
I am using Ocelot as an API gateway for my microservices, with IdentityServer4 for authentication. In the Ocelot config file I added "AuthenticationOptions" and set the API key. In the Startup I add the Identity Server. In the Identity Server I use a value from a header to dynamically build the connection string. When I send the request to get a token, the headers are accessible in the identity service. But when I send the next request with the token, the original headers are not available. Only the "Host" header is visible in the identity service.

Is there a way to keep the original headers while routing the request to the identity server?

Startup.cs (Add identity server)

using IdentityServer4.AccessTokenValidation;

// Inside Startup.ConfigureServices: register the IdentityServer4 access-token
// validation handler under the same key Ocelot references in ocelot.json.
services
    .AddAuthentication()
    .AddIdentityServerAuthentication("APIParts", options =>
    {
        options.Authority = "http://localhost:60168";  // IdentityServer address
        options.RequireHttpsMetadata = false;          // dev only; discovery over plain http
        options.ApiName = "Parts";                     // expected audience of the token
        options.SupportedTokens = SupportedTokens.Both; // accept JWT and reference tokens
    });

ocelot.json

{
  "ReRoutes": [
    {
      "DownstreamPathTemplate": "/connect/token",
      "DownstreamScheme": "http",
      "DownstreamHostAndPorts": [
        {
          "Host": "localhost",
          "Port": 60168
        }
      ],
      "UpstreamPathTemplate": "/token",
      "UpstreamHttpMethod": [ "Post" ]
    },
    {
      "DownstreamPathTemplate": "/api/Parts/Inventory",
      "DownstreamScheme": "http",
      "DownstreamHostAndPorts": [
        {
          "Host": "localhost",
          "Port": 65241
        }
      ],
      "UpstreamPathTemplate": "/api/Parts/Inventory",
      "AuthenticationOptions": {
        "AuthenticationProviderKey": "APIParts",
        "AllowedScopes": []
      }
    }
  ]
}
  • Before going deep into it, can you explain why you are using different ports for Identity Server authentication and the APIs? I think the issue might be there, as when the API request is generated, identity authorization tries to validate the token on the same port where the APIs are, so can you give both the same port and try it? – Nauman Khan Oct 03 '19 at 11:27
  • Can you post some code that shows how you are trying to access the headers to build your connection string? Additionally, what header are you trying to read? If it's the host header you are going to have issues. – Nix Oct 10 '19 at 00:09

1 Answer

I'm not familiar with Ocelot, but in my architecture I have IdentityServer running behind a load balancer and routed in a Kubernetes cluster via an Nginx Ingress, and this required me to configure header forwarding in my IdentityServer's Startup.Configure method like so:

using Microsoft.AspNetCore.HttpOverrides;

// Inside Startup.Configure, before UseAuthentication/UseIdentityServer,
// so the rest of the pipeline sees the original client IP and scheme.
var forwardOptions = new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
    RequireHeaderSymmetry = false  // tolerate a missing X-Forwarded-Proto/For pair
};

// Clearing both lists makes the middleware honour X-Forwarded-* from any caller;
// where the proxy address is known, add it to KnownProxies/KnownNetworks instead.
forwardOptions.KnownNetworks.Clear();
forwardOptions.KnownProxies.Clear();
app.UseForwardedHeaders(forwardOptions);
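As an added example (not the answerer's code), the same ForwardedHeadersOptions written so that X-Forwarded-* headers are honoured only when they arrive from a known gateway address instead of from any caller; the gateway IP and the inclusion of X-Forwarded-Host are assumptions.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;

public static class ForwardedHeadersSetup
{
    // Hypothetical address of the Ocelot gateway / load balancer; replace with the real one.
    private static readonly IPAddress GatewayAddress = IPAddress.Parse("10.0.0.5");

    // Call from Startup.Configure before UseAuthentication / UseIdentityServer.
    public static void Configure(IApplicationBuilder app)
    {
        var forwardOptions = new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor
                             | ForwardedHeaders.XForwardedProto
                             | ForwardedHeaders.XForwardedHost,
            RequireHeaderSymmetry = false,
            // Process a single proxy hop only (the default); values beyond it are ignored.
            ForwardLimit = 1
        };

        // Drop the loopback defaults, then trust only the gateway explicitly.
        forwardOptions.KnownNetworks.Clear();
        forwardOptions.KnownProxies.Clear();
        forwardOptions.KnownProxies.Add(GatewayAddress);

        app.UseForwardedHeaders(forwardOptions);
    }
}
```

Note that this middleware only rewrites the standard X-Forwarded-For/Proto/Host values; any custom header the gateway does not pass through still has to be forwarded by the gateway itself.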