Adding Bearer Authentication

[petrhaus]

Hi,
my gateway has bearer authentication configured for some routes, from which the user_id is extracted and passed to the downstream services via an header with the same name.
What's the correct way to get rid of the user_id header parameter and replace it with the bearer token, in the swagger documentation? Should I manipulate the json in ReConfigureUpstreamSwaggerJson? Any example?

Thanks!

[Burgyn]

Hi,
thanks for your question.

I'm not pretty sure if I understand correctly. You have parameter {user_id} in Ocelot upstream path template, but this parameter doesn't exist in downstream path template (it's transformed to header)? Is that so?

And what is the problem? Documentation isn't shown? Please can you provide demo and better describe the problem.

Thanks.

[petrhaus]

Hi,
thanks for your reply, I'm trying to reformulate :-)

Api gateway has bearer authentication configured for some routes, and from the token it extracts a claim and pass it in the header to downstream api (normal behaviour for Ocelot)

{
      "UpstreamPathTemplate": "/estimates",
      "UpstreamHttpMethod": [
        "Post"
      ],
      "AuthenticationOptions": {
        "AuthenticationProviderKey": "Bearer",
        "AllowedScopes": []
      },
      "AddHeadersToRequest": {
        "user_id": "Claims[user_id] > value[0] > |"
      },
      "DownstreamPathTemplate": "/api/estimates",
      "DownstreamScheme": "https",
      "DownstreamHostAndPorts": [
        {
          "Host": "xxxxxxx",
          "Port": 443
        }
      ],
      "SwaggerKey": "estimates"
}

Since the auth is delegated to the gateway, the downstream rest api simply accepts a "user_id" header, and the generated swagger docs of the service shows it correctly.

What I need to do is to manipulate the swagger docs in the Ocelot gateway to show the bearer token in place of the user_id header. This is because the client cannot pass in anyway the user_id directly.

Thanks.

[Burgyn]

Hi,
thanks for the explanation.
If I understand correctly, the documentation will be displayed correctly, but you can't executes requests directly through SwaggerUI, right?

The quick answer is: this package offers nothing for it.
Possibilities that come to mind:

1. Don't use SwaggerUI for executing requests
   On my projects and projects where I collaborate, we use SwaggerUI only for displaying documentation. When we want testing theses endpoints, we generate Postman collection from directly swagger.json. In prereqests scripts we have authentification handling, which add authentification header to request.

2. Use ReConfigureUpstreamSwaggerJson
   As you wrote, you can use ReConfigureUpstreamSwaggerJson and modify resulting JSON document. You can add your token as header parameter to each request. See OpenAPI spec.. You can use JObject from Newtonsoft to manipulating with tis JSON document.

In my opinion, it will not be easy and there will be many different situations to think about.

3. Use Swagger SecurityDefinition
   You can use AddSecurityDefinition when define your swagger generator in downstream service. You can follow this example. Autor use old version, so instead of ApiKeyScheme use OpenApiSecurityScheme.

o.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
{
    Description = "Standard Authorization header using the Bearer scheme. Example: \"bearer {token}\"",
    In = ParameterLocation.Header,
    Name = "Authorization",
    Type = SecuritySchemeType.ApiKey
});

Now your client can add token to Authorization UI and Gateway does his work.

Probably for your client you will be add new endpoint for obtaining token. I don't know your Authorization process.

---

I am sorry that I do not have a simple and clear solution.