Include NameIdentifier claim in Azure function negotiate method using TypeScript #493
Comments
@jrmcdona are you using Azure SignalR function extension binding? So you can assign this value in functions.json like below. You may take our js sample for some reference. Let me know if you have any further questions.
@JialinXin So in order to populate "userId": "{headers.x-ms-signalr-userid}" with a value we need to add App Service authentication to our Azure function? I want to add that my client is only receiving messages. My client is not sending any messages. I will be using the REST API to send messages to the client/user. https://docs.microsoft.com/en-us/azure/azure-signalr/signalr-quickstart-rest-api#send-user In your sample, it looks like the userid value is getting added when a message is being sent via a function method. But with the REST API, how would this look? I am going to try it like this with a header in my Angular app - see the getSignalRConnetion method where I pass the x-ms-signalr-userid header:
@jrmcdona Yeah. You did it in the right way. You can name
@JialinXin cool, I was able to get it working!
@JialinXin one additional thing. Do you feel this is secure enough? Or do we need another level of security in the Function apps? I don't want anybody to grab endpoints from the client side and generate all of the necessary tokens to be able to hit the Azure SignalR service. Thanks
From what I can tell, this is not secure. Even without thinking about SignalR, how does your function app authenticate its users (how does it know the user is who they say they are)?
@anthonychu I agree. This is for a 1st party Microsoft app and I think the Authentication providers are not made for 1st party apps. I would say certainly Microsoft Account is not. I think it may be easier once we get Azure AD converged endpoints rolled out for 1st party but they are not. Let me know if you know anything more about this topic. I will see if I can get some auth going in the function. In a traditional web API asp.net project or core project you set everything up in startup.cs such as the RPS bits needed for Microsoft accounts.
@anthonychu @JialinXin So I am looking more into this for AAD. Since this is an API call we do not want to use App Service authentication. Instead we would be using Bearer token authentication, something like this. Unless I am missing something? Something like this: https://blog.wille-zone.de/post/secure-azure-functions-with-jwt-token/ However, what I do not know is in this case how to get the NameIdentifier passed on to the SignalR service from the Negotiate method?
Because SignalRConnectionInfo is an input binding, what you are hoping to do is a bit awkward but possible.
If you'd like to chat about it, I'm currently on vacation but feel free to set up a meeting with me later on this week. We can talk through it and update this issue with the outcome.
Right now the userId in function.json isn't really useful, as in a real scenario you shouldn't trust whoever the client claims to be. In a real world scenario your negotiate should be protected by some authentication mechanism of your own, and in the negotiate you should get the identity from the authenticated user and put it into the SignalR access token. Take the JWT token way you mentioned as an example: you should first validate the JWT token in the negotiate function, get the userId from the claims, then put it into the negotiate result. The problem is it's not easy to finish it in a simple expression in function.json. For now please refer to this example for how to do it in javascript:
@chenkennt @anthonychu This also gives me the ClaimsPrincipal if the user is authorized and allows me to get the Name Identifier. Once that is done, I am trying to GenerateAccessToken and add the Name Identifier claim but the token is Unauthorized: I am also using this sample that was mentioned: Error: Can you all see anything I am doing wrong here?
I needed to use the URL of the Hub and not the Endpoint.
@jrmcdona If you’re using C#, you can also use the binding to generate the token with a user ID like this: https://gist.github.com/ErikAndreas/72c94a0c8a9e6e632f44522c41be8ee7 It might be better than doing this yourself in case anything changes in the future.
How do we include the NameIdentifier claim in an Azure function negotiate method using TypeScript?
I am calling the negotiate API from an Angular app that has an authenticated user. When I generate an access token in my negotiate method, I am not sure how to add in the nameIdentifier.
I will be using the REST API to send messages to single clients.