wss stopped working, cannot figure out the reason #1664
Comments
Hi Alexandis! A lot of people try to route wss-protocol traffic via Ocelot gateway, but they failed! 🤣
Are you sure that Ocelot v18 + WSS SignalR setup is working? I would recommend you to connect to the service directly without Ocelot. Finally,
Aha, and one more update! So, when you said:
I would say that Websockets feature is broken during .NET version upgrade. See above ☝️
Answering your first question - yes, surprisingly the shown configuration allowed us to befriend wss and Ocelot 18, working on localhost without hitch.
I'm glad that my explanations helped you! Who knows, maybe I will reopen this issue soon, because it has an interesting specification: Ocelot v18 + SignalR npm package for Angular. Finally, the team and I are interested in support of the latest release of Ocelot (v19, .NET 7 release).
I want to finally clarify what actually happened in my case. But the mechanism with adding token to URL for authenticating wss request really works with Ocelot provided the configuration above. You just need to add the following code into HTTP request middleware:
The question of security having token in URL is another matter and needs to be discussed separately. However, there is no other way to authenticate wss request in another way, as far as I know...
Yeah, yeah! Also, what is the problem to move auth-token to headers or even to body? If you have an intention to come back to us with well-defined WSS feature request in future, we will accept it with pleasure.
From what I've heard lately, wss does not support passing token via header or body - only URL.
Alexandis,

```csharp
// Needs Microsoft.AspNetCore.Authentication.JwtBearer, Microsoft.Extensions.Primitives (StringValues) and System.Linq (First)
options.Events = new JwtBearerEvents
{
    OnMessageReceived = context =>
    {
        // Only the SignalR hub endpoint takes its token from the query string
        if (context.HttpContext.Request.Path.StartsWithSegments("/signalr-hubs/notification"))
        {
            if (context.Request.Query.TryGetValue("access_token", out StringValues accessToken))
            {
                context.Token = accessToken.First(); //authenticating WSS request
            }
        }
        return Task.CompletedTask;
    }
};
```

I've searched for the source code in Ocelot and I didn't find something similar. It looks like you forgot to register authentication, authorization services in these Ocelot features: Do you think we need to develop Websockets somehow? Is your user case covered by JWT Tokens
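An added example, not code from this thread or from Ocelot: the query-string token handler quoted above, placed in a minimal ASP.NET Core host for the hub service, limited to the hub path, and with the request-start log (which records the full URL, token included) turned down. The issuer, audience and `NotificationHub` class are placeholders assumed for illustration.

```csharp
// Program.cs of the hub service (ASP.NET Core 6+, JwtBearer package, implicit usings).
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.SignalR;

var builder = WebApplication.CreateBuilder(args);

// The request-start log line contains the full URL, including ?access_token=...
// Raising this category to Warning keeps the token out of the application log.
builder.Logging.AddFilter("Microsoft.AspNetCore.Hosting", LogLevel.Warning);

builder.Services.AddSignalR();
builder.Services.AddAuthorization();
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://localhost:5001"; // placeholder issuer (assumption)
        options.Audience = "notifications";           // placeholder audience (assumption)
        options.Events = new JwtBearerEvents
        {
            OnMessageReceived = context =>
            {
                var request = context.HttpContext.Request;
                string? queryToken = request.Query["access_token"];
                // Accept the URL token only on the hub path, and only when the
                // client sent no Authorization header; everywhere else the
                // handler's default (header-only) behaviour applies.
                if (!string.IsNullOrEmpty(queryToken)
                    && request.Path.StartsWithSegments("/signalr-hubs/notification")
                    && !request.Headers.ContainsKey("Authorization"))
                {
                    context.Token = queryToken;
                }
                return Task.CompletedTask;
            }
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapHub<NotificationHub>("/signalr-hubs/notification");
app.Run();

// Hypothetical hub; [Authorize] rejects connections whose token failed validation.
[Authorize]
public class NotificationHub : Hub { }
```

The log filter only covers this application's own logger; anything in front of the service that records full URLs needs the same treatment. Short token lifetimes limit the value of a URL that does leak.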
@raman-m thank you - we indeed do not use these extensive Ocelot configuration options. Actually, I was not the one in the team making use of Ocelot in our system, so I don't have much detail about it. Probably these configuration options might come in handy for us if we get the issue while publishing our solution in test Azure environment (where we do not have SSL certificate and will need to use that "ignore" thing for accepting self-made certificates and so on)... I do not know in advance actually, sorry. As to my piece of the code - it is to authorize the wss request with incoming URL token on the site where the SignalR hub actually resides. It is not connected to Ocelot, but probably might be useful for someone if he meets the issues with SignalR functioning...
Aha... After my review I see that Websockets vs SignalR don't support authentication & authorization at all. If points 11, 12 are still actual then it means we can provide some basic authorization support for downstream services via JWT token forwarding like it is implemented in your coding recipe. But for sure this recipe must be generic without any hardcoded options and/or settings. What do you think? Also, could you upload your solution to GitHub please? You can remove real hosts for security, just replace them by localhost. Also sample project/solution can show us the possible approach and design, and we could enhance old feature or develop new feature.
We used Ocelot 18.0 + SignalR on localhost environment, it was Angular 13.x.
We use self-signed certificates and everything worked smoothly with this simple configuration:
We upgraded to Angular 15 (the corresponding version of SignalR NPM has been updated accordingly) - I'm writing this just to emphasize there were no other relevant changes that come to my mind. And it does not work now. I cannot figure out why and probably you would give me some hint?
Could it be somehow related to Ocelot or I should exclude it from suspicion list?