Use Ocelot / Identity Server4 JwtBearerEvents.OnAuthenticationFailed addHeaders not work

[lei-9]

        builder.AddIdentityServerAuthentication(authenticationScheme, GetIdentityServerAuthenticationOptions(configuration, allowedScopes));

... 

 options.JwtBearerEvents = new JwtBearerEvents
            {
         
                OnAuthenticationFailed = authenticationFailedContext =>
                {
                    var token = authenticationFailedContext.Request.Headers["Authorization"]
                        .ToString()
                        .Replace("Bearer ", "")
                        .Trim();
                    
                    if (!string.IsNullOrEmpty(token))
                    {
                        var jwtToken = new JwtSecurityTokenHandler().ReadJwtToken(token);
                 
                        if (jwtToken.Issuer != identityServerTokenConfig.IdentityServerUrl)
                        {
                            authenticationFailedContext.Response.Headers.Add("Token-Error-Iss", "Issuer is wrong!");
                        }

                      
                        if (jwtToken.Audiences.FirstOrDefault() != identityServerTokenConfig.ApiName)
                        {
                            authenticationFailedContext.Response.Headers.Add("Token-Error-Aud", "Audience is wrong!");
                        }

     
                        List<string> scopeList = allowedScopes != null!
                            ? allowedScopes
                            : jwtToken.Claims
                                .Where(s => s.Type == "scope")
                                .Select(s => s.Value)
                                .ToList();

                        if (scopeList?.Any() ?? false)
                        {
                            if (allowedScopes!.Any(scope => !scopeList.Contains(scope)))
                            {
                                authenticationFailedContext.Response.Headers.Add("Token-Error-Scope", "true");
                            }
                        }

             
                        if (authenticationFailedContext.Exception.GetType() == typeof(SecurityTokenExpiredException))
                        {
                            authenticationFailedContext.Response.Headers.Add("Token-Expired", "true");
                        }
                    }
                    else
                    {
                        authenticationFailedContext.Response.StatusCode = StatusCodes.Status401Unauthorized; //没有token则抛出401
                    }

                    return Task.CompletedTask;
                },
    
                OnChallenge = jwtBearerChallengeContext =>
                {
                    jwtBearerChallengeContext.Response.Headers.Add("Token-Error", jwtBearerChallengeContext.ErrorDescription);
                    jwtBearerChallengeContext.Response.StatusCode = StatusCodes.Status401Unauthorized; //没有token则抛出401
                    return Task.CompletedTask;
                },
    
                OnTokenValidated = tokenValidatedContext => Task.CompletedTask,
                OnForbidden = forbiddenContext => Task.CompletedTask
            };

ocelot app ：http://localhost:5500

ocelot full log

时间:2024-01-09 17:38:02.003
等级:Debug
类:Ocelot.Errors.Middleware.ExceptionHandlerMiddleware
信息:requestId: 0HN0GUQM5DR1R:00000002, previousRequestId: No PreviousRequestId, message: 'ocelot pipelin
e started'
[17:38:02 DBG] requestId: 0HN0GUQM5DR1R:00000002, previousRequestId: No PreviousRequestId, message: 'ocel
ot pipeline started'

时间:2024-01-09 17:38:02.009
等级:Debug
类:Ocelot.DownstreamRouteFinder.Middleware.DownstreamRouteFinderMiddleware
信息:requestId: 0HN0GUQM5DR1R:00000002, previousRequestId: No PreviousRequestId, message: 'Upstream url p
ath is /twms/api/SysUser/LoginUserDetail'
[17:38:02 DBG] requestId: 0HN0GUQM5DR1R:00000002, previousRequestId: No PreviousRequestId, message: 'Upst
ream url path is /twms/api/SysUser/LoginUserDetail'

时间:2024-01-09 17:38:02.017
等级:Debug
类:Ocelot.DownstreamRouteFinder.Middleware.DownstreamRouteFinderMiddleware
信息:requestId: 0HN0GUQM5DR1R:00000002, previousRequestId: No PreviousRequestId, message: 'downstream tem
plates are /{resource}'
[17:38:02 DBG] requestId: 0HN0GUQM5DR1R:00000002, previousRequestId: No PreviousRequestId, message: 'down
stream templates are /{resource}'

时间:2024-01-09 17:38:02.045
等级:Information
类:Ocelot.RateLimit.Middleware.ClientRateLimitMiddleware
信息:requestId: 0HN0GUQM5DR1R:00000002, previousRequestId: No PreviousRequestId, message: 'EndpointRateLi
miting is not enabled for /{resource}'
[17:38:02 INF] requestId: 0HN0GUQM5DR1R:00000002, previousRequestId: No PreviousRequestId, message: 'Endp
ointRateLimiting is not enabled for /{resource}'

时间:2024-01-09 17:38:02.050
等级:Information
类:Ocelot.Authentication.Middleware.AuthenticationMiddleware
信息:requestId: 0HN0GUQM5DR1R:00000002, previousRequestId: No PreviousRequestId, message: '/twms/api/SysU
ser/LoginUserDetail is an authenticated route. AuthenticationMiddleware checking if client is authenticat
ed'
[17:38:02 INF] requestId: 0HN0GUQM5DR1R:00000002, previousRequestId: No PreviousRequestId, message: '/twm
s/api/SysUser/LoginUserDetail is an authenticated route. AuthenticationMiddleware checking if client is a
uthenticated'

时间:2024-01-09 17:38:39.906
等级:Information
类:IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler
信息:"TWMSAuth" was not authenticated. Failure message: "IDX10223: Lifetime validation failed. The token 
is expired. ValidTo: 'System.DateTime', Current time: 'System.DateTime'."
[17:38:39 INF] TWMSAuth was not authenticated. Failure message: IDX10223: Lifetime validation failed. The
 token is expired. ValidTo: 'System.DateTime', Current time: 'System.DateTime'.

时间:2024-01-09 17:38:39.910
等级:Warning
类:Ocelot.Authentication.Middleware.AuthenticationMiddleware
信息:requestId: 0HN0GUQM5DR1R:00000002, previousRequestId: No PreviousRequestId, message: 'Client has NOT
 been authenticated for /twms/api/SysUser/LoginUserDetail and pipeline error set. Request for authenticat
ed route /twms/api/SysUser/LoginUserDetail by  was unauthenticated'
[17:38:39 WRN] requestId: 0HN0GUQM5DR1R:00000002, previousRequestId: No PreviousRequestId, message: 'Clie
nt has NOT been authenticated for /twms/api/SysUser/LoginUserDetail and pipeline error set. Request for a
uthenticated route /twms/api/SysUser/LoginUserDetail by  was unauthenticated'

时间:2024-01-09 17:38:39.916
等级:Warning
类:Ocelot.Responder.Middleware.ResponderMiddleware
信息:requestId: 0HN0GUQM5DR1R:00000002, previousRequestId: No PreviousRequestId, message: 'Error Code: Un
authenticatedError Message: Request for authenticated route /twms/api/SysUser/LoginUserDetail by  was una
uthenticated errors found in ResponderMiddleware. Setting error response for request path:/twms/api/SysUs
er/LoginUserDetail, request method: GET'
[17:38:39 WRN] requestId: 0HN0GUQM5DR1R:00000002, previousRequestId: No PreviousRequestId, message: 'Erro
r Code: UnauthenticatedError Message: Request for authenticated route /twms/api/SysUser/LoginUserDetail b
y  was unauthenticated errors found in ResponderMiddleware. Setting error response for request path:/twms
/api/SysUser/LoginUserDetail, request method: GET'

[raman-m]

What's the question? 😉

[17:38:39 INF] TWMSAuth was not authenticated. Failure message: IDX10223: Lifetime validation failed. The
 token is expired. ValidTo: 'System.DateTime', Current time: 'System.DateTime'.

The root cause is "The token is expired."

Leo, if you use expired tokens why do you create issues in the repo?
I recommend you to design your application without Ocelot first! After that start integration of Ocelot!!!

[raman-m]

Also, if you use .NET 8 then keep in mind #1876 !!!

[lei-9]

What's the question? 😉

[17:38:39 INF] TWMSAuth was not authenticated. Failure message: IDX10223: Lifetime validation failed. The
 token is expired. ValidTo: 'System.DateTime', Current time: 'System.DateTime'.

The root cause is "The token is expired."

Leo, if you use expired tokens why do you create issues in the repo? I recommend you to design your application without Ocelot first! After that start integration of Ocelot!!!

I know "The token is expired.".
I dog this error, and set error code to http response header.but no response

[raman-m]

You're suggesting that Ocelot should support the designs of all libraries worldwide, correct?

[lei-9]

What's the question? 😉

[17:38:39 INF] TWMSAuth was not authenticated. Failure message: IDX10223: Lifetime validation failed. The
 token is expired. ValidTo: 'System.DateTime', Current time: 'System.DateTime'.

The root cause is "The token is expired."
Leo, if you use expired tokens why do you create issues in the repo? I recommend you to design your application without Ocelot first! After that start integration of Ocelot!!!

I know "The token is expired.". I dog this error, and set error code to http response header.but no response

I can return the http response header added in OnAuthenticationFailed in my application
Integrating ocelot into OnAuthenticationFailed, I also added httpresponse header. But no return

[raman-m]

In general Ocelot doesn't support JWT event model.
So, headers must be created in another context and middlewares.
The question is "How to propagate events and event data to the right class in Ocelot?"

[lei-9]

I found out, normally it is JwtBearerEvents.OnAuthenticationFailed
You will then enter OnChallenge.
But now when using ocelot, the OnChallenge event is not entered.

[raman-m]

Ocelot middleware doesn't call ChallengeAsync !!! See the code!
We call AuthenticateAsync only!

[raman-m]

We don't call ChallengeAsync in middlewares!
But we do call AuthenticateAsync method in authentication middleware.

[lei-9]

I found out, normally it is JwtBearerEvents.OnAuthenticationFailed You will then enter OnChallenge. But now when using ocelot, the OnChallenge event is not entered.

@raman-m please help me...

[raman-m]

Sure thing!
We don't call ChallengeAsync in middlewares!
But we do call AuthenticateAsync method in authentication middleware.

[raman-m]

@lei-9 commented 3 hours ago
But now when using ocelot, the OnChallenge event is not entered.

OK. What .NET SDK do you use? .NET 8 or lower?

Again, my recommendation is 👇

Have you designed your infrastructure and services apps including identity management without Ocelot?

[lei-9]

@lei-9 commented 3 hours ago
But now when using ocelot, the OnChallenge event is not entered.

OK. What .NET SDK do you use? .NET 8 or lower?

Again, my recommendation is 👇

Have you designed your infrastructure and services apps including identity management without Ocelot?

SDK：Net 6

It is normal to use it in a service application

[raman-m]

If your downstream service correctly processes all traffic, I recommend to define anonymous route in Ocelot and forget about the problem.
I don't understand your custom complex Auth setup inside of Ocelot environment.