--- title: Authentication and authorization in ASP.NET Core SignalR author: tdykstra description: Learn how to use authentication and authorization in ASP.NET Core SignalR. monikerRange: '>= aspnetcore-2.1' ms.author: anurse ms.custom: mvc ms.date: 06/29/2018 uid: signalr/authn-and-authz --- # Authentication and authorization in ASP.NET Core SignalR By [Andrew Stanton-Nurse](https://twitter.com/anurse) [View or download sample code](https://github.com/aspnet/Docs/tree/master/aspnetcore/signalr/authn-and-authz/sample/) [(how to download)](xref:index#how-to-download-a-sample) ## Authenticate users connecting to a SignalR hub SignalR can be used with [ASP.NET Core authentication](xref:security/authentication/identity) to associate a user with each connection. In a hub, authentication data can be accessed from the [`HubConnectionContext.User`](/dotnet/api/microsoft.aspnetcore.signalr.hubconnectioncontext.user) property. Authentication allows the hub to call methods on all connections associated with a user (See [Manage users and groups in SignalR](xref:signalr/groups) for more information). Multiple connections may be associated with a single user. ### Cookie authentication In a browser-based app, cookie authentication allows your existing user credentials to automatically flow to SignalR connections. When using the browser client, no additional configuration is needed. If the user is logged in to your app, the SignalR connection automatically inherits this authentication. Cookies are a browser-specific way to send access tokens, but non-browser clients can send them. When using the [.NET Client](xref:signalr/dotnet-client), the `Cookies` property can be configured in the `.WithUrl` call in order to provide a cookie. However, using cookie authentication from the .NET Client requires the app to provide an API to exchange authentication data for a cookie. ### Bearer token authentication The client can provide an access token instead of using a cookie. The server validates the token and uses it to identify the user. This validation is done only when the connection is established. During the life of the connection, the server doesn't automatically revalidate to check for token revocation. On the server, bearer token authentication is configured using the [JWT Bearer middleware](/dotnet/api/microsoft.extensions.dependencyinjection.jwtbearerextensions.addjwtbearer). In the JavaScript client, the token can be provided using the [accessTokenFactory](xref:signalr/configuration#configure-bearer-authentication) option. [!code-typescript[Configure Access Token](authn-and-authz/sample/wwwroot/js/chat.ts?range=63-65)] In the .NET client, there is a similar [AccessTokenProvider](xref:signalr/configuration#configure-bearer-authentication) property that can be used to configure the token: ```csharp var connection = new HubConnectionBuilder() .WithUrl("https://example.com/myhub", options => { options.AccessTokenProvider = () => Task.FromResult(_myAccessToken); }) .Build(); ``` > [!NOTE] > The access token function you provide is called before **every** HTTP request made by SignalR. If you need to renew the token in order to keep the connection active (because it may expire during the connection), do so from within this function and return the updated token. In standard web APIs, bearer tokens are sent in an HTTP header. However, SignalR is unable to set these headers in browsers when using some transports. When using WebSockets and Server-Sent Events, the token is transmitted as a query string parameter. In order to support this on the server, additional configuration is required: [!code-csharp[Configure Server to accept access token from Query String](authn-and-authz/sample/Startup.cs?name=snippet)] ### Cookies vs. bearer tokens Because cookies are specific to browsers, sending them from other kinds of clients adds complexity compared to sending bearer tokens. For this reason, cookie authentication isn't recommended unless the app only needs to authenticate users from the browser client. Bearer token authentication is the recommended approach when using clients other than the browser client. ### Windows authentication If [Windows authentication](xref:security/authentication/windowsauth) is configured in your app, SignalR can use that identity to secure hubs. However, in order to send messages to individual users, you need to add a custom User ID provider. This is because the Windows authentication system doesn't provide the "Name Identifier" claim that SignalR uses to determine the user name. Add a new class that implements `IUserIdProvider` and retrieve one of the claims from the user to use as the identifier. For example, to use the "Name" claim (which is the Windows username in the form `[Domain]\[Username]`), create the following class: ```csharp public class NameUserIdProvider : IUserIdProvider { public string GetUserId(HubConnectionContext connection) { return connection.User?.FindFirst(ClaimTypes.Name)?.Value; } } ``` Rather than `ClaimTypes.Name`, you can use any value from the `User` (such as the Windows SID identifier, etc.). > [!NOTE] > The value you choose must be unique among all the users in your system. Otherwise, a message intended for one user could end up going to a different user. Register this component in your `Startup.ConfigureServices` method **after** the call to `.AddSignalR` ```csharp public void ConfigureServices(IServiceCollection services) { // ... other services ... services.AddSignalR(); services.AddSingleton(); } ``` In the .NET Client, Windows Authentication must be enabled by setting the [UseDefaultCredentials](/dotnet/api/microsoft.aspnetcore.http.connections.client.httpconnectionoptions.usedefaultcredentials) property: ```csharp var connection = new HubConnectionBuilder() .WithUrl("https://example.com/myhub", options => { options.UseDefaultCredentials = true; }) .Build(); ``` Windows Authentication is only supported by the browser client when using Microsoft Internet Explorer or Microsoft Edge. ## Authorize users to access hubs and hub methods By default, all methods in a hub can be called by an unauthenticated user. In order to require authentication, apply the [Authorize](/dotnet/api/microsoft.aspnetcore.authorization.authorizeattribute) attribute to the hub: [!code-csharp[Restrict a hub to only authorized users](authn-and-authz/sample/Hubs/ChatHub.cs?range=8-10,32)] You can use the constructor arguments and properties of the `[Authorize]` attribute to restrict access to only users matching specific [authorization policies](xref:security/authorization/policies). For example, if you have a custom authorization policy called `MyAuthorizationPolicy` you can ensure that only users matching that policy can access the hub using the following code: ```csharp [Authorize("MyAuthorizationPolicy")] public class ChatHub: Hub { } ``` Individual hub methods can have the `[Authorize]` attribute applied as well. If the current user doesn't match the policy applied to the method, an error is returned to the caller: ```csharp [Authorize] public class ChatHub: Hub { public async Task Send(string message) { // ... send a message to all users ... } [Authorize("Administrators")] public void BanUser(string userName) { // ... ban a user from the chat room (something only Administrators can do) ... } } ```