Can Ocelot redirect unauthenticated requests to IdentityServer?

[bremnes]

Expected Behavior / New Feature

• Client_credentials request from services being negotiated, authenticated and routed to the downstream web application
• Authenticated requests from web browser being proxied through to the downstream web application
• Unauthenticated requests from web browser being redirected to identity server (which then can do external authentication with for instance google or microsoft).

Actual Behavior / Motivation for New Feature

I'm trying to set up the following scenario

• Set up both service authentication and end user/browser authentication against a legacy web application unaware of authentication. Similar to what it seems to be doing on the 'With Identity Server' of the big picture docs.

I have

• Legacy, authentication unaware, web application
• Identity server supporting HybridAndClientCredentials, ClientCredentials and external providers google and identityserver - the sample from IdentityServer's quickstart 5.
• Ocelot set up to proxy through all requests as-is, but check for authentication.

What I hoped for was that Ocelot could offload the browser authentication - detect that the browser wasn't authenticated and then redirect to the IdentityServer for authentication. But the only thing that happens is that Ocelot returns 401. (If I go to the IdentityServer "manually", log in and then go back to the web app it works.)

I've tried configuring Ocelot with the AddJwtBearer pointing to IdentityServer, but that doesn't redirect unauthenticated requests. I've also spent some time trying to add external auth (google) into Ocelot and select that scheme in configuration.json's AuthenticationOptions.AuthenticationProviderKey, but that didn't seem to work either.

... no previous request id, message: / is an authenticated route. AuthenticationMiddleware checking if client is authenticated
... IdentityApiKey was not authenticated. Failure message: Not authenticated
...  no previous request id, message: Client has NOT been authenticated for / and pipeline error set. Request for authenticated route / by  was unauthenticated

I can try to clean up the code to show what I'm currently doing, but first I just want to ask if such a scenario is even supported. Is it?

[TomPallister]

Hi @bremnes I have been away on a business trip for the last week so haven't had time to help with issues! Sorry for slow response :)

This isn't supported at the moment. Ocelot just calls authenticate on the authentication provider the user registers. I think it would need to do Challenge and then redirect the user appropriately. This is something we could consider support but I don't know enough yet to say how hard / easy it is.

If you want to take a look I would reccomend looking at AuthenticationMiddleware.cs in Ocelot and these docs in IdentityServer 4.

[AlexHarper]

Hi @TomPallister, have you had any more thoughts on this?
This would be a killer feature for us (and a lot of people I imagine) as we could run our entire stack behind Ocelot.

[elvishsu66]

I would really love this feature... In fact, I desperately need this feature at the moment 🙏

[leoshusar]

I just found this issue after literally hours of finding out why it's not redirecting... I would also really love this!

[Simkiw]

Still trying to find a way to bypass the limitation, but yeah ... just reminding it could be an awesome feature!
Keep it up Tom and every Ocelot collab

[raman-m]

@bremnes commented on Aug 5, 2018

Hi Lars!
Welcome to Ocelot world!
Did you get your answer?

[raman-m]

Wow! So high interest by Ocelot community!...
I need to prioritize this issue.
But first, let me to discuss with the team...

[raman-m]

@Simkiw @leoshusar @elvishsu66 @AlexHarper @bremnes

My main concern is that IdentityServer has been archived by the owner on Dec 13, 2022 ❗
Do you still need this feature considering the fact that IdentityServer is archived?

[leoshusar]

I wasn't using IdentityServer, I was using Keycloak SSO, so I think the feature request for me would really be redirect unauthenticated requests to either configured SSO or an issuer URL in JWT(?) (or custom field?).

But IdentityServer continues in another organization, just the original repo was archived I guess to keep the original links working.

I personally don't need this at this moment since my focus is currently on another projects and I don't know when I'll return to the microservices world.

[bremnes]

@Simkiw @leoshusar @elvishsu66 @AlexHarper @bremnes

My main concern is that IdentityServer has been archived by the owner on Dec 13, 2022 ❗ Do you still need this feature considering the fact that IdentityServer is archived?

@raman-m Thanks for picking up this issue. At the time it was IdentityServer we were using, but as @leoshusar said I guess it should be vendor/software neutral.

[raman-m]

@bremnes commented on Aug 5, 2018

@bremnes Can Ocelot redirect unauthenticated requests to IdentityServer?

It seems Not!

---

• Client_credentials request from services being negotiated, authenticated and routed to the downstream web application

We cannot implement complex auth-logic... You can override AuthenticationMiddleware and do your own thing... you control everything.
We don't see much benefits in implementation of rare user scenarios. But we welcome to introduce custom Auth-providers in Ocelot as modules. So, any contribution is welcome!

---

• Authenticated requests from web browser being proxied through to the downstream web application

Don't switch on authentication if Ocelot doesn't support such Auth-provider.
All non-auth traffic should be routed without problems.

---

• Unauthenticated requests from web browser being redirected to identity server (which then can do external authentication with for instance google or microsoft).

If you want to use external auth-providers. You need to do the following

• Define special Auth-route aka anonymous-route for those requests which responsible for authentication
• Define "happy path" route for authenticated requests
• Develop and override AuthenticationMiddleware and attach it to Ocelot pipeline to process traffic which requires Auth of the provider which is not supported by Ocelot.

Does this my answer make sense for you?

[raman-m]

@bremnes commented on Nov 30:

as @leoshusar said I guess it should be vendor/software neutral.

Well... But don't define route with switched on Auth feature, just use anonymous-route. In this case all traffic should be routed to required endpoint without any problems, including any Auth-server.
That's how to get neutrality in Auth.
Or, you can develop custom AuthenticationMiddleware and attach to Ocelot pipeline, if you want to define authenticated routes.

I see only one problem, that Ocelot can return bad status code which is not compatible to your lovely client's or Auth providers... We can collaborate on that problem. 😉

[raman-m]

@bremnes commented on Nov 30, 2023:

Thanks for picking up this issue.

We are not picking up this issue. As a team, we try to understand where to go.
This your ticket is more related to setup & development of Ocelot app for your specific user scenario. I think, this thread is rather discussion than a real feature ready for development.

---

At the time it was IdentityServer we were using,

If Identity Server was used in your project then I wonder about detailed discussion here... Your user scenario is quite common as other developers have. I recommend you just use and read my advices above. Ocelot is not so smart to do complex redirections. You need to define 2 routes: 1) unauthenticated traffic (but Ocelot cannot route some auth requests like Forms routing etc); 2) after creation of token you need 2nd route for authenticated requests with this token.

---

as @leoshusar said I guess it should be vendor/software neutral.

We use standard interfaces of standard Microsoft packages, also current integrated identity providers described here.
So, you should be able to setup your Ocelot with IS4 without critical problems.
If I understood "vendor/software neutral" in a wrong way, let me know.

Hope it helps!