Ocelot: [Question] Can Ocelot redirect unauthenticated requests to IdentityServer?

Created on 5 Aug 2018  路  3Comments  路  Source: ThreeMammals/Ocelot

Expected Behavior / New Feature

  • Client_credentials request from services being negotiated, authenticated and routed to the downstream web application
  • Authenticated requests from web browser being proxied through to the downstream web application
  • Unauthenticated requests from web browser being redirected to identity server (which then can do external authentication with for instance google or microsoft).

Actual Behavior / Motivation for New Feature

I'm trying to set up the following scenario

I have

  • Legacy, authentication unaware, web application
  • Identity server supporting HybridAndClientCredentials, ClientCredentials and external providers google and identityserver - the sample from IdentityServer's quickstart 5.
  • Ocelot set up to proxy through all requests as-is, but check for authentication.

What I hoped for was that Ocelot could offload the browser authentication - detect that the browser wasn't authenticated and then redirect to the IdentityServer for authentication. But the only thing that happens is that Ocelot returns 401. (If I go to the IdentityServer "manually", log in and then go back to the web app it works.)

I've tried configuring Ocelot with the AddJwtBearer pointing to IdentityServer, but that doesn't redirect unauthenticated requests. I've also spent some time trying to add external auth (google) into Ocelot and select that scheme in configuration.json's AuthenticationOptions.AuthenticationProviderKey, but that didn't seem to work either.

... no previous request id, message: / is an authenticated route. AuthenticationMiddleware checking if client is authenticated
... IdentityApiKey was not authenticated. Failure message: Not authenticated
...  no previous request id, message: Client has NOT been authenticated for / and pipeline error set. Request for authenticated route / by  was unauthenticated

I can try to clean up the code to show what I'm currently doing, but first I just want to ask if such a scenario is even supported. Is it?

enhancement help wanted medium effort

Most helpful comment

Hi @TomPallister, have you had any more thoughts on this?
This would be a killer feature for us (and a lot of people I imagine) as we could run our entire stack behind Ocelot.

All 3 comments

Hi @bremnes I have been away on a business trip for the last week so haven't had time to help with issues! Sorry for slow response :)

This isn't supported at the moment. Ocelot just calls authenticate on the authentication provider the user registers. I think it would need to do Challenge and then redirect the user appropriately. This is something we could consider support but I don't know enough yet to say how hard / easy it is.

If you want to take a look I would reccomend looking at AuthenticationMiddleware.cs in Ocelot and these docs in IdentityServer 4.

Hi @TomPallister, have you had any more thoughts on this?
This would be a killer feature for us (and a lot of people I imagine) as we could run our entire stack behind Ocelot.

I would really love this feature... In fact, I desperately need this feature at the moment 馃檹

Was this page helpful?
0 / 5 - 0 ratings

Related issues

wayne-o picture wayne-o  路  6Comments

secret-agent-B picture secret-agent-B  路  4Comments

ioritzalberdi picture ioritzalberdi  路  5Comments

piyey picture piyey  路  6Comments

mogliang picture mogliang  路  3Comments