Authentication with ID4

[tungphuong]

Hello,

I integrated Ocelot and ID4. It works well. But I have 2 questions:

• Currently, it will check "authentication" on all APIs of downstream service. So, in some situation, we have some APIs allow anonymous, how can we configure?
• Although we checked "authentication" at API gateway level (via Ocelot). But we also need to configure "UseAuthentication ..." at each service, is it correct? Because in each service, I need to get UserId, claim,... for authorization

Thanks,

[shivanka-thunderbolt]

I'm also having the same issue, based on the example https://www.c-sharpcorner.com/article/building-api-gateway-using-ocelot-in-asp-net-core-part-two/. API gateway should handle security by itself and all the other services should not have to worry about it. I'm not sure how it should be implemented.

[tungphuong]

In case if service does not check token again, we cannot apply authorize on that service. Because IsAuthenticated is fail and we cannot get role, claim ...

I also expect that we can have one approach to skip to handle security at service level.

[shivanka-thunderbolt]

API gateway should have the facility to check the authorisation levels before calling the downstream. so we don't have to repeat the same again in the service level. gateway should control the access.

[fauxcoding]

@shivanka-thunderbolt - I had a call with Gartner this week regarding the downstream services.

They advised that your downstream services should still verify the tokens even if they are previously verified from an API gateway. Even if the downstream services are only accessible from the API gateway.

I believe the idea is to do the auth check early but protect your services in case of a bad network configuration down the line makes them accessible.

Just wanted to share.

[TomPallister]

Hi All,

I have been away on a business trip for the last week so haven't had time to help with issues!

So either approach is fine, you can have your API gateway do authentication and have your services unauthenticated in private network...or also have the services authenticated.

If you want to use the first scenario you need a way to pass values from the token to the service e.g. as a query string param or as headers in order to do this Ocelot provides this feature @tungphuong in your case this is how you forward the UserId from the claim to the service.

Ocelot will always forward all headers to service so the second scenario is easily handled.

[tungphuong]

Thanks @TomPallister let me try it

[TomPallister]

OK cool, let me know if you need to re-open this issue.