How can I implement policy based authorization with Ocelot? #1396

Closed
tmkhan opened this issue Dec 17, 2020 · 8 comments · Fixed by #1462
Labels
Aggregation Ocelot feature: Request Aggregation bug Identified as a potential bug high High priority Jan'24 January 2024 release merged Issue has been merged to dev and is waiting for the next release

@tmkhan

tmkhan commented Dec 17, 2020

Feature

Actual Behavior

Further, I tried to access claims with HttpContext.User.Identities, but it is giving null.

@tmkhan tmkhan changed the title How can I implement policy based authorization with Ocelate api gateway? Further, I tried to access claims with HttpContext.User.Identities, but it giving null. How can I implement policy based authorization with Ocelate? Further, I tried to access claims with HttpContext.User.Identities, but it giving null. Dec 17, 2020
@tmkhan tmkhan changed the title How can I implement policy based authorization with Ocelate? Further, I tried to access claims with HttpContext.User.Identities, but it giving null. How can I implement policy based authorization with Ocelot? Further, I tried to access claims with HttpContext.User.Identities, but it giving null. Dec 17, 2020
@aliprogrammer69
Contributor

aliprogrammer69 commented Jan 31, 2021

I have the same problem. I tried to access the claims with context.User.Claims but it returns null.
There was no problem in version 14.0.9 before.

@andrei-manulife

I have the same problem. This has to be a bug. I cannot upgrade until I figure out why this is happening.

@aliprogrammer69
Contributor

aliprogrammer69 commented Feb 14, 2021

I checked the source code and found the problem.
This problem occurs because of "MultiplexingMiddleware:46", which is inevitable. To solve the problem, read authorization info (identities, claims, etc.) from PreAuthenticationMiddleware.

@Kation

Kation commented May 28, 2021

> I checked the source code and found the problem.
> This problem occurs because of "MultiplexingMiddleware:46", which is inevitable. To solve the problem, read authorization info (identities, claims, etc.) from PreAuthenticationMiddleware.

This is bad!!!
If MultiplexingMiddleware does NOT pass HttpContext.User, ClaimsToHeadersMiddleware will not work because it will get the default ClaimsPrincipal and its claims are empty!

No source.User reference:

```csharp
private HttpContext Copy(HttpContext source)
{
    var target = new DefaultHttpContext();
    foreach (var header in source.Request.Headers)
    {
        target.Request.Headers.TryAdd(header.Key, header.Value);
    }
    target.Request.Body = source.Request.Body;
    target.Request.ContentLength = source.Request.ContentLength;
    target.Request.ContentType = source.Request.ContentType;
    target.Request.Host = source.Request.Host;
    target.Request.Method = source.Request.Method;
    target.Request.Path = source.Request.Path;
    target.Request.PathBase = source.Request.PathBase;
    target.Request.Protocol = source.Request.Protocol;
    target.Request.Query = source.Request.Query;
    target.Request.QueryString = source.Request.QueryString;
    target.Request.Scheme = source.Request.Scheme;
    target.Request.IsHttps = source.Request.IsHttps;
    target.Request.RouteValues = source.Request.RouteValues;
    target.Connection.RemoteIpAddress = source.Connection.RemoteIpAddress;
    target.RequestServices = source.RequestServices;
    return target;
}
```

httpContext.User, where httpContext is created by MultiplexingMiddleware.Copy:

```csharp
var response = _addHeadersToRequest.SetHeadersOnDownstreamRequest(downstreamRoute.ClaimsToHeaders, httpContext.User.Claims, downstreamRequest);
```
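
The effect described in the comment above, reproduced outside Ocelot as an added example (not code from the Ocelot project or from any commenter): a context copied without `User` carries an anonymous principal, so both claim forwarding and a policy check fail. The policy name, the `scope` claim and the `copyUser` switch are assumptions made for the illustration, and the project is assumed to target .NET 6+ with `Microsoft.NET.Sdk.Web`.

```csharp
// Added illustration, not Ocelot source.
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical policy name and claim, chosen for this example.
const string PolicyName = "OrdersReader";

var services = new ServiceCollection();
services.AddLogging();
services.AddAuthorization(o => o.AddPolicy(PolicyName, p => p
    .RequireAuthenticatedUser()
    .RequireClaim("scope", "orders.read")));
var provider = services.BuildServiceProvider();
var authz = provider.GetRequiredService<IAuthorizationService>();

// Constructed incoming request: an authenticated user carrying the required claim.
var source = new DefaultHttpContext
{
    User = new ClaimsPrincipal(new ClaimsIdentity(
        new[] { new Claim("scope", "orders.read") }, authenticationType: "Bearer")),
    RequestServices = provider,
};

foreach (var copyUser in new[] { false, true })
{
    var target = Copy(source, copyUser);
    var result = await authz.AuthorizeAsync(target.User, PolicyName);
    Console.WriteLine($"copyUser={copyUser}: claims={target.User.Claims.Count()}, " +
                      $"authenticated={target.User.Identity?.IsAuthenticated}, " +
                      $"policy succeeded={result.Succeeded}");
}

// Reduced version of the Copy method quoted above; copyUser toggles the missing assignment.
static HttpContext Copy(HttpContext source, bool copyUser)
{
    var target = new DefaultHttpContext { RequestServices = source.RequestServices };
    target.Request.Method = source.Request.Method;
    target.Request.Path = source.Request.Path;
    if (copyUser)
    {
        target.User = source.User; // carry the authenticated principal across
    }
    return target;
}
```

Assigning `source.User` is one way to carry the principal across; the change actually merged in #1462 is not shown on this page.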

@raman-m raman-m added bug Identified as a potential bug accepted Bug or feature would be accepted as a PR or is being worked on labels Aug 24, 2023
@raman-m
Member

raman-m commented Aug 24, 2023

The bug has been accepted due to ready PR #1462

@ggnaegi
Member

ggnaegi commented Feb 13, 2024

@raman-m we should keep in mind that issue when refactoring the multiplexing middleware. #1826

@raman-m
Member

raman-m commented Feb 13, 2024

@ggnaegi I'd like to prioritize #1462 to merge it before your #1826

@raman-m raman-m added Aggregation Ocelot feature: Request Aggregation high High priority 2023 Annual 2023 release labels Feb 15, 2024
@raman-m raman-m added this to the Annual 2023 milestone Feb 15, 2024
@raman-m raman-m changed the title How can I implement policy based authorization with Ocelot? Further, I tried to access claims with HttpContext.User.Identities, but it giving null. How can I implement policy based authorization with Ocelot? Feb 15, 2024
@raman-m
Member

raman-m commented Feb 15, 2024

@tmkhan on Dec 17, 2020

Hi! Regarding your question:

> How can I implement policy based authorization with Ocelot?

Policy-based authentication can be implemented at any time for any regular ASP.NET app, for almost all Ocelot versions. See Microsoft docs:

In version 23.0 we delivered the new Multiple Authentication Schemes feature, which does not group schemes but tries to authenticate multiple times.
Another approach is to define a custom auth policy grouping all required schemes and use it for authentication. But such policy definitions are outside of Ocelot's responsibilities.

@raman-m raman-m added Jan'24 January 2024 release and removed 2023 Annual 2023 release labels Feb 15, 2024
@raman-m raman-m modified the milestones: Annual 2023, January'24 Feb 15, 2024
raman-m added a commit to Ugway77/Ocelot that referenced this issue Feb 19, 2024
@raman-m raman-m assigned raman-m and unassigned Kation and tmkhan Feb 19, 2024
raman-m added a commit that referenced this issue Feb 22, 2024
* Fix HttpContext.User is lost after passing MultiplexingMiddleware

* Simplify single downstream route handling

* fix

* some refactoring of long code

* add unit tests for #1396 user scenario

* Acceptance test for user forwarding

* refactor test

---------

Co-authored-by: Алексей Патрин <[email protected]>
Co-authored-by: Raman Maksimchuk <[email protected]>
@raman-m raman-m added merged Issue has been merged to dev and is waiting for the next release and removed accepted Bug or feature would be accepted as a PR or is being worked on labels Feb 23, 2024
@raman-m raman-m mentioned this issue Mar 4, 2024
6 participants