Ocelot Authorization using Identity server

[satishviswanathan]

Expected Behavior / New Feature

Authorize and forward the request to downstream server.

Actual Behavior / Motivation for New Feature

[22:11:50 INF] Request starting HTTP/1.1 POST http://localhost:64021/api/MyService/test application/json 218
[22:11:50 INF] CORS policy execution successful.
[22:11:50 INF] requestId: 0HLM2S9NIJPHS:00000001, previousRequestId: no previous request id, message: EndpointRateLimiting is not enabled for /api/{everything}
[22:11:50 INF] requestId: 0HLM2S9NIJPHS:00000001, previousRequestId: no previous request id, message: /api/MyService/test is an authenticated route. AuthenticationMiddleware checking if client is authenticated
[22:11:50 WRN] requestId: 0HLM2S9NIJPHS:00000001, previousRequestId: no previous request id, message: Client has NOT been authenticated for /api/MyService/test and pipeline error set. Request for authenticated route /api/MyService/test by  was unauthenticated
[22:11:50 WRN] requestId: 0HLM2S9NIJPHS:00000001, previousRequestId: no previous request id, message: Request for authenticated route /api/MyService/test by  was unauthenticated
[22:11:50 WRN] requestId: 0HLM2S9NIJPHS:00000001, previousRequestId: no previous request id, message: Error Code: UnauthenticatedError Message: Request for authenticated route /api/MyService/test by  was unauthenticated errors found in ResponderMiddleware. Setting error response for request path:/api/MyService/test, request method: POST
[22:11:50 INF] Request finished in 180.6591ms 401

Ocelot configuration

{
    "ReRoutes": [
      {

        "DownstreamHostAndPorts": [
          {
            "Host": "localhost",
            "Port": 61414
          }
        ],
        "DownstreamPathTemplate": "/api/{everything}",
        "UpstreamPathTemplate": "/api/{everything}",
        "UpstreamHttpMethod": [
          "Get",
          "Post"
        ],
        "DownstreamScheme": "http",
        "AuthenticationOptions": {
          "AuthenticationProviderKey": "IdentityApiKey",
          "AllowedScopes": [ "api1" ]
        },
        "AddHeadersToRequest": {
          "Athorization": "Claims[access_token] > value > |"
         
        }
      }
    ],
    "GlobalConfiguration": {
      "RequestIdKey": "OcRequestId",
      "AdministrationPath": "/administration"
    }
  }

Steps to Reproduce the Problem

StartUp.cs

            services.AddAuthentication()
                .AddJwtBearer("IdentityApiKey", x =>
                {
                    x.Authority = "http://localhost:5000/";
                    x.RequireHttpsMetadata = false;
                    x.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
                    {
                        ValidAudiences = new[] { "api1" }
                    };
                    x.Events = new Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerEvents()
                    {
                        OnAuthenticationFailed = async ctx =>
                        {
                            int i = 0;
                        },
                        OnTokenValidated = async ctx =>
                        {
                            int i = 0;
                        },

                        OnMessageReceived = async ctx =>
                        {
                            int i = 0;
                        }
                    };
                });

I'm quite new to Ocelot and using identity server for authorization. Any help is highly appreciated.

[Mortana89]

I suppose the actual Identity server backend/store is hosted in a seperate service? If this is the case, can you try the following, this is how we do this (also with IdentityServer hosted seperately):

services.AddAuthentication()
    .AddIdentityServerAuthentication("Bearer", options =>
    {
        options.Authority = Configuration["Authentication-Authority"];
        options.RequireHttpsMetadata = true;
        options.ApiName = "apigateway";
        options.SupportedTokens = SupportedTokens.Both;
    });

Don't forget to replace the Configuration["Authentication-Authority"] with your authority endpoint.
You also need to install IdentityServer4.AccessTokenValidation package to have the .AddIdentityServerAuthentication extension! ⚠️

[raman-m]

@satishviswanathan Hi Satish!
Have you tried this recommendation?

[satishviswanathan]

@Mortana89 Thank you for your quick response.

I've modified the code according, but still getting the same error.

Log

[10:53:59 INF] Request starting HTTP/1.1 POST http://localhost:64021/api/MyService/test application/json 218
[10:53:59 INF] CORS policy execution successful.
[10:54:00 INF] requestId: 0HLM42O97FKD0:00000001, previousRequestId: no previous request id, message: EndpointRateLimiting is not enabled for /api/{everything}
[10:54:00 INF] requestId: 0HLM42O97FKD0:00000001, previousRequestId: no previous request id, message: /api/MyService/test is an authenticated route. AuthenticationMiddleware checking if client is authenticated
[10:54:00 WRN] requestId: 0HLM42O97FKD0:00000001, previousRequestId: no previous request id, message: Client has NOT been authenticated for /api/MyService/test and pipeline error set. Request for authenticated route /api/MyService/test by was unauthenticated
[10:54:00 WRN] requestId: 0HLM42O97FKD0:00000001, previousRequestId: no previous request id, message: Request for authenticated route /api/MyService/test by was unauthenticated
[10:54:00 WRN] requestId: 0HLM42O97FKD0:00000001, previousRequestId: no previous request id, message: Error Code: UnauthenticatedError Message: Request for authenticated route /api/PhysicalInventory/test by was unauthenticated errors found in ResponderMiddleware. Setting error response for request path:/api/MyService/test, request method: POST
[10:54:00 INF] Request finished in 454.7106ms 401

[raman-m]

Are you sure your token is valid for downstream service to accept?

[gilsdav]

@satishviswanathan I got the same issue.
How do you fix the problem ?

[djrhodes]

@gilsdav not sure if the OP solved his issue, but another thing to check in this scenario is that the Identity Server token itself is valid, you can verify this by hitting the IdSrv introspection endpoint with your token, and checking the response.

[gilsdav]

@djrhodes I got a blazor app that is accessible under / route on Ocelot and manage authentication with IdentityServer4 and save the code as cookie. This app works fine. You can see blazor app config here
I configured an other end-point on same Ocelot but with authentication in the Ocelot configuration. I can see all relevant cookies are sent but I receive 401 and no logs give more informations. You can see Ocelot config here

[gilsdav]

It seems to only work with Bearer header so I used http://docs.identityserver.io/en/release/quickstarts/5_hybrid_and_api_access.html