Enhancing Ocelot to Automatically Forward Claims from IdentityServer's Introspection Endpoint to Backend Services #2043
-
Niyozbek,
To forward the claims means to forward the auth token. Just define an anonymous route to forward your token down to the service. Authorization will occur on the side of the downstream service.
Hmm... What's the problem with that?
Great! Sure thing you can do that!
But I've explained to you above how. Make the token once, and reuse it for all of Ocelot's routes. But they should be anonymous! So, authorization will take place on the microservice's side.
Awesome Steps to Reproduce! 🤣 Hope it helps!
Why do you use an outdated version?
-
We expect Ocelot to forward the claims obtained from IdentityServer4's introspection endpoint to the backend services, enabling efficient authentication and authorization within our microservice architecture.
Currently, Ocelot does not forward the claims retrieved from the introspection endpoint to the backend services. This leads to inefficiencies, as each microservice must independently query IdentityServer4 for claims, resulting in unnecessary round trips.
To optimize our authentication and authorization process, we aim to enhance Ocelot's functionality. Specifically, we seek a feature that automatically passes the obtained claims from the introspection endpoint to the backend services, reducing reliance on IdentityServer and minimizing round trips.
Configure Ocelot as the API Gateway in a microservice architecture.
Integrate IdentityServer4 for authentication and authorization.
Ensure each microservice sends requests to IdentityServer4's introspection endpoint to retrieve claims.
Observe that Ocelot does not forward the obtained claims to the backend services.
Version: Ocelot 18.0
Platform: .NET 6
Subsystem: Authentication and Authorization
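Added example, not part of the thread and not the Ocelot project's own sample: an `ocelot.json` with the anonymous route the reply describes next to an authenticated route that uses Ocelot's claims-to-headers transformation (`AddHeadersToRequest`), which is what the request asks for. Hostnames, ports, paths, the provider key `IdentityServerKey` and the `X-User-*` header names are assumptions.

```json
{
  "Routes": [
    {
      // Option 1 (the reply's approach): anonymous route.
      // No AuthenticationOptions, so Ocelot does not validate the token;
      // the Authorization header passes through and the downstream
      // service authenticates and authorizes the caller itself.
      "UpstreamPathTemplate": "/orders/{everything}",
      "UpstreamHttpMethod": [ "Get", "Post" ],
      "DownstreamPathTemplate": "/api/orders/{everything}",
      "DownstreamScheme": "https",
      "DownstreamHostAndPorts": [
        { "Host": "orders.internal", "Port": 443 }  // hypothetical host
      ]
    },
    {
      // Option 2: the gateway authenticates, then copies selected claims
      // of the authenticated user into request headers for the backend.
      // The backend must accept these headers only from the gateway
      // (network policy or mTLS); a client that can reach the backend
      // directly could otherwise set X-User-Sub itself.
      "UpstreamPathTemplate": "/billing/{everything}",
      "UpstreamHttpMethod": [ "Get" ],
      "DownstreamPathTemplate": "/api/billing/{everything}",
      "DownstreamScheme": "https",
      "DownstreamHostAndPorts": [
        { "Host": "billing.internal", "Port": 443 }  // hypothetical host
      ],
      "AuthenticationOptions": {
        // Must match the scheme name registered in the gateway's
        // AddAuthentication(...) setup (name assumed here).
        "AuthenticationProviderKey": "IdentityServerKey",
        "AllowedScopes": []
      },
      "AddHeadersToRequest": {
        "X-User-Sub": "Claims[sub] > value",
        "X-User-Role": "Claims[role] > value"
      }
    }
  ],
  "GlobalConfiguration": {
    "BaseUrl": "https://gateway.example.com"  // hypothetical
  }
}
```

The `//` comments are for the reader; remove them if your configuration loader rejects comments in JSON.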