There are 2 microservices, an ocelot gateway, a web client and an authorization server (https://github.com/skoruba/Duende.IdentityServer.Admin). I want to check authorization on the gateway.
gateway configuration registered in ocelot.json
{
"GlobalConfiguration": {
"BaseUrl": "https://localhost:7280"
},
"Routes": [
{
"UpstreamPathTemplate": "/Operations/{everything}",
"UpstreamHttpMethod": [ "Get" ],
"DownstreamPathTemplate": "/Operations/{everything}",
"DownstreamScheme": "https",
"DownstreamHostAndPorts": [
{
"Host": "localhost",
"Port": 7193
}
],
"AuthenticationOptions": {
"AuthenticationProviderKey": "Bearer",
"AllowedScopes": [ "apiGateWay" ]
}
},
Startup
.ConfigureServices(s => {
var authenticationProviderKey = "Bearer";
Action<JwtBearerOptions> options = (opt) =>
{
opt.Authority = "https://sts.skoruba.local";
opt.TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false
};
};
s.AddAuthentication()
.AddJwtBearer(authenticationProviderKey, options);
s.AddOcelot();
web client I execute a request on the web client
[Route("index2")]
public async Task<string> Index2Async(int id)
{
var text = "empty";
var token = await _tokenService.GetToken("apiGateWay");
using (var client = new HttpClient())
{
client.SetBearerToken(token.AccessToken);
text = await client.GetStringAsync("https://localhost:7280/Operations/index");
}
return text;
}
public async Task<TokenResponse> _tokenService.GetToken(string scope)
{
using (var client = new HttpClient())
{
var tokenResponse = await client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
{
Address = _discDocument.TokenEndpoint,
ClientId = "web",
Scope = scope,
ClientSecret = "secret"
});
if (tokenResponse.IsError)
{
throw new Exception("Token Error");
}
return tokenResponse;
}
}
this is how everything works and the request is passed to the required service
but I would like the user of the web client to be authorized, so I did this.
- On the web client Program.cs
builder.Services.AddAuthentication(config =>
{
config.DefaultScheme = "Cookie";
config.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookie")
.AddOpenIdConnect("oidc", config =>
{
config.Authority = "https://sts.skoruba.local/";
config.ClientId = "web";
config.ClientSecret = "secret";
config.ResponseType = "id_token token";
config.SignedOutCallbackPath = "/Home/Index";
config.SaveTokens = true;
config.ClaimActions.DeleteClaim("amr");
config.ClaimActions.DeleteClaim("s_hash");
config.GetClaimsFromUserInfoEndpoint = true;
// configure scope
config.Scope.Add("openid");
config.Scope.Add("profile");
config.Scope.Add("roles");
config.Scope.Add("apiGateWay");
});
- I added [Authorize] to the controller to the authorization page in the identity server, it redirects there and I log in successfully. but using this token to call the request await client.GetStringAsync("https://localhost:7280/Operations/index"); I get 401 error
[Authorize]
[Route("index3")]
public async Task<string> Index3Async(int id)
{
var text = "empty";
var accessToken = await AuthenticationHttpContextExtensions.GetTokenAsync(
HttpContext, OpenIdConnectParameterNames.AccessToken);
using (var client = new HttpClient())
{
client.SetBearerToken(accessToken);
text = await client.GetStringAsync("https://localhost:7280/Operations/index");
}
return text;
}
some identity server settings, if you need additional ones, let me know
What am I doing wrong?
This configuration turned out to be working. When changing the configuration, I did not clear the cookies because of which the token was incorrect