Improve documentation on role or user change during SignalR connection lifetime#37289
Open
cincuranet wants to merge 4 commits into
Open
Improve documentation on role or user change during SignalR connection lifetime#37289cincuranet wants to merge 4 commits into
cincuranet wants to merge 4 commits into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the SignalR authentication/authorization documentation to clarify how authorization behaves when a user’s roles/claims change after a SignalR connection is established.
Changes:
- Adds a new section explaining that SignalR caches the authenticated principal for the lifetime of a connection, so role/claim updates aren’t reflected on existing connections.
- Provides guidance on mitigation options (closing connections or performing “current data” checks).
- Updates the bearer-token section to reference the new guidance.
BrennanConroy
approved these changes
Jun 26, 2026
BrennanConroy
left a comment
BrennanConroy
left a comment
Member
There was a problem hiding this comment.
Content looks good, will leave it for the docs writers to review for flow and style.
Contributor
|
...reviewing |
wadepickett
reviewed
Jun 26, 2026
| * A user is signed in with the `Editor` role and has an open SignalR connection. | ||
| * The app removes the `Editor` role from that user. | ||
|
|
||
| On the next long-poll request, the authentication middleware might authenticate the user without the `Editor` role (for example, if roles are loaded from a data store or the cookie is refreshed). However, the hub continues to authorize the user's `[Authorize(Roles = "Editor")]` hub method invocations because `Context.User` (<xref:Microsoft.AspNetCore.SignalR.HubCallerContext.User?displayProperty=nameWithType>) still holds the principal that was cached before the role was removed. The user can keep calling `Editor`-only hub methods until the connection is closed. |
Contributor
There was a problem hiding this comment.
Suggested change
| On the next long-poll request, the authentication middleware might authenticate the user without the `Editor` role (for example, if roles are loaded from a data store or the cookie is refreshed). However, the hub continues to authorize the user's `[Authorize(Roles = "Editor")]` hub method invocations because `Context.User` (<xref:Microsoft.AspNetCore.SignalR.HubCallerContext.User?displayProperty=nameWithType>) still holds the principal that was cached before the role was removed. The user can keep calling `Editor`-only hub methods until the connection is closed. | |
| On the next long-poll request, the authentication middleware might authenticate the user without the `Editor` role. For example, this can happen if roles are loaded from a data store or the cookie is refreshed. However, the hub continues to authorize the user's `[Authorize(Roles = "Editor")]` hub method invocations because `Context.User` (<xref:Microsoft.AspNetCore.SignalR.HubCallerContext.User?displayProperty=nameWithType>) still holds the principal that was cached before the role was removed. The user can keep calling `Editor`-only hub methods until the connection is closed. |
Minor item: Breaking up into seperate sentances to improve readability.
wadepickett
approved these changes
Jun 26, 2026
wadepickett
left a comment
wadepickett
left a comment
Contributor
There was a problem hiding this comment.
Approved. Well done, looks great! I could only find a very minor item which I provided a suggestion for you inline.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes dotnet/aspnetcore#66718.
Internal previews