[SignalR] Close connection on auth expiration (#32431)

Author: BrennanConroy

src/Security/Authorization/Policy/src/PolicyEvaluator.cs

@@ -69,9 +69,15 @@ public virtual async Task<AuthenticateResult> AuthenticateAsync(AuthorizationPol
                 }
             }
 
-            return (context.User?.Identity?.IsAuthenticated ?? false)
-                ? AuthenticateResult.Success(new AuthenticationTicket(context.User, "context.User"))
-                : AuthenticateResult.NoResult();
+            // No modifications made to the HttpContext so let's use the existing result if it exists
+            return context.Features.Get<IAuthenticateResultFeature>()?.AuthenticateResult ?? DefaultAuthenticateResult(context);
+
+            static AuthenticateResult DefaultAuthenticateResult(HttpContext context)
+            {
+                return (context.User?.Identity?.IsAuthenticated ?? false)
+                    ? AuthenticateResult.Success(new AuthenticationTicket(context.User, "context.User"))
+                    : AuthenticateResult.NoResult();
+            }
         }
 
         /// <summary>

src/Security/Authorization/test/AuthorizationMiddlewareTests.cs

@@ -581,16 +581,23 @@ class TestAuthResultFeature : IAuthenticateResultFeature
         }
 
         [Fact]
-        public async Task IAuthenticateResultFeature_UsesExistingFeature()
+        public async Task IAuthenticateResultFeature_UsesExistingFeature_WithScheme()
         {
             // Arrange
-            var policy = new AuthorizationPolicyBuilder().RequireClaim("Permission", "CanViewPage").Build();
+            var policy = new AuthorizationPolicyBuilder().RequireClaim("Permission", "CanViewPage").AddAuthenticationSchemes("Bearer").Build();
             var policyProvider = new Mock<IAuthorizationPolicyProvider>();
             policyProvider.Setup(p => p.GetDefaultPolicyAsync()).ReturnsAsync(policy);
             var next = new TestRequestDelegate();
+            var authenticationService = new Mock<IAuthenticationService>();
+            authenticationService.Setup(s => s.AuthenticateAsync(It.IsAny<HttpContext>(), "Bearer"))
+                .ReturnsAsync((HttpContext c, string scheme) =>
+                {
+                    var res = AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(c.User.Identities.FirstOrDefault(i => i.AuthenticationType == scheme)), scheme));
+                    return res;
+                });
 
             var middleware = CreateMiddleware(next.Invoke, policyProvider.Object);
-            var context = GetHttpContext(endpoint: CreateEndpoint(new AuthorizeAttribute()));
+            var context = GetHttpContext(endpoint: CreateEndpoint(new AuthorizeAttribute()), authenticationService: authenticationService.Object);
             var testAuthenticateResultFeature = new TestAuthResultFeature();
             var authenticateResult = AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(), ""));
             testAuthenticateResultFeature.AuthenticateResult = authenticateResult;
@@ -600,14 +607,39 @@ public async Task IAuthenticateResultFeature_UsesExistingFeature()
             await middleware.Invoke(context);
 
             // Assert
-            Assert.True(next.Called);
             var authenticateResultFeature = context.Features.Get<IAuthenticateResultFeature>();
             Assert.NotNull(authenticateResultFeature);
             Assert.NotNull(authenticateResultFeature.AuthenticateResult);
             Assert.Same(testAuthenticateResultFeature, authenticateResultFeature);
             Assert.NotSame(authenticateResult, authenticateResultFeature.AuthenticateResult);
         }
 
+        [Fact]
+        public async Task IAuthenticateResultFeature_UsesExistingFeatureAndResult_WithoutScheme()
+        {
+            // Arrange
+            var policy = new AuthorizationPolicyBuilder().RequireClaim("Permission", "CanViewPage").Build();
+            var policyProvider = new Mock<IAuthorizationPolicyProvider>();
+            policyProvider.Setup(p => p.GetDefaultPolicyAsync()).ReturnsAsync(policy);
+            var next = new TestRequestDelegate();
+            var middleware = CreateMiddleware(next.Invoke, policyProvider.Object);
+            var context = GetHttpContext(endpoint: CreateEndpoint(new AuthorizeAttribute()));
+            var testAuthenticateResultFeature = new TestAuthResultFeature();
+            var authenticateResult = AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(), ""));
+            testAuthenticateResultFeature.AuthenticateResult = authenticateResult;
+            context.Features.Set<IAuthenticateResultFeature>(testAuthenticateResultFeature);
+
+            // Act
+            await middleware.Invoke(context);
+
+            // Assert
+            var authenticateResultFeature = context.Features.Get<IAuthenticateResultFeature>();
+            Assert.NotNull(authenticateResultFeature);
+            Assert.NotNull(authenticateResultFeature.AuthenticateResult);
+            Assert.Same(testAuthenticateResultFeature, authenticateResultFeature);
+            Assert.Same(authenticateResult, authenticateResultFeature.AuthenticateResult);
+        }
+
         private AuthorizationMiddleware CreateMiddleware(RequestDelegate requestDelegate = null, IAuthorizationPolicyProvider policyProvider = null)
         {
             requestDelegate = requestDelegate ?? ((context) => Task.CompletedTask);

src/SignalR/common/Http.Connections/src/HttpConnectionDispatcherOptions.cs

@@ -5,6 +5,7 @@
 using System.Collections.Generic;
 using System.IO.Pipelines;
 using System.Threading;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authorization;
 
 namespace Microsoft.AspNetCore.Http.Connections
@@ -94,6 +95,15 @@ public TimeSpan TransportSendTimeout
             }
         }
 
+        /// <summary>
+        /// Authenticated connections whose token sets the <see cref="AuthenticationProperties.ExpiresUtc"/> value will be closed
+        /// and allowed to reconnect when the token expires.
+        /// </summary>
+        /// <remarks>
+        /// Closed connections will miss messages sent while closed.
+        /// </remarks>
+        public bool CloseOnAuthenticationExpiration { get; set; }
+
         internal long TransportSendTimeoutTicks { get; private set; }
         internal bool TransportSendTimeoutEnabled => _transportSendTimeout != Timeout.InfiniteTimeSpan;
 

src/SignalR/common/Http.Connections/src/Internal/HttpConnectionContext.cs

@@ -30,7 +30,8 @@ internal class HttpConnectionContext : ConnectionContext,
                                          IHttpContextFeature,
                                          IHttpTransportFeature,
                                          IConnectionInherentKeepAliveFeature,
-                                         IConnectionLifetimeFeature
+                                         IConnectionLifetimeFeature,
+                                         IConnectionLifetimeNotificationFeature
     {
         private readonly HttpConnectionDispatcherOptions _options;
 
@@ -43,6 +44,7 @@ internal class HttpConnectionContext : ConnectionContext,
         private IDuplexPipe _application;
         private IDictionary<object, object?>? _items;
         private readonly CancellationTokenSource _connectionClosedTokenSource;
+        private readonly CancellationTokenSource _connectionCloseRequested;
 
         private CancellationTokenSource? _sendCts;
         private bool _activeSend;
@@ -87,9 +89,14 @@ public HttpConnectionContext(string connectionId, string connectionToken, ILogge
             Features.Set<IHttpTransportFeature>(this);
             Features.Set<IConnectionInherentKeepAliveFeature>(this);
             Features.Set<IConnectionLifetimeFeature>(this);
+            Features.Set<IConnectionLifetimeNotificationFeature>(this);
 
             _connectionClosedTokenSource = new CancellationTokenSource();
             ConnectionClosed = _connectionClosedTokenSource.Token;
+
+            _connectionCloseRequested = new CancellationTokenSource();
+            ConnectionClosedRequested = _connectionCloseRequested.Token;
+            AuthenticationExpiration = DateTimeOffset.MaxValue;
         }
 
         public CancellationTokenSource? Cancellation { get; set; }
@@ -104,6 +111,10 @@ public HttpConnectionContext(string connectionId, string connectionToken, ILogge
         // Used for LongPolling because we need to create a scope that spans the lifetime of multiple requests on the cloned HttpContext
         internal AsyncServiceScope? ServiceScope { get; set; }
 
+        internal DateTimeOffset AuthenticationExpiration { get; set; }
+
+        internal bool IsAuthenticationExpirationEnabled => _options.CloseOnAuthenticationExpiration;
+
         public Task? TransportTask { get; set; }
 
         public Task PreviousPollTask { get; set; } = Task.CompletedTask;
@@ -176,6 +187,8 @@ public IDuplexPipe Application
 
         public override CancellationToken ConnectionClosed { get; set; }
 
+        public CancellationToken ConnectionClosedRequested { get; set; }
+
         public override void Abort()
         {
             ThreadPool.UnsafeQueueUserWorkItem(cts => ((CancellationTokenSource)cts!).Cancel(), _connectionClosedTokenSource);
@@ -601,6 +614,11 @@ internal void StopSendCancellation()
             }
         }
 
+        public void RequestClose()
+        {
+            ThreadPool.UnsafeQueueUserWorkItem(static cts => ((CancellationTokenSource)cts!).Cancel(), _connectionCloseRequested);
+        }
+
         private static class Log
         {
             private static readonly Action<ILogger, string, Exception?> _disposingConnection =

src/SignalR/common/Http.Connections/src/Internal/HttpConnectionDispatcher.cs

@@ -10,6 +10,8 @@
 using System.Security.Principal;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Connections;
 using Microsoft.AspNetCore.Http.Connections.Internal.Transports;
 using Microsoft.AspNetCore.Http.Features;
@@ -566,13 +568,26 @@ private async Task<bool> EnsureConnectionStateAsync(HttpConnectionContext connec
             // Setup the connection state from the http context
             connection.User = connection.HttpContext?.User;
 
+            UpdateExpiration(connection, context);
+
             // Set the Connection ID on the logging scope so that logs from now on will have the
             // Connection ID metadata set.
             logScope.ConnectionId = connection.ConnectionId;
 
             return true;
         }
 
+        private static void UpdateExpiration(HttpConnectionContext connection, HttpContext context)
+        {
+            var authenticateResultFeature = context.Features.Get<IAuthenticateResultFeature>();
+
+            if (authenticateResultFeature is not null)
+            {
+                connection.AuthenticationExpiration =
+                    authenticateResultFeature.AuthenticateResult?.Properties?.ExpiresUtc ?? DateTimeOffset.MaxValue;
+            }
+        }
+
         private static void CloneUser(HttpContext newContext, HttpContext oldContext)
         {
             // If the identity is a WindowsIdentity we need to clone the User.

src/SignalR/common/Http.Connections/src/Internal/HttpConnectionManager.Log.cs

@@ -38,6 +38,9 @@ private static class Log
             private static readonly Action<ILogger, Exception?> _heartbeatEnded =
                 LoggerMessage.Define(LogLevel.Trace, new EventId(10, "HeartBeatEnded"), "Ending connection heartbeat.");
 
+            private static readonly Action<ILogger, string, Exception?> _authenticationExpired =
+                LoggerMessage.Define<string>(LogLevel.Debug, new EventId(11, "AuthenticationExpired"), "Connection {TransportConnectionId} closing because the authentication token has expired.");
+
             public static void CreatedNewConnection(ILogger logger, string connectionId)
             {
                 _createdNewConnection(logger, connectionId, null);
@@ -77,6 +80,11 @@ public static void HeartBeatEnded(ILogger logger)
             {
                 _heartbeatEnded(logger, null);
             }
+
+            public static void AuthenticationExpired(ILogger logger, string connectionId)
+            {
+                _authenticationExpired(logger, connectionId, null);
+            }
         }
     }
 }

src/SignalR/common/Http.Connections/src/Internal/HttpConnectionManager.cs

@@ -167,6 +167,13 @@ public void Scan()
 
                     // Tick the heartbeat, if the connection is still active
                     connection.TickHeartbeat();
+
+                    if (connection.IsAuthenticationExpirationEnabled && connection.AuthenticationExpiration < utcNow &&
+                        !connection.ConnectionClosedRequested.IsCancellationRequested)
+                    {
+                        Log.AuthenticationExpired(_logger, connection.ConnectionId);
+                        connection.RequestClose();
+                    }
                 }
             }
         }

src/SignalR/common/Http.Connections/src/PublicAPI.Unshipped.txt

@@ -1,5 +1,7 @@
 #nullable enable
 *REMOVED*Microsoft.AspNetCore.Http.Connections.Features.IHttpContextFeature.HttpContext.get -> Microsoft.AspNetCore.Http.HttpContext!
 Microsoft.AspNetCore.Http.Connections.Features.IHttpContextFeature.HttpContext.get -> Microsoft.AspNetCore.Http.HttpContext?
+Microsoft.AspNetCore.Http.Connections.HttpConnectionDispatcherOptions.CloseOnAuthenticationExpiration.get -> bool
+Microsoft.AspNetCore.Http.Connections.HttpConnectionDispatcherOptions.CloseOnAuthenticationExpiration.set -> void
 Microsoft.AspNetCore.Http.Connections.HttpConnectionDispatcherOptions.TransportSendTimeout.get -> System.TimeSpan
 Microsoft.AspNetCore.Http.Connections.HttpConnectionDispatcherOptions.TransportSendTimeout.set -> void