Is there an example of using .NET Core authorization policies with ServiceStack based apis?
I have setup a .net core based ServiceStack site, I also have created an authorization policy. The next step, which I am having trouble with is injecting the authorization service into the ServiceStack implementation and passing in the user principal to the authorization service.
Whilst ServiceStack doesn't know anything about .NET Core's Authentication, you can access the User assigned to the underlying .NET Core Request in your filters with:
GlobalRequestFilters.Add((req, res, requestDto) => {
if (req.OriginalRequest is HttpRequest netcoreReq)
{
var user = netcoreReq.HttpContext.user;
}
});
Related
Background
I have two microservices that require access to IWindowsPrincipal of the calling user.
I am writing an API Gateway using .Net Core 3.1 that will act as a reverse proxy for these services.
I have configured Authentication and Authorization in the API Gateway as follows:
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddPolicy("All allowed",
builder =>
{
builder
.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader();
});
});
services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
.AddNegotiate();
services.AddAuthorization();
services.AddControllers();
services.AddHttpForwarder();
services.AddOcelot();
services.AddSwaggerForOcelot(_configuration);
}
public void Configure(IApplicationBuilder app)
{
app.UseCors("All allowed");
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
app.UseSwaggerForOcelotUI(options =>
{
options.PathToSwaggerGenerator = "/swagger/docs";
});
app.UseOcelot();
}
Requirement
I would like to access the calling user's identity using HttpContext.User.Identity
in the method of the microservices.
Actual Result
In the methods of the microservices, HttpContext.User.Identity.IsAuthenticated is false and the identity information is empty.
Question
Is there a way to configure Ocelot in the gateway so that it will Challenge the caller if necessary receive Windows Authentication information and pass it on to the microservices?
If this is not possible, is the recommend way to achieve my goal, to perform implement Windows Authentication in each of the microservices?
Isn't Ocelot supposed to allow me to handle Authentication in one place for all microservices?
Follow on Question 1
Ocelot's documentation refers to Authentication using a JWT.
Should I conclude that Ocelot only provides JWT configuration?
Follow on Question 2
I have read a little about Yarp (https://microsoft.github.io/reverse-proxy/)
Should I be using Yarp instead of Ocelot to achieve my goal?
I thought the answer is No
Is there a way to configure Ocelot in the gateway so that it will Challenge the caller if necessary receive Windows Authentication information and pass it on to the microservices?
The problem is Windows Authentication is stateful, server and client are in the same Active Directory , you can find the note in .NET Core Windows Authentication
Windows Authentication is a stateful scenario primarily used in an intranet, where a proxy or load balancer doesn't usually handle traffic between clients and servers.
Microservices architecture requires a stateless instead stateful (means the server and client are in different AD/OS/Network). And Gateway is a stateless component in Microservices picture.
The only way Ocelot can authenticate Windows User is using Active Directory Federated Services (ADFS) with OpenID Connect (OIDC) or constructing Identity Server in the IIS Server by yourself. You can read the scenario in ADFS or Azure AD for more details.
Beside, there are my answers for two following questions:
No, Ocelot just provides the add-in feature to detect which claims of JWT must be included before it allows the request to go through downstream. You can build the custom Authentication/Authorization middleware to allow/deny the correct upstream.
No, YARP is the same meaning of Ocelot in your requirement.
I have a single ASP.NET Core 3.1.8 web application which uses ASP.NET Identity.
Now I've added some externally callable REST API.
I am stuck on how to add token(?) based authentication to my API.
It seems that ASP.NET Identity does not support API authentication. In my old .NET Framework Web App I used
app.UseOAuthBearerTokens(OAuthOptions);
so I had a token endpoint, where external client could ask for a valid token.
Now I read about to have API authentication I should use either AD or AD B2C or IdentityServer 4. I am OK with IdentityServer 4 option, but something is not clear
IdentityServer will completely replace my ASP.NET Identity? I still want to use the login UI and my existing interactive login logic and UI.
I've read about plug in ASP Identity to IdentityServer 4. So do I have to integrate my existing ASP Identity with IdentityServer 4?
Is it OK to host IdentityServer 4 within the very same Web App, where the UI, and the API is hosted?
I've tried to read the ASP.NET Core repo's source both the 3.1.8 and 5.0.0-rc.1, to get some direction. I would not like to go in some direction what will be considered as suboptimal in the next .NET 5 release. I know that there is a complete another way to solve this: AD or AD B2C, and I also have a solution template for that. As an alternative I would like to have a "self contained" solution too, so that's why I invested to ASP Identity. What would be the righ future direction in this track (self-contained) to implement external API authentication?
To protect the API itself you typically use the following:
services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options =>
{
options.Authority = "https://localhost:5001";
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false
};
});
I recommend that if you use IdentityServer, you should put it on its own service, because otherwise its really hard to figure out what's going on and who is doing what.
IdentityServer does not deal with users, so you need to implement the user database (signup/forgotten password...) by yourself. You can use ASP.NET Identity for that.
IdentityServer will completely replace my ASP.NET Identity?
I would say that it depends on your needs, in some cases IdentityServer replaces ASP.NET Identity, and in some cases not. If you just have a single service to protect, then IdentityServer is probably overkill, because there's a lot to learn.
I have an ASP.NET Core 3.1 API which already uses OAuth for authorization. I added healthchecks middleware and I would like to make it protected with basic auth so that client which check the health status can simply provide credentials to check the service health.
So far I did not manage to configure it for the healthcheck endpoint.
Any clue how this can be added?
You can use RequireAuthorization method. For example:
app.UseEndpoints(endpoints =>
{
endpoints.MapHealthChecks("/health").RequireAuthorization();
});
I have a custom AuthenticationHandler built to tie into the Claims-based authorization in ASP.NET Core. Is it possible for ServiceStack to re-use this component, or will I have to implement it as a custom AuthProvider?
Have a look at the new mvcidentity .NET Core template which shows an example of using ASP.NET identity Auth to protect both MVC and ServiceStack Services.
The integration is enabled with the new NetCoreIdentityAuthProvider which provides a bidirectional adapter that converts between an ASP.NET Core ClaimsPrincipal and a ServiceStack User Session.
We are building ASP.NET MVC core web app and accessing data through ASP.NET Core Web API.
We have to give authentication and authorization to both MVC Core and Web API Core side.
If user is authenticated in MVC core web app then while accessing the data on web API core it is should not again authenticate. If user is directly accessing the web API then it should not allow and ask for authentication.
We also want to give authentication through Google.
For WebAPI I suggest token based authentication, Google support OAuth.
I suggest you take a look at the following link:
https://stormpath.com/blog/token-authentication-asp-net-core
There are some community-led efforts to build rich token authentication functionality for ASP.NET Core:
AspNet.Security.OpenIdConnect.Server – Similar to the OAuth Authorization Server middleware for ASP.NET 4.x.
OpenIddict – Wraps OpenIdConnect.Server up into an easier-to-use package that plugs into ASP.NET Identity.
IdentityServer4 – A port of Thinktecture IdentityServer3 to .NET Core.
All of them have sample MVC and API apps. Enjoy.