Oauth2 Not Adding Token to Request Header #2615
Comments
|
Thanks for creating this issue. I think this happened while we migrated from fasthttp to net/http for the middlewares What I don't understand however is why you'd need the bearer token added to the request? How I thought this middleware was being used was by adding this to the app pipeline so for example calls between Dapr sidecars have the bearer token. |
|
@ItalyPaleAle We use the bearer token at the API endpoint. We validate the token and then enforce claim requirements (for example, Read, Write, ReadWrite, etc). I'm not aware of how Dapr sidecars use the token. Is their a Dapr feature somewhere that looks for the token and uses it for authorization? |
Would you mind getting a bit more into the details? What API are you referring to? Where are the calls coming from? |
|
Its an HTML client calling to an ASP.NET Web API. Right now its just a POC sample for a customer. They are also looking at APIM to do the same, but I'd like to see the Dapr component continue to improve. Program.cs: // Add JWT authentication
builder.Services.AddAuthentication()
.AddJwtBearer("Bearer", options =>
{
// Get configuration settings
var tenantId = builder.Configuration["TenantId"];
var audienceId = builder.Configuration["AudienceId"];
// Get the OpenID configuration for the tenant
var stsDiscoveryEndpoint = $"https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration";
var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever());
var openIdConfig = configurationManager.GetConfigurationAsync(CancellationToken.None).GetAwaiter().GetResult();
// Configure the JWT validation using OpenID configuration
options.TokenValidationParameters = new TokenValidationParameters
{
ValidIssuer = openIdConfig.Issuer,
ValidAudiences = new[] { audienceId },
IssuerSigningKeys = openIdConfig.SigningKeys,
};
});
// Add authorization using scopes (enables the [RequiredScope] attribute)
builder.Services.AddRequiredScopeAuthorization();Controller example: [ProducesResponseType(typeof(IEnumerable<Todo>), StatusCodes.Status200OK)]
[RequiredScope("TodoList.Read")]
[HttpGet]
public async Task<IActionResult> Get()
{
_logger.LogInformation($"TodoController.Get() called");
return new ObjectResult(await _todos.GetList());
}I'll send you the repo which is private. |
|
Following up on our conversation on Teams. I understand the issue now, and you're right. I'll get the PR reviewed and merged. Thanks! |
Expected Behavior
Oauth2 Middleware component for Authorization Code Grant flow is supposed to add the Bearer token to a request header after authentication. This header is then sent along with the request to the app for validation and claims lookup. This works correctly in v1.9.
Actual Behavior
In v1.10, the Oauth2 Middleware component is adding the Bearer token to the Response headers instead of the Request headers. The token is going back to the client application which is not expected.
Steps to Reproduce the Problem
dapr run --app-id test --config config.yaml --components-path ./components/ --app-port 5000 -H 8080 -- dotnet run --project ./src --urls http://localhost:5000With daprd 1.9, we see the Bearer token header. In daprd 1.10, there is no Bearer token header.
Release Note
RELEASE NOTE: FIX Oauth2 middleware adds Bearer token to request headers.
The text was updated successfully, but these errors were encountered: