5

I am confused about SignalR, specifically when using the Azure SignalR Service and then even more so when thinking about the server-less implementation using Azure Functions.

I have a web app and an Azure Function app, which has a negotiation function implemented. The JavaScript on the client is successfully negotiating and able to connect to the Azure SignalR Service, so far so good.

Side question: Is the only thing that stops any old person connecting and getting a token the CORS setting? Is this secure enough on its own?

After this is where I get confused. I now have a Azure SignalR Service and an Azure Function app, what use does the Function App serve after the client connection to the Azure SignalR Service has been established?

In terms of client interaction I need to do things like join a group and broadcast to said group (from JavaScript on the client), I assume those would be two additional functions (Http triggers) on the function app?

Assuming I am correct on the above, how do I stop anyone from calling the 'broadcast' function via the function apps http endpoint? At least locally I am able to call it from Postman without providing any information received in the initial negotiate response.

I also need to push messages to groups from backend code (.net standard), is this done by a call to the function app or straight to the Azure SignalR Service?

Thanks in advance.

Improve this question
1
  • After a bit more reading it seems the answer might be to use the RestAPI for everything other than clients sending messages? Commented Sep 20, 2019 at 15:22

1 Answer 1

Reset to default
1

That's a great question!
I was wondering the same thing when I've started to lean towards a completely serverless approach.

Is the only thing that stops any old person connecting and getting a token the CORS setting? Is this secure enough on its own?

It sure seems this way when you start, but the answer is no.
You can authenticate your functions. Either with the built in providers, or you can authenticate yourself, by creating your own custom binding for checking the token that is passed via the header.

In terms of client interaction I need to do things like join a group and broadcast to said group (from JavaScript on the client), I assume those would be two additional functions (Http triggers) on the function app?

You are assuming correctly. If you want to go completely serverless, this is the way to go. You can authenticate the functions the same way as you authenticate your SignalR negotiating function and you will have a secure endpoint which will call the SignalR service for you.

I also need to push messages to groups from backend code (.net standard), is this done by a call to the function app or straight to the Azure SignalR Service?

This one has no right answer. That really depends on your specific architecture. Without more context, it would be hard/wrong to try to answer this question.

Oh, and if you are going serverless with SignalR, I really hope you are utilizing their bindings. :)

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Thanks for the reply. I am thinking that for the interaction from my .net standard web app I would like to the use SignalR service REST API (which I hadn't found when I wrote this post). Any recommendations on how to consume this? Just by HTTP calls? Struggling specifically with the authentication side of it. Would I be able to use the negotiate function or do I just manually build a JWT?
You could build the JWT yourself or use the negotiate function, but then you'll have to authenticate yourself to the function.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.