I'm trying to set up the following scenario
I have
What I hoped for was that Ocelot could offload the browser authentication - detect that the browser wasn't authenticated and then redirect to the IdentityServer for authentication. But the only thing that happens is that Ocelot returns 401. (If I go to the IdentityServer "manually", log in and then go back to the web app it works.)
I've tried configuring Ocelot with the AddJwtBearer pointing to IdentityServer, but that doesn't redirect unauthenticated requests. I've also spent some time trying to add external auth (google) into Ocelot and select that scheme in configuration.json's AuthenticationOptions.AuthenticationProviderKey, but that didn't seem to work either.
... no previous request id, message: / is an authenticated route. AuthenticationMiddleware checking if client is authenticated
... IdentityApiKey was not authenticated. Failure message: Not authenticated
... no previous request id, message: Client has NOT been authenticated for / and pipeline error set. Request for authenticated route / by was unauthenticated
I can try to clean up the code to show what I'm currently doing, but first I just want to ask if such a scenario is even supported. Is it?
Hi @bremnes I have been away on a business trip for the last week so haven't had time to help with issues! Sorry for slow response :)
This isn't supported at the moment. Ocelot just calls authenticate on the authentication provider the user registers. I think it would need to do Challenge and then redirect the user appropriately. This is something we could consider support but I don't know enough yet to say how hard / easy it is.
If you want to take a look I would reccomend looking at AuthenticationMiddleware.cs in Ocelot and these docs in IdentityServer 4.
Hi @TomPallister, have you had any more thoughts on this?
This would be a killer feature for us (and a lot of people I imagine) as we could run our entire stack behind Ocelot.
I would really love this feature... In fact, I desperately need this feature at the moment 馃檹
Most helpful comment
Hi @TomPallister, have you had any more thoughts on this?
This would be a killer feature for us (and a lot of people I imagine) as we could run our entire stack behind Ocelot.