Authentication/Authorization - Conceptual Questions #1888
-
I'm struggling to comprehend why is it so damn hard to do proper authentication/authorization if you hide your downstream services behind a gateway. Please help me to understand, and advise! So, just a quick background info. We are currently working on a modular platform (micro-frontend/microservices) where different teams can add modules freely to the same system. We only need Azure AD authentication therefore I wanted to avoid using Identity Server and having a separate issuer service implementation. I'm trying to keep it simple. As far as I understand, the fastest possible solution is if the downstream services don't do shit, we configure the Azure AD auth on Ocelot level only. That's fine I guess, but with this way claims won't be extracted automatically by the downstream services (that's why, I guess, Ocelot has this obscure claims transformation feature in the first place). I couldn't find any simple solution on the Internet to make a downstream service to accept the JWT token coming from the gateway. It's hard to believe that no one ever needed that before me. The other problem I have with this approach is that I don't want to configure the Gateway all the time when another team creates a new API endpoint. They should be able to use the [Authorize] attribute in their code to finetune their authentication/authorization requirements. But with this approach authentication won't work, unless you do many hacks/workarounds. (Downstream service URL in HTTP 302 redirections and such, you can't initiate signin at downstream level and expect from the upstream to be able to finish correctly) So, isn't here a better solution for this? Don't tell me nobody suffers from this. The web is full of utterly terrible solutions, one is worse than the other, while I don't want to reinvent the wheel here, I'm sure there must be a simple solution for this. Or am I missing something important? Please help! Thanks! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
Not sure how Azure AD works, I assume it is using OAuth 2.0 / OpenID Connect with a bearer token since you are referring to claims transformation.
That's a way to do it.
By default Ocelot is forwarding headers, so Authorization header should forward the access-token as-is to downstream apis. You could parse the token there (using standard Authentication middleware in a dotnet core api for instance). But that could lead to other issues:
The solution we've opted for:
Not sure this is a perfect solution but that works for us and it is reasonably simple.
It could also be a way to simplify/restrict public endpoints. For instance, say you have a downstream route
I don't see a simple way around that. I mean the gateway is meant to control which routes can be accessed, in between an application and the apis, so each team will probably want to update the gateway at some point. Imagine an api exposed by 2 gateways (2 applications) but not all routes should be in the first gateway (it could be a public web app versus a back office for the second gateway, with more sensible actions). In our case we don't use standard Identity Users in the apis since the token used for authentication is not a end user one, but we are still able to check user claims in the apis using our dedicated UserService. Not a perfect answer, but I hope it still helps. |
Beta Was this translation helpful? Give feedback.
Not sure how Azure AD works, I assume it is using OAuth 2.0 / OpenID Connect with a bearer token since you are referring to claims transformation.
That's a way to do it.
By default Ocelot is forwarding headers, so Authorization header should forward the access-token as-is to downstream apis. You could parse the token there…