Ocelot: How to receive multiple values in a Claim?

Created on 19 Feb 2018  路  12Comments  路  Source: ThreeMammals/Ocelot

Hello, I麓m having a problem, in your guide I found this:
"RouteClaimsRequirement": {
"UserType": "registered"
},
And I try this:
"RouteClaimsRequirement": {
"Role": "User"
},
but if I send a User that have more than one Role(In my case the user haver User and AdminRoles) Ocelot return a 403, is there any way to do this?... thanks in advance

bug question

All 12 comments

@FerAguilarR93 this might be a bug.

Let me look into it and get back to you asap!

@FerAguilarR93

If you turn the Ocelot logs to debug level can you send me the logs for a failing request?

I think that your Claim might look like below and Ocelot cannot handle it. If that is the case I will fix asap.

new ClaimsPrincipal(new ClaimsIdentity(new List<Claim>
                {
                    new Claim("Role", "User, AdminUser"),
                }

or (but i expect this to work)

new ClaimsPrincipal(new ClaimsIdentity(new List<Claim>
                {
                    new Claim("Role", "User"),
                    new Claim("Role", "AdminUser"),
                }

@FerAguilarR93 also are you sure that the claim is in your token? Are you able to inspect the token?

Sorry for taking, this is what the log has:

Application Insights Telemetry (unconfigured): {"name":"Microsoft.ApplicationInsights.Message","time":"2018-02-21T18:58:56.2337363Z","tags":{"ai.location.ip":"172.18.0.1","ai.operation.id":"4df572f9-4c6e35b8d5a528a2","ai.internal.nodeName":"b9dbbe19d28a","ai.operation.name":"POST /fake/smtp","ai.operation.parentId":"|4df572f9-4c6e35b8d5a528a2.","ai.internal.sdkVersion":"aspnet5c:2.1.1","ai.application.ver":"1.0.0.0","ai.cloud.roleInstance":"b9dbbe19d28a"},"data":{"baseType":"MessageData","baseData":{"ver":2,"message":"Request starting HTTP/1.1 POST http://localhost:32778/fake/smtp application/json 0","severityLevel":"Information","properties":{"Host":"localhost:32778","ContentLength":"0","Scheme":"http","Method":"POST","Protocol":"HTTP/1.1","CategoryName":"Microsoft.AspNetCore.Hosting.Internal.WebHost","AspNetCoreEnvironment":"Development","ContentType":"application/json","Path":"/fake/smtp"}}}}
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 POST http://localhost:32778/fake/smtp application/json 0
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1]
Failed to validate the token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJTZXJ2aWNlVHlwZSI6IldFQiIsIkN1c3RvbVJvbCI6WyJBZG1pbiIsIlVzZXIiXSwibmJmIjoxNTE5MjM5MzU1LCJleHAiOjE1MTkyMzk0MTUsImlzcyI6IkFkdmFuIiwiYXVkIjoiQWxsIn0.3Jd5UMlKQlLzeUzI3tkn0X9P0rI9VT9bzRROveA8jJw.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidLifetimeException: IDX10230: Lifetime validation failed. Delegate returned false, securitytoken: '{"alg":"----","typ":"JWT"}.{"ServiceType":"----","CustomRol":["Admin","User"],"nbf":1519239355,"exp":1519239415,"iss":"----","aud":"All"}'.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwt, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.d__6.MoveNext()
Application Insights Telemetry (unconfigured): {"name":"Microsoft.ApplicationInsights.Exception","time":"2018-02-21T18:58:56.2389320Z","tags":{"ai.location.ip":"172.18.0.1","ai.operation.id":"4df572f9-4c6e35b8d5a528a2","ai.internal.nodeName":"b9dbbe19d28a","ai.operation.name":"POST /fake/smtp","ai.operation.parentId":"|4df572f9-4c6e35b8d5a528a2.","ai.internal.sdkVersion":"aspnet5c:2.1.1","ai.application.ver":"1.0.0.0","ai.cloud.roleInstance":"b9dbbe19d28a"},"data":{"baseType":"ExceptionData","baseData":{"ver":2,"properties":{"{OriginalFormat}":"Failed to validate the token {Token}.","Token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJTZXJ2aWNlVHlwZSI6IldFQiIsIkN1c3RvbVJvbCI6WyJBZG1pbiIsIlVzZXIiXSwibmJmIjoxNTE5MjM5MzU1LCJleHAiOjE1MTkyMzk0MTUsImlzcyI6IkFkdmFuIiwiYXVkIjoiQWxsIn0.3Jd5UMlKQlLzeUzI3tkn0X9P0rI9VT9bzRROveA8jJw","CategoryName":"Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler","AspNetCoreEnvironment":"Development","Exception":"Microsoft.IdentityModel.Tokens.SecurityTokenInvalidLifetimeException: IDX10230: Lifetime validation failed. Delegate returned false, securitytoken: '{\"alg\":\"----\",\"typ\":\"JWT\"}.{\"ServiceType\":\"----\",\"CustomRol\":[\"Admin\",\"User\"],\"nbf\":1519239355,\"exp\":1519239415,\"iss\":\"----\",\"aud\":\"All\"}'.\n at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwt, TokenValidationParameters validationParameters)\n at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)\n at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.d__6.MoveNext()"},"exceptions":[{"id":47422476,"typeName":"Microsoft.IdentityModel.Tokens.SecurityTokenInvalidLifetimeException","message":"Failed to validate the token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJTZXJ2aWNlVHlwZSI6IldFQiIsIkN1c3RvbVJvbCI6WyJBZG1pbiIsIlVzZXIiXSwibmJmIjoxNTE5MjM5MzU1LCJleHAiOjE1MTkyMzk0MTUsImlzcyI6IkFkdmFuIiwiYXVkIjoiQWxsIn0.3Jd5UMlKQlLzeUzI3tkn0X9P0rI9VT9bzRROveA8jJw.","hasFullStack":true,"parsedStack":[{"level":0,"method":"System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload","assembly":"System.IdentityModel.Tokens.Jwt, Version=5.1.4.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"},{"level":1,"method":"System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken","assembly":"System.IdentityModel.Tokens.Jwt, Version=5.1.4.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"},{"level":2,"method":"Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler+d__6.MoveNext","assembly":"Microsoft.AspNetCore.Authentication.JwtBearer, Version=2.0.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60"}]}],"severityLevel":"Information"}}}
Application Insights Telemetry (unconfigured): {"name":"Microsoft.ApplicationInsights.Message","time":"2018-02-21T18:58:56.2467000Z","tags":{"ai.location.ip":"172.18.0.1","ai.operation.id":"4df572f9-4c6e35b8d5a528a2","ai.internal.nodeName":"b9dbbe19d28a","ai.operation.name":"POST /fake/smtp","ai.operation.parentId":"|4df572f9-4c6e35b8d5a528a2.","ai.internal.sdkVersion":"aspnet5c:2.1.1","ai.application.ver":"1.0.0.0","ai.cloud.roleInstance":"b9dbbe19d28a"},"data":{"baseType":"MessageData","baseData":{"ver":2,"message":"ownsecurity was not authenticated. Failure message: IDX10230: Lifetime validation failed. Delegate returned false, securitytoken: '{\"alg\":\"----\",\"typ\":\"JWT\"}.{\"ServiceType\":\"----\",\"CustomRol\":[\"Admin\",\"User\"],\"nbf\":1519239355,\"exp\":1519239415,\"iss\":\"----\",\"aud\":\"All\"}'.","severityLevel":"Information","properties":{"AuthenticationScheme":"ownsecurity ","{OriginalFormat}":"{AuthenticationScheme} was not authenticated. Failure message: {FailureMessage}","FailureMessage":"IDX10230: Lifetime validation failed. Delegate returned false, securitytoken: '{\"alg\":\"----\",\"typ\":\"JWT\"}.{\"ServiceType\":\"----\",\"CustomRol\":[\"Admin\",\"User\"],\"nbf\":1519239355,\"exp\":1519239415,\"iss\":\"----\",\"aud\":\"All\"}'.","CategoryName":"Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler","AspNetCoreEnvironment":"Development"}}}}
Application Insights Telemetry (unconfigured): {"name":"Microsoft.ApplicationInsights.Message","time":"2018-02-21T18:58:56.2533344Z","tags":{"ai.location.ip":"172.18.0.1","ai.operation.id":"4df572f9-4c6e35b8d5a528a2","ai.internal.nodeName":"b9dbbe19d28a","ai.operation.name":"POST /fake/smtp","ai.operation.parentId":"|4df572f9-4c6e35b8d5a528a2.","ai.internal.sdkVersion":"aspnet5c:2.1.1","ai.application.ver":"1.0.0.0","ai.cloud.roleInstance":"b9dbbe19d28a"},"data":{"baseType":"MessageData","baseData":{"ver":2,"message":"ownsecurity was not authenticated. Failure message: IDX10230: Lifetime validation failed. Delegate returned false, securitytoken: '{\"alg\":\"----\",\"typ\":\"JWT\"}.{\"ServiceType\":\"----\",\"CustomRol\":[\"Admin\",\"User\"],\"nbf\":1519239355,\"exp\":1519239415,\"iss\":\"----\",\"aud\":\"All\"}'.","severityLevel":"Information","properties":{"AuthenticationScheme":"ownsecurity","{OriginalFormat}":"{AuthenticationScheme} was not authenticated. Failure message: {FailureMessage}","FailureMessage":"IDX10230: Lifetime validation failed. Delegate returned false, securitytoken: '{\"alg\":\"----\",\"typ\":\"JWT\"}.{\"ServiceType\":\"----\",\"CustomRol\":[\"Admin\",\"User\"],\"nbf\":1519239355,\"exp\":1519239415,\"iss\":\"----\",\"aud\":\"All\"}'.","CategoryName":"Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler","AspNetCoreEnvironment":"Development"}}}}
Application Insights Telemetry (unconfigured): {"name":"Microsoft.ApplicationInsights.Message","time":"2018-02-21T18:58:56.2585905Z","tags":{"ai.location.ip":"172.18.0.1","ai.operation.id":"4df572f9-4c6e35b8d5a528a2","ai.internal.nodeName":"b9dbbe19d28a","ai.operation.name":"POST /fake/smtp","ai.operation.parentId":"|4df572f9-4c6e35b8d5a528a2.","ai.internal.sdkVersion":"aspnet5c:2.1.1","ai.application.ver":"1.0.0.0","ai.cloud.roleInstance":"b9dbbe19d28a"},"data":{"baseType":"MessageData","baseData":{"ver":2,"message":"requestId: no request id, previousRequestId: no previous request id, message: Client has NOT been authenticated for /fake/smtp and pipeline error set. Error Code: UnauthenticatedError Message: Request for authenticated route /fake/smtp by was unauthenticated","severityLevel":"Error","properties":{"message":"Client has NOT been authenticated for /fake/smtp and pipeline error set. Error Code: UnauthenticatedError Message: Request for authenticated route /fake/smtp by was unauthenticated","{OriginalFormat}":"requestId: {requestId}, previousRequestId: {previousRequestId}, message: {message}","requestId":"no request id","previousRequestId":"no previous request id","CategoryName":"Ocelot.Authentication.Middleware.AuthenticationMiddleware","AspNetCoreEnvironment":"Development"}}}}
Application Insights Telemetry (unconfigured): {"name":"Microsoft.ApplicationInsights.Message","time":"2018-02-21T18:58:56.2629689Z","tags":{"ai.location.ip":"172.18.0.1","ai.operation.id":"4df572f9-4c6e35b8d5a528a2","ai.internal.nodeName":"b9dbbe19d28a","ai.operation.name":"POST /fake/smtp","ai.operation.parentId":"|4df572f9-4c6e35b8d5a528a2.","ai.internal.sdkVersion":"aspnet5c:2.1.1","ai.application.ver":"1.0.0.0","ai.cloud.roleInstance":"b9dbbe19d28a"},"data":{"baseType":"MessageData","baseData":{"ver":2,"message":"requestId: no request id, previousRequestId: no previous request id, message: 1 pipeline errors found in ResponderMiddleware. Setting error response status code","severityLevel":"Error","properties":{"message":"1 pipeline errors found in ResponderMiddleware. Setting error response status code","{OriginalFormat}":"requestId: {requestId}, previousRequestId: {previousRequestId}, message: {message}","requestId":"no request id","previousRequestId":"no previous request id","CategoryName":"Ocelot.Responder.Middleware.ResponderMiddleware","AspNetCoreEnvironment":"Development"}}}}
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]
ownsecurity was not authenticated. Failure message: IDX10230: Lifetime validation failed. Delegate returned false, securitytoken: '{"alg":"----","typ":"JWT"}.{"ServiceType":"----","CustomRol":["Admin","User"],"nbf":1519239355,"exp":1519239415,"iss":"----","aud":"All"}'.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]
ownsecurity was not authenticated. Failure message: IDX10230: Lifetime validation failed. Delegate returned false, securitytoken: '{"alg":"----","typ":"JWT"}.{"ServiceType":"----","CustomRol":["Admin","User"],"nbf":1519239355,"exp":1519239415,"iss":"----","aud":"All"}'.
fail: Ocelot.Authentication.Middleware.AuthenticationMiddleware[0]
requestId: no request id, previousRequestId: no previous request id, message: Client has NOT been authenticated for /fake/smtp and pipeline error set. Error Code: UnauthenticatedError Message: Request for authenticated route /fake/smtp by was unauthenticated
fail: Ocelot.Responder.Middleware.ResponderMiddleware[0]
requestId: no request id, previousRequestId: no previous request id, message: 1 pipeline errors found in ResponderMiddleware. Setting error response status code
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 33.9202ms 401
Application Insights Telemetry (unconfigured): {"name":"Microsoft.ApplicationInsights.Message","time":"2018-02-21T18:58:56.2676341Z","tags":{"ai.location.ip":"172.18.0.1","ai.operation.id":"4df572f9-4c6e35b8d5a528a2","ai.internal.nodeName":"b9dbbe19d28a","ai.operation.name":"POST /fake/smtp","ai.operation.parentId":"|4df572f9-4c6e35b8d5a528a2.","ai.internal.sdkVersion":"aspnet5c:2.1.1","ai.application.ver":"1.0.0.0","ai.cloud.roleInstance":"b9dbbe19d28a"},"data":{"baseType":"MessageData","baseData":{"ver":2,"message":"Request finished in 33.9202ms 401","severityLevel":"Information","properties":{"ElapsedMilliseconds":"33.9202","StatusCode":"401","CategoryName":"Microsoft.AspNetCore.Hosting.Internal.WebHost","AspNetCoreEnvironment":"Development"}}}}
Application Insights Telemetry (unconfigured): {"name":"Microsoft.ApplicationInsights.Request","time":"2018-02-21T18:58:56.2336364Z","tags":{"ai.location.ip":"172.18.0.1","ai.operation.id":"4df572f9-4c6e35b8d5a528a2","ai.internal.nodeName":"b9dbbe19d28a","ai.operation.name":"POST /fake/smtp","ai.internal.sdkVersion":"aspnet5c:2.1.1","ai.application.ver":"1.0.0.0","ai.cloud.roleInstance":"b9dbbe19d28a"},"data":{"baseType":"RequestData","baseData":{"ver":2,"id":"|4df572f9-4c6e35b8d5a528a2.","name":"POST /fake/smtp","duration":"00:00:00.0388016","success":false,"responseCode":"401","url":"http://localhost:32778/fake/smtp","properties":{"httpMethod":"POST","AspNetCoreEnvironment":"Development"}}}}

The claims are in my token, my CustomRol have Admin and User Roles in this trace we can look them, and when in my configuration.json I put this:

"RouteClaimsRequirement": {
        "CustomRol": "Admin"
      }

It works because Ocelot take the first value but if I put this:

"RouteClaimsRequirement": {
        "CustomRol": "User"
      }

401 statuscode is returned

I put all log, but the important part is in bold text, thank you for your help

@FerAguilarR93 thanks for the information...so I think Ocelot needs to check all claims of the same type for the value.

I'm not sure how internally asp.net will translate CustomRol":["Admin","User"] it might turn that array into multiple objects of type claim or a claim with a comma delimited list of values.

Anyway I will get this fixed asap!

Thank you for your time and help :)

@FerAguilarR93 no worries!

Please try Install-Package Ocelot -Version 3.1.6 / latest develop if you use the source code and let me know if this fixes the problem!

I confirm that the problem is solved, it works correctly ... Thank you

@FerAguilarR93 awesome! Thanks for finding it and helping me fix it ;)

I do not know about the old version (3.1.6) in which you say the problem had been fixed, the latest version (14.0.5) of Ocelot has the same problem. I cannot assign an array of roles in ocelot.json file:
for example "role": ["user","admin"] , I get "not found" result.

Hi All, I'm having similar issues with 14.1.0; I cannot assign an array of roles in ocelot.json file:
for example "role": ["user","admin"]. "claim value: is not the same as required value: TestR for type: Role errors found in ResponderMiddleware" this in turn returns a 403 Forbidden

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Ehrys picture Ehrys  路  5Comments

nagybalint001 picture nagybalint001  路  4Comments

FerAguilarR93 picture FerAguilarR93  路  3Comments

cpiock picture cpiock  路  4Comments

ioritzalberdi picture ioritzalberdi  路  5Comments