Upgrade Auto-generated token from HS256

[VuNhat]

Hi guys, currently we are building a public chatbot that is using Azure Signalr Service.
We observed that the auto-generated token to azure signalr service is using HS256, which result in a failed pen-test from the client.
I'm wondering if there is any guidance to customize the JWT for negotiation step, using stronger algo. Please advise, thank you

[vicancy]

Currently, it is not customizable. If HS256 is weak, which one would you recommend? Shall we directly update the SecurityAlgorithm to make it stronger instead of making it customizable?

azure-signalr/src/Microsoft.Azure.SignalR.Common/Utilities/AuthenticationHelper.cs

Line 75 in 5f1f13f

credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);

[VuNhat]

hi @vi
I think anything stronger than RS256 should be fine, no need to be customizable. But my concern is, as we are sending this token in the url and not header, will a longer token failed to send?

[vicancy]

How about HS512? Yes, that will make the URL longer, for HTTP/1.1, or C# clients, the max URI length is 12K, that sounds enough if you don't have too many claims passing to the service.

[VuNhat]

Yes that should be good enough. Thank!

[vicancy]

Thanks for the confirmation, we will provide an option to choose between HS256 and HS512 then.