I managed to authenticate my API calls in Ocelot with IdentityServer4, as described here, but when the request reaches the target service the Authorization header appears to be there, yet it can't validate scopes, claims, etc.
When I make an authenticated call from my SPA to /test/weatherforecast, I get this in the Ocelot logs:
Request starting HTTP/2 OPTIONS https://localhost:5005/test/weatherforecast
[11:35:59 INF] Request starting HTTP/2 OPTIONS https://localhost:5005/test/weatherforecast <s:Microsoft.AspNetCore.Hosting.Diagnostics>
info: Microsoft.AspNetCore.Cors.Infrastructure.CorsService[4]
CORS policy execution successful.
[11:35:59 INF] CORS policy execution successful. <s:Microsoft.AspNetCore.Cors.Infrastructure.CorsService>
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished in 41.902ms 204
[11:35:59 INF] Request finished in 41.902ms 204 <s:Microsoft.AspNetCore.Hosting.Diagnostics>
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
Request starting HTTP/2 GET https://localhost:5005/test/weatherforecast application/json
[11:35:59 INF] Request starting HTTP/2 GET https://localhost:5005/test/weatherforecast application/json <s:Microsoft.AspNetCore.Hosting.Diagnostics>
info: Microsoft.AspNetCore.Cors.Infrastructure.CorsService[4]
CORS policy execution successful.
[11:35:59 INF] CORS policy execution successful. <s:Microsoft.AspNetCore.Cors.Infrastructure.CorsService>
info: Ocelot.RateLimit.Middleware.ClientRateLimitMiddleware[0]
requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: EndpointRateLimiting is not enabled for /{everything}
[11:35:59 INF] requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: EndpointRateLimiting is not enabled for /{everything} <s:Ocelot.RateLimit.Middleware.ClientRateLimitMiddleware>
info: Ocelot.Authentication.Middleware.AuthenticationMiddleware[0]
requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: /test/weatherforecast is an authenticated route. AuthenticationMiddleware checking if client is authenticated
[11:35:59 INF] requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: /test/weatherforecast is an authenticated route. AuthenticationMiddleware checking if client is authenticated <s:Ocelot.Authentication.Middleware.AuthenticationMiddleware>
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[2]
Successfully validated the token.
[11:36:00 INF] Successfully validated the token. <s:Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler>
info: Ocelot.Authentication.Middleware.AuthenticationMiddleware[0]
requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: Client has been authenticated for /test/weatherforecast
[11:36:00 INF] requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: Client has been authenticated for /test/weatherforecast <s:Ocelot.Authentication.Middleware.AuthenticationMiddleware>
info: Ocelot.Authorisation.Middleware.AuthorisationMiddleware[0]
requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: route is authenticated scopes must be checked
[11:36:00 INF] requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: route is authenticated scopes must be checked <s:Ocelot.Authorisation.Middleware.AuthorisationMiddleware>
info: Ocelot.Authorisation.Middleware.AuthorisationMiddleware[0]
requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: user scopes is authorised calling next authorisation checks
[11:36:00 INF] requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: user scopes is authorised calling next authorisation checks <s:Ocelot.Authorisation.Middleware.AuthorisationMiddleware>
info: Ocelot.Authorisation.Middleware.AuthorisationMiddleware[0]
requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: /{everything} route does not require user to be authorised
[11:36:00 INF] requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: /{everything} route does not require user to be authorised <s:Ocelot.Authorisation.Middleware.AuthorisationMiddleware>
warn: Ocelot.Requester.Middleware.HttpRequesterMiddleware[0]
requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: 401 (Unauthorized) status code, request uri: http://webapplication1/weatherforecast
[11:36:01 WRN] requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: 401 (Unauthorized) status code, request uri: http://webapplication1/weatherforecast <s:Ocelot.Requester.Middleware.HttpRequesterMiddleware>
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished in 1622.9384ms 401
[11:36:01 INF] Request finished in 1622.9384ms 401 <s:Microsoft.AspNetCore.Hosting.Diagnostics>
My ocelot startup.cs
[...]
var authenticationProviderKey = "TestKey";
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(authenticationProviderKey, options =>
    {
        options.Authority = "https://identity";
        options.ApiName = "myproject.api";
        options.SupportedTokens = SupportedTokens.Both;
    });
[...]
Ocelot config
{
    "Routes": [
        {
            "ReRouteIsCaseSensitive": false,
            "DownstreamPathTemplate": "/{everything}",
            "DownstreamScheme": "http",
            "DownstreamHostAndPorts": [
                {
                    "Host": "webapplication1",
                    "Port": 80
                }
            ],
            "UpstreamPathTemplate": "/test/{everything}",
            "AuthenticationOptions": {
                "AuthenticationProviderKey": "TestKey",
                "AllowedScopes": ["api"]
            }
        }
    ],
    "GlobalConfiguration": {
        // "BaseUrl": "https://api.mybusiness.com"
    }
}
My service startup.cs
[...]
services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", options =>
    {
        options.Authority = "https://identity";
    });
[...]
My service controller
[ApiController]
[Authorize]
[Route("[controller]")]
public class WeatherForecastController : ControllerBase
{
    [HttpGet]
    public IEnumerable<WeatherForecast> Get()
    {
        [...default stuff...]
The user making the call also has other claims and a role; I tried to check them, but in the service controller `User` is empty.
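Added example (not the asker's code, nor Ocelot's or IdentityServer's): a downstream-service JwtBearer setup that writes the reason for the 401 into the service's own log, since the gateway only relays the status code. It assumes the API resource is named `myproject.api` (the gateway's ApiName); `DownstreamAuth` and `Warn` are names chosen here.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Downstream (webapplication1) ConfigureServices fragment: the question's Authority,
// an explicit audience, and event hooks that log WHY JwtBearer answers 401.
public static class DownstreamAuth
{
    public static IServiceCollection AddDownstreamJwtAuth(this IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
            {
                options.Authority = "https://identity";
                // JwtBearer validates "aud" by default; with no Audience configured, a
                // token that carries an aud claim is rejected (IDX10208) before any
                // [Authorize] runs, which is exactly how User ends up empty.
                // Assumption: the API resource is "myproject.api". If the token has no
                // aud claim at all, set TokenValidationParameters.ValidateAudience = false.
                options.Audience = "myproject.api";
                options.Events = new JwtBearerEvents
                {
                    // A token arrived but failed validation; the exception names the
                    // cause, e.g. IDX10208 (audience) or IDX10205 (the token's "iss"
                    // differs from the issuer in the discovery document at
                    // https://identity, typical when the SPA uses another host name).
                    OnAuthenticationFailed = ctx =>
                    {
                        Warn(ctx.HttpContext, ctx.Exception.Message);
                        return Task.CompletedTask;
                    },
                    // Every 401 passes here; Error is null when no Bearer token was
                    // presented, i.e. the Authorization header was not forwarded.
                    OnChallenge = ctx =>
                    {
                        Warn(ctx.HttpContext, $"{ctx.Error ?? "no token"} {ctx.ErrorDescription}");
                        return Task.CompletedTask;
                    }
                };
            });
        return services;
    }

    private static void Warn(HttpContext http, string reason) =>
        http.RequestServices.GetRequiredService<ILoggerFactory>()
            .CreateLogger("DownstreamAuth").LogWarning("JWT rejected: {Reason}", reason);
}
```

Call `services.AddDownstreamJwtAuth()` in place of the `AddAuthentication("Bearer")` block and re-run the SPA request; the warning line in the downstream log states which validation step rejected the token.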