Receiving 401 depending on the order of my API Route, when calling API's through Ocelot API Gateway

[JordanOakTyres]

Problem:
I am trying to use one of my API's from my Ocelot API Gateway, but each time I try to run the API through the Gateway I receive a 401 error code. The Ocelot route for the API is configured without the AuthenticationOptions object, as I don't want this API to be validated by a JWT Bearer token, like my other API's.

Additional Information relating to the issue, I have 5 API's in my Ocelot.json file (Please see below), 4 of which don't have the AuthenticationOptions object, but when I try to test my SignUP API. I receive a 401 error code. When I try again but this time switch places with the UserLogin API, so the route order then goes SignUp and the UserLogin.

The SignUp API now works (200 status code) and the UserLogin (worked previously) now results in the 401 error code.

My ocelot.json file:

{
  "Routes": [
    {
      //ForgotPassword Controller
      "UpstreamPathTemplate": "/api/Test/SendResetPasswordEmail",
      "UpstreamHttpMethod": [ "Post" ],
      "DownstreamHostAndPorts": [
        {
          "Host": "**My_Host**",
          "Port": 443
        }
      ],
      "DownstreamScheme": "https",
      "DownstreamPathTemplate": "/api/Test/SendResetPasswordEmail"
    },
    {
      "UpstreamPathTemplate": "/api/Test/Oak8Login",
      "UpstreamHttpMethod": [ "Post" ],
      "DownstreamHostAndPorts": [
        {
          "Host": "**My_Host**",
          "Port": 443
        }
      ],
      "DownstreamScheme": "https",
      "DownstreamPathTemplate": "/api/Test/Oak8Login"
    },
    {
      "UpstreamPathTemplate": "/api/Test/UserLogin",
      "UpstreamHttpMethod": [ "Post" ],
      "DownstreamHostAndPorts": [
        {
          "Host": "**My_Host**",
          "Port": 443
        }
      ],
      "DownstreamScheme": "https",
      "DownstreamPathTemplate": "/api/Test/UserLogin"
    },
    {
      //SignUp Controller
      "UpstreamPathTemplate": "/api/Test/SignUp",
      "UpstreamHttpMethod": [ "Post" ],
      "DownstreamHostAndPorts": [
        {
          "Host": "**My_Host**",
          "Port": 443
        }
      ],
      "DownstreamScheme": "https",
      "DownstreamPathTemplate": "/api/Test/SignUp"
    },
    {
      //Login Controller
      "UpstreamPathTemplate": "/api/Test/UserLogout",
      "UpstreamHttpMethod": [ "Post" ],
      "DownstreamHostAndPorts": [
        {
          "Host": "**My_Host**",
          "Port": 443
        }
      ],
      "DownstreamScheme": "https",
      "DownstreamPathTemplate": "/api/Test/UserLogout",
      "AuthenticationOptions": {
        "AuthenticationProviderKeys": [ "MyKey" ],
        "AllowedScopes": []
      }
    }
  ],
  "GlobalConfiguration": {
    "BaseUrl": "**My_URL**"
  }
}

My program.cs file:

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using Ocelot.DependencyInjection;
using Ocelot.Middleware;
using System.Diagnostics;
using System.Text;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.

builder.Services.AddControllers();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

var authenticationProviderKey = "MyKey";
var configurationBuilder = new ConfigurationBuilder();

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(authenticationProviderKey, options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = "**My_Issuer**",
            ValidAudience = "**My_Audience**",
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("**My_Secret_Key**"))
        };
    });

configurationBuilder.AddJsonFile("ocelot.json", optional: false, reloadOnChange: true);

var configuration = configurationBuilder.Build();
builder.Services.AddOcelot(configuration);

var app = builder.Build();

// Configure the HTTP request pipeline.
app.UseSwagger();
app.UseSwaggerUI();

app.UseHttpsRedirection();

app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();

app.UseOcelot().Wait();

app.Run();

Expected behaviour:
I would expect the 4 API's without the AuthenticationOptions object set in the API route, to never receive a 401, while the 1 API with the AuthenticationOptions object, to fail if no token attached, or an invalid token.

Please help.

Specifications:

• Version: 23.2.2 (Nuget package)
• Platform: Visual Studio

[raman-m]

Jordan,
Here are a few suggestions:

• Avoid using https until all http downstream services are functioning correctly. Remove forced redirection, i.e., app.UseHttpsRedirection();, as it is only sensible in a production environment.
• Refrain from defining multiple routes to prevent route matching conflicts.
• Do not set up authenticated routes until you have arranged the routing for anonymous traffic.
• For redirects, focus on Follow Redirects or HttpHandlerOptions.

Finally

• Consolidate all specific path routes into a single Catch All route for unauthenticated traffic.
• Aim to establish only one authenticated route. However, based on your user scenario, defining an authenticated route may not be necessary.

I believe your JSON can be:

{
  "Routes": [
    {
      "UpstreamPathTemplate": "/api/Test/{catchAll}",
      "UpstreamHttpMethod": [ "Post" ],
      "DownstreamHostAndPorts": [
        {
          "Host": "**My_Host**", "Port": 443
        }
      ],
      "DownstreamScheme": "https",
      "DownstreamPathTemplate": "/api/Test/{catchAll}"
    }
  ],
  "GlobalConfiguration": {
    "BaseUrl": "**My_URL**"
  }
}

Hope it helps!