DEVHIDE
Login Or Sign up

I need to create an Ocelot API Gateway with a SecurityKey per Tenant. Ideas?

282 Views Asked by At

The task before us is to create a client facing api for a multi-tenant application using .NET Core. We are gravitating towards Ocelot as the solution for our api gateway. As a multi-tenant provider a requirement for us is that each client/tenant has their own private secret JWT validation key. This feature insures that validation can be managed on a the terms of the tenant. Ocelot, however being a popular choice in .NET Core is not clear (at least to me) on how to achieve this. Any suggestions on the best way to achieve this per-tenant strategy with Ocelot would be greatly appreciated?

Thanks ahead!

c# .net jwt ocelot
Original Q&A
1

There are 1 best solutions below

0
On

The final solution surely depends on the scope of your project, how many tenants you have and how general/dynamic your code must be.

But just to give you something to start with and then you can work on it to make it more flexible:

You can define multiple authentication schemes in your gateway - one per each tenant. Each may have different issuer and different JWT signing key. In your Program.cs:

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer("tenant1AuthScheme", 
        options =>
        {
            options.Authority = "/authority/of/tenant1";
            options.Audience = "your_audience";
            options.TokenValidationParameters = new TokenValidationParameters
            {
                IssuerSigningKey = tenant1Key
            };
        })
    .AddJwtBearer("tenant2AuthScheme", 
        options =>
        {
            options.Authority = "/authority/of/tenant2";
            options.Audience = "your_audience";
            options.TokenValidationParameters = new TokenValidationParameters
            {
                IssuerSigningKey = tenant2Key
            };
        });

Normally in Ocelot if you want to assign authentication scheme to the route you add AuthenticationOptions in ocelot config file(s) for each route:

"AuthenticationOptions": {
    "AuthenticationProviderKey": "someAuthScheme",
  }

But it won't work for you, as you probably want it to be dynamic (multiple tenants per route). In this case you can do the authentication manually by overriding AuthenticationMiddleware:

var ocelotConfig = new OcelotPipelineConfiguration
{
    AuthenticationMiddleware = async (ctx, next) =>
    {
        var downstreamRoute = ctx.Items["DownstreamRoute"] as Ocelot.Configuration.DownstreamRoute;

        if (downstreamRoute is null)
        {
            ctx.Items.Add("DownstreamResponse",
                new DownstreamResponse(new HttpResponseMessage(System.Net.HttpStatusCode.NotFound)));
            return;
        }

        bool anonymousRoute = false; // [Here should be your logic to determine anonymous routes if you have any]
        if (anonymousRoute)
        {
            await next.Invoke();
            return;
        }

        string tenantName = ""; // [Your logic to discover the tenant name, maybe by checking request header e.g. ctx.Request.Headers.Authorization]

        // [Your logic to determine the authentication scheme basing on tenant name]
        string authScheme = tenantName switch
        {
            "tenant1" => "tenant1AuthScheme",
            "tenant2" => "tenant2AuthScheme",
            _ => throw new Exception("Tenant not recognized") // returning HttpStatusCode.Unauthorized might work better in this case than throwing exception
        };

        // Authenticate the user with the chosen authentication scheme
        var authenticateResult = await ctx.AuthenticateAsync(authScheme);
        if (authenticateResult.Succeeded)
        {
            var httpContextAccessor = ctx.RequestServices.GetRequiredService<IHttpContextAccessor>();
            ctx.User = authenticateResult.Principal;
            httpContextAccessor.HttpContext.User = authenticateResult.Principal;

            await next.Invoke();
            return;
        }
        
        ctx.Items.Add("DownstreamResponse", 
            new DownstreamResponse(
                new HttpResponseMessage(System.Net.HttpStatusCode.Unauthorized)));
    }
};

Haven't tested it but this idea might work.

As a side note - if you're building a new gateway consider YARP, it's a Microsoft project of reverse proxy which seems to have much better maintenance than Ocelot. Ocelot's head maintainer Tom Pallister has left the project and it has not been receiving much support in recent years:

https://github.com/ThreeMammals/Ocelot/issues/1539

https://github.com/dotnet/docs/issues/27445

However it looks things have improved a bit this year so it's up to you.

Related Questions in C#

Related Questions in .NET

Related Questions in JWT

Related Questions in OCELOT

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.