ThreeMammals / Ocelot

.NET API Gateway
https://www.nuget.org/packages/Ocelot
MIT License

Can Ocelot redirect unauthenticated requests to IdentityServer? #532

Closed bremnes closed 8 months ago

bremnes commented 6 years ago

Expected Behavior / New Feature

Actual Behavior / Motivation for New Feature

I'm trying to set up the following scenario

I have

What I hoped for was that Ocelot could offload the browser authentication - detect that the browser wasn't authenticated and then redirect to the IdentityServer for authentication. But the only thing that happens is that Ocelot returns 401. (If I go to the IdentityServer "manually", log in and then go back to the web app it works.)

I've tried configuring Ocelot with the AddJwtBearer pointing to IdentityServer, but that doesn't redirect unauthenticated requests. I've also spent some time trying to add external auth (google) into Ocelot and select that scheme in configuration.json's AuthenticationOptions.AuthenticationProviderKey, but that didn't seem to work either.

... no previous request id, message: / is an authenticated route. AuthenticationMiddleware checking if client is authenticated
... IdentityApiKey was not authenticated. Failure message: Not authenticated
...  no previous request id, message: Client has NOT been authenticated for / and pipeline error set. Request for authenticated route / by  was unauthenticated

I can try to clean up the code to show what I'm currently doing, but first I just want to ask if such a scenario is even supported. Is it?

TomPallister commented 6 years ago

Hi @bremnes I have been away on a business trip for the last week so haven't had time to help with issues! Sorry for slow response :)

This isn't supported at the moment. Ocelot just calls authenticate on the authentication provider the user registers. I think it would need to do Challenge and then redirect the user appropriately. This is something we could consider support but I don't know enough yet to say how hard / easy it is.

If you want to take a look I would recommend looking at AuthenticationMiddleware.cs in Ocelot and these docs in IdentityServer 4.

AlexHarper commented 5 years ago

Hi @TomPallister, have you had any more thoughts on this? This would be a killer feature for us (and a lot of people I imagine) as we could run our entire stack behind Ocelot.

elvishsu66 commented 4 years ago

I would really love this feature... In fact, I desperately need this feature at the moment 🙏

leoshusar commented 3 years ago

I just found this issue after literally hours of finding out why it's not redirecting... I would also really love this!

Simkiw commented 2 years ago

Still trying to find a way to bypass the limitation, but yeah ... just reminding it could be an awesome feature! Keep it up Tom and every Ocelot collab

raman-m commented 9 months ago

@bremnes commented on Aug 5, 2018

Hi Lars! Welcome to Ocelot world! Did you get your answer?

raman-m commented 9 months ago

Wow! Such high interest from the Ocelot community!... I need to prioritize this issue. But first, let me discuss with the team...

raman-m commented 9 months ago

@Simkiw @leoshusar @elvishsu66 @AlexHarper @bremnes

My main concern is that IdentityServer has been archived by the owner on Dec 13, 2022 ❗ Do you still need this feature considering the fact that IdentityServer is archived?

leoshusar commented 9 months ago

I wasn't using IdentityServer, I was using Keycloak SSO, so I think the feature request for me would really be redirect unauthenticated requests to either configured SSO or an issuer URL in JWT(?) (or custom field?).

But IdentityServer continues in another organization, just the original repo was archived I guess to keep the original links working.

I personally don't need this at this moment since my focus is currently on other projects and I don't know when I'll return to the microservices world.

bremnes commented 9 months ago

@Simkiw @leoshusar @elvishsu66 @AlexHarper @bremnes

My main concern is that IdentityServer has been archived by the owner on Dec 13, 2022 ❗ Do you still need this feature considering the fact that IdentityServer is archived?

@raman-m Thanks for picking up this issue. At the time it was IdentityServer we were using, but as @leoshusar said I guess it should be vendor/software neutral.

raman-m commented 9 months ago

@bremnes commented on Aug 5, 2018

@bremnes Can Ocelot redirect unauthenticated requests to IdentityServer?

It seems Not!


  • Client_credentials request from services being negotiated, authenticated and routed to the downstream web application

We cannot implement complex auth-logic... You can override AuthenticationMiddleware and do your own thing... you control everything. We don't see many benefits in implementing rare user scenarios. But we welcome introducing custom Auth-providers in Ocelot as modules. So, any contribution is welcome!


  • Authenticated requests from web browser being proxied through to the downstream web application

Don't switch on authentication if Ocelot doesn't support such Auth-provider. All non-auth traffic should be routed without problems.


  • Unauthenticated requests from web browser being redirected to identity server (which then can do external authentication with for instance google or microsoft).

If you want to use external auth-providers, you need to do the following

Does my answer make sense to you?

raman-m commented 9 months ago

@bremnes commented on Nov 30:

as @leoshusar said I guess it should be vendor/software neutral.

Well... But don't define a route with the Auth feature switched on, just use an anonymous route. In this case all traffic should be routed to the required endpoint without any problems, including any Auth-server. That's how to get neutrality in Auth. Or, you can develop a custom AuthenticationMiddleware and attach it to the Ocelot pipeline, if you want to define authenticated routes.

I see only one problem, that Ocelot can return a bad status code which is not compatible with your lovely clients or Auth providers... We can collaborate on that problem. 😉
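The custom AuthenticationMiddleware approach mentioned above, as an added example that is not part of this thread or of Ocelot's own code. It assumes Ocelot's `OcelotPipelineConfiguration.AuthenticationMiddleware` override (HttpContext-based, Ocelot 17 or later), a placeholder identity-provider authority URL, the `IdentityApiKey` scheme name from the original log lines, and the Accept header as a rough browser-vs-API heuristic; browsers get a Challenge (redirect to the provider) while API clients still get 401.

```csharp
// Program.cs (ASP.NET Core minimal hosting). Added example, not Ocelot's own code.
// Assumes Ocelot >= 17 and the Microsoft.AspNetCore.Authentication.OpenIdConnect package.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Ocelot.DependencyInjection;
using Ocelot.Middleware;

var builder = WebApplication.CreateBuilder(args);
builder.Configuration.AddJsonFile("ocelot.json");

const string Authority = "https://identity.example.invalid"; // placeholder, not a real issuer

builder.Services.AddAuthentication(o =>
    {
        o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;   // browser session
        o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;  // redirect target
    })
    .AddCookie()
    .AddOpenIdConnect(o => { o.Authority = Authority; o.ClientId = "gateway"; o.ResponseType = "code"; })
    .AddJwtBearer("IdentityApiKey", o => o.Authority = Authority); // key used in ocelot.json routes

builder.Services.AddOcelot(builder.Configuration);
var app = builder.Build();

// Needed so the OIDC callback (/signin-oidc) is handled before Ocelot sees it.
app.UseAuthentication();

var pipeline = new OcelotPipelineConfiguration
{
    // Replaces Ocelot's built-in AuthenticationMiddleware for every route.
    AuthenticationMiddleware = async (ctx, next) =>
    {
        var route = ctx.Items.DownstreamRoute();
        if (!route.IsAuthenticated) { await next(); return; } // anonymous route: pass through

        // 1) API clients: validate the bearer token with the scheme named on the route.
        var bearer = await ctx.AuthenticateAsync(route.AuthenticationOptions.AuthenticationProviderKey);
        if (bearer.Succeeded) { ctx.User = bearer.Principal; await next(); return; }

        // 2) Browsers: accept an existing cookie session, otherwise Challenge (redirect).
        var cookie = await ctx.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        if (cookie.Succeeded) { ctx.User = cookie.Principal; await next(); return; }

        bool isBrowser = ctx.Request.Headers.Accept.ToString().Contains("text/html"); // heuristic
        if (isBrowser) { await ctx.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme); return; }

        ctx.Response.StatusCode = StatusCodes.Status401Unauthorized; // non-browser: keep 401
    },
};

await app.UseOcelot(pipeline);
app.Run();
```

Routes that set `AuthenticationOptions.AuthenticationProviderKey` in ocelot.json still get bearer validation first, so API traffic behaves exactly as before; only interactive browser traffic is redirected.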

raman-m commented 8 months ago

@bremnes commented on Nov 30, 2023:

Thanks for picking up this issue.

We are not picking up this issue. As a team, we try to understand where to go. This ticket of yours is more related to setup & development of an Ocelot app for your specific user scenario. I think this thread is rather a discussion than a real feature ready for development.


At the time it was IdentityServer we were using,

If Identity Server was used in your project then I wonder about the detailed discussion here... Your user scenario is quite common, as other developers have it too. I recommend you just use and read my advice above. Ocelot is not so smart as to do complex redirections. You need to define 2 routes: 1) unauthenticated traffic (but Ocelot cannot route some auth requests like Forms routing etc.); 2) after creation of the token you need a 2nd route for authenticated requests with this token.


as @leoshusar said I guess it should be vendor/software neutral.

We use standard interfaces of standard Microsoft packages, also the currently integrated identity providers described here. So, you should be able to set up your Ocelot with IS4 without critical problems. If I understood "vendor/software neutral" in a wrong way, let me know.

Hope it helps!

raman-m commented 8 months ago

Attention, all participants of this thread!

Going to convert this issue to a discussion, because it is not ready (and it seems it will not be ready) for development.