Background
I have two microservices that require access to the IWindowsPrincipal of the calling user. I am writing an API Gateway using .NET Core 3.1 that will act as a reverse proxy for these services. I have configured Authentication and Authorization in the API Gateway as follows:
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Ocelot.DependencyInjection;
using Ocelot.Middleware;
// AddHttpForwarder comes from the Yarp.ReverseProxy package; AddSwaggerForOcelot and
// UseSwaggerForOcelotUI come from the MMLib.SwaggerForOcelot package.

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(options =>
        {
            // Wide open. Browsers will not send credentials (including the Negotiate
            // handshake) to an origin that answers Access-Control-Allow-Origin: *, and
            // ASP.NET Core rejects AllowAnyOrigin() combined with AllowCredentials();
            // a credentialed cross-origin caller needs an explicit WithOrigins(...) list.
            options.AddPolicy("All allowed",
                builder =>
                {
                    builder
                        .AllowAnyOrigin()
                        .AllowAnyMethod()
                        .AllowAnyHeader();
                });
        });
        // Windows Authentication (Kerberos/NTLM) is configured at the gateway only.
        services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
            .AddNegotiate();
        services.AddAuthorization();
        services.AddControllers();
        services.AddHttpForwarder();
        services.AddOcelot();
        services.AddSwaggerForOcelot(_configuration);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCors("All allowed");
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
        app.UseSwaggerForOcelotUI(options =>
        {
            options.PathToSwaggerGenerator = "/swagger/docs";
        });
        // UseOcelot returns a Task; the Ocelot docs call it as UseOcelot().Wait() so the
        // proxy pipeline is fully built before Configure returns.
        app.UseOcelot().Wait();
    }
}
Requirement
I would like to access the calling user's identity using HttpContext.User.Identity in the methods of the microservices.
Actual Result
In the methods of the microservices, HttpContext.User.Identity.IsAuthenticated is false and the identity information is empty.
Question
Is there a way to configure Ocelot in the gateway so that it will challenge the caller if necessary, receive the Windows Authentication information and pass it on to the microservices? If this is not possible, is the recommended way to achieve my goal to implement Windows Authentication in each of the microservices? Isn't Ocelot supposed to allow me to handle authentication in one place for all microservices?
Follow on Question 1
Ocelot's documentation refers to Authentication using a JWT. Should I conclude that Ocelot only provides JWT configuration?
Follow on Question 2
I have read a little about YARP (https://microsoft.github.io/reverse-proxy/). Should I be using YARP instead of Ocelot to achieve my goal?
CodePudding user response:
I think the answer is No.
Is there a way to configure Ocelot in the gateway so that it will challenge the caller if necessary, receive the Windows Authentication information and pass it on to the microservices?
The problem is that Windows Authentication is stateful: server and client are in the same Active Directory. You can find the note in .NET Core Windows Authentication:
Windows Authentication is a stateful scenario primarily used in an intranet, where a proxy or load balancer doesn't usually handle traffic between clients and servers.
A microservices architecture requires stateless rather than stateful authentication (meaning the server and client are in a different AD/OS/network), and the gateway is a stateless component in the microservices picture.
The only way Ocelot can authenticate a Windows user is by using Active Directory Federation Services (ADFS) with OpenID Connect (OIDC), or by building an identity server on the IIS server yourself. You can read the ADFS or Azure AD scenario for more details.
Besides, here are my answers to the two follow-on questions:
- No. Ocelot just provides an add-in feature to check which JWT claims must be present before it allows the request through to the downstream service. You can build custom authentication/authorization middleware to allow/deny the correct upstream.
- No. For your requirement, YARP means the same as Ocelot.
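The "build it yourself" option the answer mentions, as an added example that is not part of the original question or answer and not code from the Ocelot project: the gateway still authenticates the caller with Negotiate, but instead of trying to relay the Kerberos/NTLM handshake (which is bound to the client-to-gateway hop and cannot be replayed), it mints a short-lived JWT carrying the Windows account name and attaches it to every downstream request through an Ocelot DelegatingHandler. The microservices then validate that JWT with the JwtBearer handler, so HttpContext.User.Identity is populated there without each service doing Windows Authentication. Assumptions in this example: the class names, the urn:example issuer and audience values and the GATEWAY_JWT_KEY environment variable are all hypothetical; the gateway and services share one HMAC key distributed out of band; the microservices are reachable only from the gateway; and the NuGet packages Microsoft.AspNetCore.Authentication.Negotiate, Microsoft.AspNetCore.Authentication.JwtBearer, System.IdentityModel.Tokens.Jwt and Ocelot are referenced. Ocelot's AddDelegatingHandler<T>(global: true) registers the handler for every route.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using Ocelot.DependencyInjection;
using Ocelot.Middleware;

// Key and token metadata shared by the gateway and the services (all hypothetical names).
// GATEWAY_JWT_KEY holds 32+ random bytes, base64-encoded; an RSA/ECDSA pair is better
// in production because the services then hold only the public key.
public static class GatewayTokenKey
{
    public const string Issuer = "urn:example:gateway";
    public const string Audience = "urn:example:services";
    public static SymmetricSecurityKey Load() => new SymmetricSecurityKey(
        Convert.FromBase64String(Environment.GetEnvironmentVariable("GATEWAY_JWT_KEY")));
}

// Gateway side: Ocelot delegating handler, runs after Negotiate has authenticated the caller.
public class WindowsIdentityForwardingHandler : DelegatingHandler
{
    private readonly IHttpContextAccessor _accessor;
    private readonly SigningCredentials _credentials =
        new SigningCredentials(GatewayTokenKey.Load(), SecurityAlgorithms.HmacSha256);

    public WindowsIdentityForwardingHandler(IHttpContextAccessor accessor) => _accessor = accessor;

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        // Drop whatever Authorization header the client sent: the Negotiate token is
        // bound to the client-to-gateway hop and must never reach the services.
        request.Headers.Authorization = null;
        var user = _accessor.HttpContext?.User;
        if (user?.Identity?.IsAuthenticated == true)
        {
            var claims = new[] { new Claim(ClaimTypes.Name, user.Identity.Name) };
            var token = new JwtSecurityToken(GatewayTokenKey.Issuer, GatewayTokenKey.Audience, claims,
                notBefore: DateTime.UtcNow,
                expires: DateTime.UtcNow.AddMinutes(2), // only has to survive one hop
                signingCredentials: _credentials);
            request.Headers.Authorization = new AuthenticationHeaderValue(
                "Bearer", new JwtSecurityTokenHandler().WriteToken(token));
        }
        return base.SendAsync(request, ct);
    }
}

public class GatewayStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddHttpContextAccessor();
        services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();
        services.AddOcelot().AddDelegatingHandler<WindowsIdentityForwardingHandler>(global: true);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        // Challenge anonymous callers here so every proxied route goes through the
        // WWW-Authenticate: Negotiate handshake before Ocelot forwards anything.
        app.Use(async (ctx, next) =>
        {
            if (ctx.User.Identity?.IsAuthenticated == true) await next();
            else await ctx.ChallengeAsync(NegotiateDefaults.AuthenticationScheme);
        });
        app.UseOcelot().Wait();
    }
}

// Microservice side: accepts only tokens minted by the gateway.
public class ServiceStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
            {
                ValidIssuer = GatewayTokenKey.Issuer,
                ValidAudience = GatewayTokenKey.Audience,
                IssuerSigningKey = GatewayTokenKey.Load(),
                ClockSkew = TimeSpan.FromSeconds(30),
            });
        // Every endpoint requires a valid gateway token, even without [Authorize].
        services.AddAuthorization(o => o.FallbackPolicy = o.DefaultPolicy);
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // HttpContext.User.Identity.Name is now the Windows account name
        app.UseAuthorization();
        app.UseEndpoints(e => e.MapControllers());
    }
}
```

The trust boundary this creates is the signing key: anything that can reach a microservice and holds the key is indistinguishable from the gateway, so the services must not be reachable from clients directly and the key must live in a secret store rather than in source or appsettings. Group memberships can be forwarded the same way by copying the caller's ClaimTypes.GroupSid claims into the token, which lets the services make authorization decisions without contacting AD. Replacing the gateway-minted token with one issued by ADFS or Azure AD over OIDC, as the answer suggests, keeps the service-side configuration identical and removes the shared key.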