Why isn't Ocelot reviewing my Token claims?

[kopticx]

Hello, I am trying to add authentication to my endpoints, however it appears that ocelot is not verifying the claims because even though my token does not have the admin role it still allows me to POST.

How could I resolve this?

Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9lbWFpbGFkZHJlc3MiOiJrZXZpbjJAYWEuY29tIiwiaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvbmFtZSI6ImtvcHRpY3gyIiwiZXhwIjoxNzMzMzIyMDQzfQ.H1WYrYEuH6EppNnXI2TJASDl1PeO6_943sPIf4FJl0o

[raman-m]

Hi @kopticx !

it appears that ocelot is not verifying the claims because even though my token does not have the admin role it still allows me to POST.

Are you kidding?
Have you read the docs: Authentication ?
Have you configured your Ocelot web app to process authentication including Bearer one?
Do you add AddJwtBearer call and setup? 😉

Remove "RouteClaimsRequirement" options from the route JSON and setup Authentication first.

---

it still allows me to POST.

It allowed to Post because you have not setup Authentication correctly...
If you develop catalog.api downstream service, I recommend you to move all auth logic there and keep route as anonymous one.

[kopticx]

I had already configured Bearer authentication

This works correctly for my identity Service and for the Get endpoints, but for the POST it is not reading my claim, as I told you, although my claim does not have the admin role, it still allows you to do the POST.

If it were not configured correctly, it would not work with other endpoints, would it?

So What am I supposed to do now?

[raman-m]

So What am I supposed to do now?

Learn ASP.NET Core 8 😉

• Overview of ASP.NET Core
• Overview of ASP.NET Core authentication

Seriously...
I recommend you to play with claims, tokens, roles etc. in another ASP.NET web app solution to design your prototype of authentication with current identity provider.
I have no idea how your identity provider http://localhost:80005 signs tokens!
Design and check your Auth solution without Ocelot first!
After that you can start implement the same using Ocelot environment...

If you will find real bug in Ocelot Authentication or Authorization features, let us know please.
Good luck in your researches!

[kopticx]

The problem with their library is that they continue to do the claims mapping even though it is configured in the project, I had to change the name of my roles for it to work.