@microsoft/signalr (JavaScript) accessTokenFactory not providing access_token query param

[dapperdandev]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

Building and starting a connection with accessTokenFactory doesn't add access_token to the query parameters. The resulting request path ends up being /{hub}/negotiate?negotiateVersion=1. It should be /{hub}/negotiate?negotiateVersion=1&access_token=token given the example below.

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>

<body>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/microsoft-signalr/7.0.7/signalr.min.js"></script>
    <!-- Using this CDN is just for repro simplicity. I'm installing @microsoft/signalr and importing in ts in my real project  -->
    <script>
        const connection = new signalR.HubConnectionBuilder().withUrl("/notifications", {
            accessTokenFactory: () => "token" // should append &access_token=token to the query string
        }).build();

        connection.start().then(() => console.log('started'));
    </script>

</body>
</html>

builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
  {
      options.Authority = Environment.GetEnvironmentVariable("AUTH0_AUTHORITY_URL")
      options.Events = new JwtBearerEvents
      {
          OnMessageReceived = context =>
          {
              var accessToken = context.Request.Query["access_token"]; // no value
              var path = context.HttpContext.Request.Path;
              if (!string.IsNullOrEmpty(accessToken) &&
                  (path.StartsWithSegments("/notifications")))
              {
                  context.Token = accessToken;
              }
              return Task.CompletedTask;
          }
      };
  });

https://learn.microsoft.com/en-us/aspnet/core/signalr/authn-and-authz?view=aspnetcore-7.0#built-in-jwt-authentication

Expected Behavior

Providing the accessTokenFactory should append access_token={token} to the query params on connection.start().then(() => ...)

Steps To Reproduce

Save this html as an index.html and open it in your browser.

<title>Document</title> <script src="https://cdnjs.cloudflare.com/ajax/libs/microsoft-signalr/7.0.7/signalr.min.js"></script> <script> const connection = new signalR.HubConnectionBuilder().withUrl("/notifications", { accessTokenFactory: () => "token" // should append &access_token=token to the query string }).build();

    connection.start().then(() => console.log('started'));
</script>

Exceptions (if any)

N/A

.NET Version

7.0.203

Anything else?

No response

[mitchdenny]

Is the callback () => "token" actually getting invoked?

[mitchdenny]

Can you confirm what protocol SignalR is connecting on, its possible that the token is being sent in the Authorization header.

[dapperdandev]

@mitchdenny Just confirmed the callback is indeed invoked.

You're correct that the token is sent in the Authorization header. The negotiate request is sent over http(s). If I understand correctly, that's the default when transport isn't specified in the js/ts client.

Despite this, I realized today that my user is still being authenticated when I provide a callback with a valid token.

Does the documentation need to be updated? It reads as if we should expect the token to be in the query params given this client configuration:

// Connect, using the token we got.
this.connection = new signalR.HubConnectionBuilder()
    .withUrl("/hubs/chat", { accessTokenFactory: () => this.loginToken })
    .build();

Yet, as mentioned above, this sets the token on the Authorization header. I tested in both node and Angular.

Additionally, it doesn't seem like the browser api limitations metioned in the docs exist anymore and the code below without the OnMessageReceived event still handles authentication and allows me to authorize via the [Authorize] attribute on my hub classes and/or methods. I'm also able to access Context.UserIdentifier inside of my hubs that require authorization.

builder.Services.AddAuthentication(o =>
{
    o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
    options.Authority = <AUTHORITY>
    options.TokenValidationParameters = new TokenValidationParameters
    {
        IssuerSigningKey = <SIGNING_KEY>,
        ValidAudiences = <AUDIENCES>,
        ValidIssuers = <ISSUERS>,
        NameClaimType = ClaimTypes.NameIdentifier,
        RoleClaimType = ClaimTypes.Role,
    };
});

I'll poke this a little bit more in the next day or two. I could be wrong. I can't remember if I verified this in our Angular/browser client.

[mitchdenny]

I think it will try to negotiate a WebSocket if it can - but if you end up using long polling then the Authorization header approach will be used. So check what underlying protocol SignalR is using and it'll probably explain what is going on here.

[BrennanConroy]

Does the documentation need to be updated? It reads as if we should expect the token to be in the query params given this client configuration:

I guess you're refering to

Sending the access token in the query string is required due to a limitation in Browser APIs.

In https://learn.microsoft.com/aspnet/core/signalr/authn-and-authz?view=aspnetcore-7.0#built-in-jwt-authentication
Which only applies to WebSocket requests. So it could be updated to mention that.

[dapperdandev]

@BrennanConroy Bingo :)

The PR lgtm.

This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.

See our Issue Management Policies for more information.