This setup demonstrates how to configure the Ocelot gateway as a "pass-through" for incoming requests, while ensuring that only authenticated and authorized users can access the downstream APIs.
In this scenario, Ocelot will:
- Accept all incoming requests (no authentication required at the gateway level).
- Forward the requests to downstream services, which are protected by Keycloak using JWT tokens.
- Enforce authentication and authorization on the downstream services, so only users with valid tokens can access those services.
Steps to Achieve This:
- Configure the Ocelot Gateway: Ocelot will not require authentication itself but will forward the JWT token (if provided) to the downstream services that are protected.
- Configure the Downstream APIs: the downstream APIs must be secured, meaning they validate JWT tokens and ensure that only authorized users can access the resources.
Example Configuration
- Configure Ocelot Gateway (ocelot.json): In your Ocelot gateway, set up the routes that forward incoming requests to the downstream services. The gateway itself is not protected, so there is no authentication requirement at the gateway level.

```json
{
  "ReRoutes": [
    {
      "DownstreamPathTemplate": "/api/{everything}",
      "DownstreamScheme": "http",
      "UpstreamPathTemplate": "/gateway/{everything}",
      "DownstreamHostAndPorts": [
        {
          "Host": "localhost",
          "Port": 5001
        }
      ],
      "UpstreamHttpMethod": ["Get", "Post", "Put", "Delete"]
    }
  ],
  "GlobalConfiguration": {
    "BaseUrl": "http://localhost:5000"
  }
}
```

Header forwarding: Ocelot copies the headers of the incoming request, including the Authorization header that carries the JWT token, onto the downstream request by default, so no extra mapping is needed for the token to reach the downstream service. Do not add "Authorization" under AddHeadersToRequest: that setting adds headers with a literal or claim-derived value, so an entry such as "Authorization": "RequestHeader" would replace the client's token with the literal string RequestHeader and every downstream call would fail with 401. Note that Ocelot 16 and later name the route array "Routes" instead of "ReRoutes".
In this configuration:
- Ocelot will not perform authentication; it will simply forward the request to the downstream service.
- The downstream service will be responsible for authenticating the incoming request using JWT tokens issued by Keycloak.
Example Flow
- A client (e.g., a user) sends a request to the Ocelot gateway.
- The request might include an Authorization header containing a JWT token issued by Keycloak (for example, from a frontend app).
- Ocelot forwards the request (including the Authorization header) to the downstream service.
- The downstream service uses JWT authentication middleware to validate the token against Keycloak.
- If the token is valid and the user is authorized (e.g., they have the correct scope), the downstream service processes the request.
- If the token is missing, invalid, or the user is unauthorized, the downstream service responds with an HTTP 401 Unauthorized error.
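The downstream side of this flow, as an added example that is not the post's own code: a minimal ASP.NET Core API that validates Keycloak-issued JWTs and enforces a scope before serving the request. The realm URL, the audience and the `orders:read` scope are placeholders, and the hosting on port 5001 matches the ocelot.json above.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholders: replace with your Keycloak realm URL and the client id of this API.
const string KeycloakRealm = "https://keycloak.example.com/realms/my-realm";
const string ApiAudience = "downstream-api";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Discovery: signing keys are fetched from {Authority}/.well-known/openid-configuration,
        // so tokens signed by another realm or issuer are rejected.
        options.Authority = KeycloakRealm;
        options.Audience = ApiAudience;
        options.RequireHttpsMetadata = true; // never fetch keys over plain HTTP outside dev
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = KeycloakRealm,      // "iss" must match the realm URL exactly
            ValidateIssuer = true,
            ValidateAudience = true,          // "aud" must contain this API's client id
            ValidateLifetime = true,          // expired or not-yet-valid tokens fail
            ClockSkew = TimeSpan.FromSeconds(30),
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Keycloak issues granted scopes as one space-separated "scope" claim.
    options.AddPolicy("ReadOrders", policy => policy.RequireAssertion(ctx =>
        ctx.User.FindFirst("scope")?.Value.Split(' ').Contains("orders:read") == true));
    // Deny by default: every endpoint needs an authenticated caller unless it opts out.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Missing or invalid token -> 401; valid token without "orders:read" -> 403.
app.MapGet("/api/orders", () => Results.Ok(new[] { "order-1", "order-2" }))
   .RequireAuthorization("ReadOrders");

app.Run("http://localhost:5001");
```

A request to `http://localhost:5000/gateway/orders` reaches this endpoint as `/api/orders` with the client's Authorization header intact, which is where the token check actually happens.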
Conclusion
This approach allows you to decouple the responsibility for authentication from the gateway, simplifying the gateway's configuration while still ensuring that only authenticated and authorized users can access the protected APIs.
Follow for the next post on how to Configure Downstream API for JWT Authentication