Can we think Ocelot as API Resource

[swetha-adb]

Hi Tom,
My Application has Identity Server to issue the tokens to Angular Client.
Ocelot is the API Gate Way.
API Services are Product, User

Identity Server:

API Resources:

public static IEnumerable GetApiResources()
{
return new[]
{
new ApiResource
{
Name = "Product",
DisplayName = "Product",
Description = "Allow the application to access Product on your behalf",
Scopes = new List { "Product.read", "Product.write", "Prodcut"},
UserClaims = new List {"role"}
},
new ApiResource
{
Name = "User",
DisplayName = "User",
Description = "Allow the application to access User on your behalf",
Scopes = new List { "User.read", "User.write", "User"},
UserClaims = new List {"role"}
},
new ApiResource
{
Name = "ApiGatewayService",
DisplayName = "This is ocelot api gateway",
Description = "Allow the application to get the token",
Scopes = new List { "Product","User" ,"ApiGatewayService","Product.read", "Product.write", "User.read", "User.write"},
UserClaims = new List {"role"}

            }

        };
    }

Client Setting

new Client
            {
                ClientId = "democlient",
                ClientName = "Demo Client",
                AllowedGrantTypes = GrantTypes.Code,
                AccessTokenType = AccessTokenType.Jwt,
                RequireConsent = true,
                AccessTokenLifetime = 14400,// 330 seconds, default 60 minutes
                IdentityTokenLifetime = 14400,
                RequireClientSecret = false,
                RequirePkce = true,
                AllowAccessTokensViaBrowser = true,
                RedirectUris = new List<string>
                {
                    $"{spaClientUrl}/callback",
                    $"{spaClientUrl}/silent-renew.html",
                    "http://localhost:4200",
                    "http://localhost:4200/silent-renew.html"
                },
                PostLogoutRedirectUris = new List<string>
                {
                    $"{spaClientUrl}/unauthorized",
                    $"{spaClientUrl}",
                    "http://localhost:4200/unauthorized",
                    "http://localhost:4200"
                },
                AllowedCorsOrigins = new List<string>
                {
                    $"{spaClientUrl}",
                    "http://localhost:4200"
                },
                AllowedScopes = new List<string>
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    "profile",
                     "ApiGatewayService"                     
                },
                AlwaysIncludeUserClaimsInIdToken = true
             }
        };
    }

So here I have defined a APIGateway Resource which has the all API scopes.
My understanding is Angular Client should know only about APIGateway Resource. It should not care about how many services and when they increase. If the new API Service added, it should not again change the client settings.

Angualr Client Settings:

const openIdConfiguration: OpenIdConfiguration = {
stsServer: this.authUrl,
redirect_url: 'http://localhost:4200/callback',
client_id: 'democlient',
response_type: 'code',
scope: 'openid profile ApiGatewayService',
post_logout_redirect_uri: 'http://localhost:4200',
forbidden_route: '/forbidden',
unauthorized_route: '/unauthorized',
silent_renew: true,
silent_renew_url: 'http://localhost:4200/silent-renew.html',
history_cleanup_off: true,
auto_userinfo: true,
log_console_warning_active: true,
log_console_debug_active: true,
max_id_token_iat_offset_allowed_in_seconds: 10,

Please check the scope. Here i have mentioned only ApiGatewayService. This Resource has all API Scopes which i mentined identity Server.(as my understanding is client needs to send only APIGateWayService. )

I have used oidecSecurity Service for login. I got the token but it contains only the scope of APIGatewayService , openid, profile.

And with this token i am not able access the my product controller via Ocelot.

Did i miss any thing?

My authentication function which is called in Configureservices of startup.cs(Ocelot , Product) is

public static void AddAuthenticationToken(this IServiceCollection services, string scope)
{
var builder = services.AddAuthentication(options => options.DefaultScheme = Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerDefaults.AuthenticationScheme);

        builder.AddJwtBearer(options => SetJwtBearerOptions(options, scope));

        services.AddAuthorization(options =>
        {
            if (scope == "Product")
            {
                options.AddPolicy("read",
                    policy => policy.RequireClaim("scope", "Product.read"));
                options.AddPolicy("write",
                    policy => policy.RequireClaim("scope", "Product.write"));
            }
            else
            if (scope == "User")
            {
               
            }
        });
    }

    private static void SetJwtBearerOptions(JwtBearerOptions options, string scope)
    {
        options.Authority = ConfigSettings.AppSettings["Authority"].ToString();
        options.Audience = scope;
        options.RequireHttpsMetadata = false; // Note: Set to true in production
    }

Did i miss some thing?
My intention is Client should not have a need to send all api scopes, he should send only APIGatewayService

Thanks in Advance
Swetha Chakrapwar

[swetha-adb]

Can any one tell the solution

[raman-m]

🙏 and the community will help you!

[knight1219]

Wouldn't your 2 API servers need "APIGatewayService" as a scope for this configuration to work?

[raman-m]

@swetha-adb
Welcome to Ocelot world! 🐅

Please, continue your coding research and design a solution here, in this discussion.