Which version of Duende BFF are you using?
2.1.0
Which version of .NET are you using?
6.0
Describe the bug
The previous version of BFF allowed proxying requests without an access token when using YARP JSON configuration.
In version 2.1.0 this changed, and it is allowed by setting the OptionalUserToken flag.
This flag is not accessible from the YARP configuration, or maybe I'm not aware of it.
To Reproduce
Prepare a YARP configuration from JSON to proxy all requests to a remote API (using a wildcard).
Some remote endpoints don't require authentication.
As an anonymous user, execute a request to a remote API endpoint that allows anonymous users.
BFF doesn't proxy the request and returns 401.
Expected behavior
BFF should allow setting YARP metadata in the JSON options configuration to allow an optional user token.
Log output/exception with stacktrace
dbug [Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler] AuthenticationScheme: Cookies was not authenticated.
=> RequestPath:/apiService/test RequestId:0HMRRQQ2V40UM
info [Microsoft.AspNetCore.Routing.EndpointMiddleware] Executing endpoint 'endpoint'
=> RequestPath:/apiService/test RequestId:0HMRRQQ2V40UM
trce [Duende.AccessTokenManagement.OpenIdConnect.UserAccessAccessTokenManagementService] Starting user token acquisition
=> RequestPath:/apiService/test RequestId:0HMRRQQ2V40UM
dbug [Duende.AccessTokenManagement.OpenIdConnect.UserAccessAccessTokenManagementService] No active user. Cannot retrieve token
=> RequestPath:/apiService/test RequestId:0HMRRQQ2V40UM
warn [Duende.Bff.Yarp.AccessTokenRequestTransform] Access token is missing. token type: 'User', local path: 'endpoint', detail: 'Missing access token'
=> RequestPath:/apiService/test RequestId:0HMRRQQ2V40UM
info [Yarp.ReverseProxy.Forwarder.HttpForwarder] Not Proxying, a 401 response was set by the transforms.
Additional context
Should BFF be responsible for authorization in this case? In my opinion it is the proxied API service's responsibility.