ThreeMammals / Ocelot

.NET API Gateway
https://www.nuget.org/packages/Ocelot
MIT License

Problem with ocelot + identity server (wrong token lets me go) #100

Closed JBuenoG closed 7 years ago

JBuenoG commented 7 years ago

Hi there, congratulations on this great project, it's being useful to me.

Let me talk about something regarding it. I think there is a problem with the authentication and authorization features.

If I have the following scenario:

Client <---> Gateway <------> IS
                     <------> Api1
                     <------> Api2

and I install and configure the IdentityServer4 NuGet packages in Api1 and Api2, when I request a token to access Api1 and I try to access Api2 with this token, Api2 returns unauthorized (that's OK!!).

But when I remove the IdentityServer4 NuGet packages from Api1 and Api2 and I configure the ReRoutes in my gateway to use Ocelot's authentication and authorization features (in order to not have to use IS in the APIs), and then I request a token to access Api1 and I use it to access Api2, the gateway allows the access to Api2 (with a token requested to access Api1!! :'( ).

Thanks and great work!!
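The check the gateway is expected to make in the scenario above is: first authenticate the token (signature, expiry), then authorize it against the scopes configured for the specific route, so that a token minted for Api1 is refused on an Api2 route. The following is an added example that models that two-step decision; it is not Ocelot's code or the code from this issue. The route table mirrors the `AuthenticationOptions` / `AllowedScopes` shape of an `ocelot.json` ReRoute entry, the tokens are HS256 JWTs minted inline with a constructed key (IdentityServer4 issues RS256 tokens that Ocelot validates through its authentication middleware), and the status codes and helper names are the example's own choices. It also covers the weak setting a practitioner should know about: a route whose `AllowedScopes` list is empty is only authenticated, not scope-checked, so any valid token from the provider passes.

```python
# Added example (not Ocelot's code): a model of the per-route check an API
# gateway must make so that a token issued for Api1 is refused on Api2 routes.
# Tokens are HS256 JWTs built inline with a constructed key; Ocelot itself
# validates IdentityServer tokens via its authentication middleware.
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # assumption: shared HMAC key

# Route table mirroring the shape of an ocelot.json ReRoute entry.
# AllowedScopes is the per-route authorization setting; an empty list
# means "any authenticated token passes", which is the weak configuration.
ROUTES = {
    "/api1/values": {"AuthenticationProviderKey": "IdentityApiKey", "AllowedScopes": ["api1"]},
    "/api2/values": {"AuthenticationProviderKey": "IdentityApiKey", "AllowedScopes": ["api2"]},
    "/api2/open":   {"AuthenticationProviderKey": "IdentityApiKey", "AllowedScopes": []},  # weak
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(scopes, lifetime=300, now=None):
    """Mint an HS256 JWT carrying a space-separated 'scope' claim (constructed issuer)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "https://is.example", "scope": " ".join(scopes), "exp": now + lifetime}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def authenticate(token, now=None):
    """Return the claims if signature and expiry check out, else None (401 case)."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # refuse 'none' and algorithm confusion
        return None
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(route, claims):
    """Scope check: pass when AllowedScopes is empty (weak) or any scope matches."""
    allowed = route["AllowedScopes"]
    if not allowed:
        return True  # authenticated but unscoped access: this is the hole to avoid
    token_scopes = set(claims.get("scope", "").split())
    return bool(token_scopes & set(allowed))


def gateway_decision(path, token, now=None):
    """Return 'ok', 401 (not authenticated), 403 (wrong scope) or 404 (no such route)."""
    route = ROUTES.get(path)
    if route is None:
        return 404
    claims = authenticate(token, now)
    if claims is None:
        return 401
    return "ok" if authorize(route, claims) else 403


if __name__ == "__main__":
    api1_token = issue_token(["api1"])
    print("/api1/values with api1 token:", gateway_decision("/api1/values", api1_token))
    print("/api2/values with api1 token:", gateway_decision("/api2/values", api1_token))
    print("/api2/open   with api1 token:", gateway_decision("/api2/open", api1_token))
```

Run it and the api1 token is accepted on `/api1/values`, refused with 403 on `/api2/values`, and accepted on `/api2/open` purely because that route lists no scopes. When auditing an `ocelot.json`, every authenticated route should therefore carry a non-empty `AllowedScopes` (or an equivalent claims requirement) unless unscoped access is intended.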

juancash commented 7 years ago

Hi @JBuenoG, I've been checking the code and there isn't any test to check your scenario. I'm going to add some tests to try it and I'll post something here.

juancash commented 7 years ago

@JBuenoG I created the PR #104 to work on this.

The problem is with an older version of the package IdentityServer4.AccessTokenValidation. If I update this package to the latest version it works fine, but I have found another problem with the property AllowedScopes, which doesn't work correctly.

juancash commented 7 years ago

@JBuenoG The PR #104 has already been merged into master.