How to properly implement Auth0 for permissions/scopes?

[Timur-Lenk]

I'm currently working on a .NET Core project where I'm using Ocelot as an API Gateway and I want to use Auth0 for handling permissions and scopes. I have already set up Ocelot in ASP.Net Core and Auth0 in my frontend project, and I have defined the necessary routes and scopes as well. In my Auth0 account I have some users along with roles and scopes setup.

I send a request to the backend while logged in and passing the accesstoken as a Bearer header. Although the network-tab gives a 401 unauthorized, not sure if I'm missing anything since I'm pretty new to ocelot/auth0 and the docs weren't too clear to me.

I have a user in Auth0 which has a role assigned to it with the read:posts scope active.

Here is the current version of my ocelot.json file:

{
  "Routes": [
    {
      "UpstreamPathTemplate": "/api/posts",
      "UpstreamHttpMethod": [ "Get" ],
      "DownstreamHostAndPorts": [ { "Host": "post-service", "Port": 8081 } ],
      "DownstreamPathTemplate": "/api/posts",
      "AuthenticationOptions": {
        "AuthenticationProviderKey": "Bearer",
        "AllowedScopes": ["read:posts"]
      }
    },
    {
      "UpstreamPathTemplate": "/api/posts/{id}",
      "UpstreamHttpMethod": [ "Get" ],
      "DownstreamHostAndPorts": [ { "Host": "post-service", "Port": 8081 } ],
      "DownstreamPathTemplate": "/api/posts/{id}"
    }
  ]
}

And here is how I have configured Auth0 in my appsettings.json file:

{
  "Auth0": {
    "Domain": "dev-[DOMAIN].us.auth0.com",
    "Audience": "https://[HOST].com/api"
  }
}

Parts of my Program.cs

builder.Configuration.SetBasePath(builder.Environment.ContentRootPath)
    .AddJsonFile("ocelot.json", optional: false, reloadOnChange: true)
    .AddEnvironmentVariables();

// Configure Authentication
builder.Services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        sharedOptions.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(options =>
    {
        options.Authority = $"https://{builder.Configuration["Auth0:Domain"]}/";
        options.Audience = builder.Configuration["Auth0:Audience"];
        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = ClaimTypes.NameIdentifier
        };
    });

builder.Services.AddOcelot(builder.Configuration);


app.UseOcelot().Wait();

Any help or guidance would be greatly appreciated.

[raman-m]

Hi Timur!
Welcome to Ocelot world! 🐯

So, I see that your Auth0 lib and its provider supports JWT tokens, right? Good!

---

.AddJwtBearer(options => {...}

JWT setup looks good!

I'm worrying only about NameClaimType = ClaimTypes.NameIdentifier... Why do you need this option?

---

      "AuthenticationOptions": {
        "AuthenticationProviderKey": "Bearer", // this is obsolete property, use AuthenticationProviderKeys !
        "AllowedScopes": ["read:posts"]
      }

According to our Authentication docs we recommend to use the AuthenticationProviderKeys property, for the long term configs.

---

Regarding ocelot.json

    { // authenticated route
      "UpstreamPathTemplate": "/api/posts",
      // ...
      "AuthenticationOptions": {
        "AuthenticationProviderKey": "Bearer",
        "AllowedScopes": ["read:posts"]
      }
    },
    { // anonymous route
      "UpstreamPathTemplate": "/api/posts/{id}",
      // ...
      // where is authentication? Why is it anonymous?
    }

Why is the 2nd route anonymous? Seems it must be authenticated also!

---

Why 2 routes?

According to our Empty Placeholders feature for Catch All placeholder you can merge both routes to one, if id placeholder is Catch All one.

     {
       "UpstreamPathTemplate": "/api/posts/{id}",
       // ...
       "AuthenticationOptions": {
         "AuthenticationProviderKeys": ["Bearer"],
         "AllowedScopes": ["read:posts"]
       }
     }

This feature is available in version 23.0+
So, you can send requests:

• /api/posts
• /api/posts/
• /api/posts/1
• /api/posts/bla-bla
• /api/posts/bla-bla/something-more
• /api/posts/bla-bla?yahoo=Ocelot-is-awesome-gateway&definitely=true

All these URLs should work having one authenticated route definition above! ☝️

---

I send a request to the backend while logged in and passing the access token as a Bearer header.

Well... It can be the root cause of the problem... What's the header name? Bearer? That's wrong!
Pay attention, you must send Authorization header for successful authentication by Bearer provider!
Examples here

• HeaderNames.Authorization
• DefaultRequestHeaders.Authorization

---

Recommendations

Although the network-tab gives a 401 unauthorized, not sure if I'm missing anything since I'm pretty new to ocelot/auth0 and the docs weren't too clear to me.

• Use Authorization header! Because this is default auth header for JwtBearerDefaults.AuthenticationScheme, I hope so.
• Define one authenticated route as I suggested above!

Hope it helps!

[Timur-Lenk]

I followed this tutorial, telling you to implement two classes for the scopes, after which it says one can use [Authorize("read:messages")] to protect endpoints with these scopes.

Should this implementation work for Ocelot instead of regular controller endpoints, with the above mentioned scope setup:

"AuthenticationOptions": {
  "AuthenticationProviderKeys": "Bearer",
  "AllowedScopes": ["read:posts"]
}

[raman-m]

"AuthenticationOptions": {
  "AuthenticationProviderKeys": [ "Bearer" ], // Array !!!
  "AllowedScopes": ["read:posts"]
}

[Timur-Lenk]

My bad didn't notice. After changing some stuff it now returns this error when trying to access an endpoint without the correct scope:

2024-04-24 18:48:32       requestId: 0HN34FPFHI8OB:00000001, previousRequestId: No PreviousRequestId, message: 'Client has been authenticated for path '/api/posts/5' by 'AuthenticationTypes.Federation' scheme.'
2024-04-24 18:48:32 info: Ocelot.Authorization.Middleware.AuthorizationMiddleware[0]
2024-04-24 18:48:32       requestId: 0HN34FPFHI8OB:00000001, previousRequestId: No PreviousRequestId, message: 'route is authenticated scopes must be checked'
2024-04-24 18:48:32 warn: Ocelot.Authorization.Middleware.AuthorizationMiddleware[0]
2024-04-24 18:48:32       requestId: 0HN34FPFHI8OB:00000001, previousRequestId: No PreviousRequestId, message: 'error authorizing user scopes'
2024-04-24 18:48:32 warn: Ocelot.Responder.Middleware.ResponderMiddleware[0]
2024-04-24 18:48:32       requestId: 0HN34FPFHI8OB:00000001, previousRequestId: No PreviousRequestId, message: 'Error Code: ScopeNotAuthorizedError Message: no one user scope: 'openid profile email' match with some allowed scope: 'read:posts' errors found in ResponderMiddleware. Setting error response for request path:/api/posts/5, request method: GET'

Now it mentions the scopes of openid profile email, but the scope I mention in my ocelot file: "AllowedScopes": ["read:posts"], is being sent in the permissions property of the access-token.

Is there a way to change the middleware to check permissions instead of scope?

Access-token content by jwt.io:

{
  "iss": "https://d...",
  "sub": "goo...",
  "aud": [
    "https://da.....,
    "https://dev-2...
  ],
  "iat": 1...,
  "exp": 1...,
  "scope": "openid profile email",
  "azp": "41...",
  "permissions": [
    "read:posts"
  ]
}

[raman-m]

Override the Authorization Middleware and develop as you wish!

The quote:

As you may know from the Middleware Injection section, the Authorization middleware can be overridden like this:

You can parse your token, convert it, and authorize based on the token's scheme.

P.S.

Ocelot middleware is not designed to interpret all types of tokens from various Auth products. It is limited to reading scopes and claims. If your token contains different elements, you will need to handle the request processing independently. There is no alternative.

[raman-m]

I'm very sorry, I'm tired of this discussion....