I'm currently working on a microservice architecture project that uses Ocelot for APIGateway, and IdentityServer4 for authentication and authorization. Recently, I transitioned from self-contained tokens to reference tokens for improved security.
In the current setup, each microservice sends requests to the introspection endpoint of IdentityServer to retrieve claims. However, this results in unnecessary round trips to IdentityServer when microservices communicate with each other.
To make the process more effective, I have shifted the authentication and authorization logic to the API Gateway (Ocelot). Essentially, the API Gateway would handle authentication by communicating with IdentityServer's introspection endpoint and passing the obtained claims to the backend services.
However, I've encountered a problem: the claims obtained from the introspection endpoint are not forwarded to the backend services by Ocelot.
My goal is to optimize this process and minimize round trips to IdentityServer. One approach I'm exploring is intercepting the response from the introspection endpoint within Ocelot and injecting the claims into the requests being sent to the backend services.
I'd appreciate any insights, best practices, or alternative approaches for efficiently managing authentication and authorization in this microservice architecture. I am using .NET 6, Ocelot 18.0, and IdentityServer4. Thank you!