IHttpContextAccessor context always null with Azure SignalR Service #17617

Closed
Zenuka opened this issue Dec 5, 2019 · 4 comments

Zenuka commented Dec 5, 2019

This feature request is the same as #12535 but unfortunately it's locked (just a few days ago) and I can't comment on it. For security purposes I would like to use the access token in the request (because it's not available in the claims) to get the features a user has access to from another API. The access token is probably not available in the claims because I have another workaround in place from: IdentityServer/IdentityServer4#2349 (comment)

To get the access token locally (without Azure SignalR service), I use the IHttpContextAccessor to access the HttpContext.Request and get the token, but this is not available when using the Azure SignalR service. Is it possible to allow access to the HttpContext from the IHttpContextAccessor when using Azure SignalR service?

@javiercn javiercn added the area-signalr Includes: SignalR clients and servers label Dec 5, 2019
Member

halter73 commented Dec 5, 2019

Since the SignalR connection is routed through the Azure SignalR service instead of there being a direct connection to the ASP.NET Core server, there isn't any HttpContext to access. Is there any reason using HubCallerContext.User as suggested in #12535 (comment) doesn't address your use case?

Author

Zenuka commented Dec 5, 2019

I need to access the access_token to ask another API for the rights this user had based on the claims, but the access token is not available in claims. Probably because of the other workaround I linked in the original post.

@BrennanConroy
Member

We generally recommend that you grab the access_token and put it in your claims in middleware before SignalR runs.

Author

Zenuka commented Dec 6, 2019

Thanks for both your quick replies! I've spent my morning trying to store the access token as a claim again and it seems I was making a stupid (and unrelated) mistake. I was using JwtBearerEvents.OnTokenValidated but this method was never called. That's because I use token introspection, so I should have used OAuth2IntrospectionEvents.OnTokenValidated instead. Now I got the access token as a claim and I can access it in my AuthorizationHandlers using AuthorizationHandlerContext.User.

Just for when someone hits this issue from Google, the important pieces of my solution:

```csharp
services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication("Bearer",
        options =>
        {
            options.Authority = "...";
            options.ApiName = "...";
            options.ApiSecret = "...";
            // Src: https://github.com/IdentityServer/IdentityServer4/issues/2349#issuecomment-394099795
            options.TokenRetriever = CustomTokenRetriever.FromHeaderAndQueryString;
            // Do not use 'options.JwtBearerEvents' when using introspection
            options.OAuth2IntrospectionEvents = new OAuth2IntrospectionEvents
            {
                OnTokenValidated = context =>
                {
                    if (!string.IsNullOrWhiteSpace(context.SecurityToken)
                        && context.Principal.Identity is ClaimsIdentity identity
                        && !identity.HasClaim(c => c.Type == "access_token"))
                    {
                        identity.AddClaim(new Claim("access_token", context.SecurityToken));
                    }

                    return Task.CompletedTask;
                }
            };
        });
```
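
An added example, not part of the original thread: one way the consuming side described above could look, an authorization handler that reads the `access_token` claim from `AuthorizationHandlerContext.User` and asks another API whether the user has a feature. `FeatureRequirement`, `FeatureHandler` and the `features/{name}` endpoint are hypothetical, and the `HttpClient` is assumed to be registered with the other API's base address.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Hypothetical requirement: the caller must have a named feature enabled.
public class FeatureRequirement : IAuthorizationRequirement
{
    public FeatureRequirement(string feature) => Feature = feature;
    public string Feature { get; }
}

public class FeatureHandler : AuthorizationHandler<FeatureRequirement>
{
    // Assumption: injected client whose BaseAddress points at the other API.
    private readonly HttpClient _client;

    public FeatureHandler(HttpClient client) => _client = client;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, FeatureRequirement requirement)
    {
        // The claim was added in OnTokenValidated, so no HttpContext is needed here.
        var token = context.User.FindFirst("access_token")?.Value;
        if (string.IsNullOrWhiteSpace(token))
        {
            return; // Fail closed: without a token the requirement stays unmet.
        }

        // Hypothetical endpoint; the feature name is escaped before it enters the path.
        using var request = new HttpRequestMessage(
            HttpMethod.Get, "features/" + Uri.EscapeDataString(requirement.Feature));
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

        using var response = await _client.SendAsync(request);

        // Only an explicit success grants access; any other status denies.
        if (response.IsSuccessStatusCode)
        {
            context.Succeed(requirement);
        }
    }
}
```

The token is now carried on the principal as an ordinary claim, so keep it out of logs and diagnostics that dump claims.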

@Zenuka Zenuka closed this as completed Dec 6, 2019
@ghost ghost locked as resolved and limited conversation to collaborators Jan 5, 2020