
Background

I have two microservices that require access to IWindowsPrincipal of the calling user. I am writing an API Gateway using .Net Core 3.1 that will act as a reverse proxy for these services. I have configured Authentication and Authorization in the API Gateway as follows:

using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Ocelot.DependencyInjection;
using Ocelot.Middleware;

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration)
    {
        _configuration = configuration;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(options =>
        {
            options.AddPolicy("All allowed",
                builder =>
                {
                    builder
                        .AllowAnyOrigin()
                        .AllowAnyMethod()
                        .AllowAnyHeader();
                });
        });

        // Windows Authentication (Kerberos/NTLM) via the Negotiate handler.
        services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
            .AddNegotiate();
        services.AddAuthorization();

        services.AddControllers();
        services.AddHttpForwarder();
        services.AddOcelot();
        services.AddSwaggerForOcelot(_configuration);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCors("All allowed");

        app.UseRouting();

        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });

        app.UseSwaggerForOcelotUI(options =>
        {
            options.PathToSwaggerGenerator = "/swagger/docs";
        });

        // UseOcelot returns a Task; block on it so the middleware is in place
        // before the pipeline starts serving requests.
        app.UseOcelot().Wait();
    }
}

Requirement

I would like to access the calling user's identity using HttpContext.User.Identity in the method of the microservices.

Actual Result

In the methods of the microservices, HttpContext.User.Identity.IsAuthenticated is false and the identity information is empty.

Question

Is there a way to configure Ocelot in the gateway so that it will challenge the caller if necessary, receive the Windows Authentication information, and pass it on to the microservices? If this is not possible, is the recommended way to achieve my goal to implement Windows Authentication in each of the microservices? Isn't Ocelot supposed to allow me to handle Authentication in one place for all microservices?

Follow on Question 1

Ocelot's documentation refers to Authentication using a JWT. Should I conclude that Ocelot only provides JWT configuration?

Follow on Question 2

I have read a little about YARP (https://microsoft.github.io/reverse-proxy/). Should I be using YARP instead of Ocelot to achieve my goal?

1 Answer

I think the answer is No.

Is there a way to configure Ocelot in the gateway so that it will challenge the caller if necessary, receive the Windows Authentication information, and pass it on to the microservices?

The problem is that Windows Authentication is stateful: server and client are in the same Active Directory. You can find the note in .NET Core Windows Authentication:

Windows Authentication is a stateful scenario primarily used in an intranet, where a proxy or load balancer doesn't usually handle traffic between clients and servers.

Microservices architecture requires stateless instead of stateful (meaning the server and client are in different AD/OS/Network), and the Gateway is a stateless component in the Microservices picture.

The only way Ocelot can authenticate a Windows user is using Active Directory Federation Services (ADFS) with OpenID Connect (OIDC) or constructing an Identity Server in the IIS Server by yourself. You can read the scenario in ADFS or Azure AD for more details.

Besides, here are my answers for the two follow-on questions:

  1. No, Ocelot just provides the add-in feature to detect which claims of the JWT must be included before it allows the request to go through downstream. You can build custom Authentication/Authorization middleware to allow/deny the correct upstream.
  2. No, YARP has the same meaning as Ocelot for your requirement.
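An added example (not part of the question or the answer) of the JWT/OIDC pattern the answer points to: the gateway registers a JwtBearer scheme under the key an Ocelot route references, Ocelot rejects requests before proxying when the token lacks the required claim, and each microservice validates the same bearer token itself instead of relying on a stateful Negotiate handshake surviving the proxy hop. The issuer host, audience, downstream host and claim values are constructed placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Ocelot.DependencyInjection;
using Ocelot.Middleware;
/* ocelot.json route (constructed placeholder values). AuthenticationProviderKey
   ties the route to the JwtBearer scheme registered below; RouteClaimsRequirement
   makes Ocelot reject tokens lacking the claim before the request is proxied.
{ "Routes": [ {
    "UpstreamPathTemplate": "/svc1/{everything}", "UpstreamHttpMethod": [ "Get", "Post" ],
    "DownstreamScheme": "https", "DownstreamPathTemplate": "/api/{everything}",
    "DownstreamHostAndPorts": [ { "Host": "svc1.internal.example", "Port": 443 } ],
    "AuthenticationOptions": { "AuthenticationProviderKey": "OidcJwt", "AllowedScopes": [] },
    "RouteClaimsRequirement": { "role": "Employee" } } ] } */
public class GatewayStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Scheme name "OidcJwt" must equal AuthenticationProviderKey in ocelot.json.
        services.AddAuthentication().AddJwtBearer("OidcJwt", o =>
        {
            o.Authority = "https://adfs.example.test/adfs"; // placeholder OIDC issuer (ADFS/Azure AD)
            o.Audience = "api://gateway";                  // placeholder audience
        });
        services.AddOcelot();
    }
    public void Configure(IApplicationBuilder app)
    {
        // Ocelot authenticates per route and forwards the Authorization header
        // downstream unchanged; UseOcelot returns a Task, so wait for it.
        app.UseOcelot().Wait();
    }
}
// Each microservice validates the same bearer token on its own, so
// HttpContext.User.Identity.IsAuthenticated is true there with no AD round trip.
public class MicroserviceStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(o => { o.Authority = "https://adfs.example.test/adfs"; o.Audience = "api://gateway"; });
        services.AddAuthorization();
        services.AddControllers();
    }
    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting(); app.UseAuthentication(); app.UseAuthorization();
        app.UseEndpoints(e => e.MapControllers());
    }
}
```

Because every hop validates the signature against the issuer's published keys, the gateway never has to forward a Windows identity it cannot prove, and a forged or stripped header downstream is detected rather than trusted.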

5 Comments

But after the gateway has challenged the user it receives the identity in the form of headers. Why can't Ocelot forward those headers to the API endpoints?
As I said, Windows Authentication is stateful and the main problem is that the mechanism belongs to the IIS Server and the Windows OS. Both must be joined to the same AD and network. The mechanism isn't only acquired from a header; it requires that the web server's authentication mechanism supports Windows Authentication at the network level. Imagine you have a web app (client), a Gateway (proxy) and an API (web service). If you want the request to go through the Gateway and the API, they must stay on the same network and the same AD. This is bad practice in Microservices.
Also, the user isn't only authenticated at the Gateway level but also at the API level. Compared with SSO, Windows authentication is more complicated to set up in this scenario. SSO just requires using a JWT to pass around the servers, and a server can authenticate the JWT itself without a third component, whereas Windows Authentication requires that the server authenticate by communicating with the AD Server.
Thank you for your answers. I am accepting the answer.
