
To Reproduce
See this forked branch -> https://github.com/mhintzke/azure-signalr/tree/matt/reproduce-1602
Just add a connection string and then toggle
ShouldUseAzureSignalR
app setting betweentrue
andfalse
and load the app. You will see that when using Azure SignalR we get a 401 on the/negotiate
(because theFallbackPolicy
is used) but on ASP .NET SignalR we get a 200.Simply setup a
FallbackPolicy
that will always fail authorization and a "foobar" policy (it can do anything, but you can set a breakpoint on this and see that it is never be invoked) using native ASP .NETAddAuthorization
method. Then, add[Authorize(Policy = "foobar")]
to a Hub and try to negotiate with it. You will see that rather than using"foobar"
to Authorize, it uses theFallbackPolicy
and will therefore fail Authorization. SettingFallbackPolicy
back tonull
then allows the/negotiate
endpoint to pass Authorization upstream from Azure SignalR endpoint and then the Hub authorizes correctly.Further technical details
The text was updated successfully, but these errors were encountered: