0

I have a web API application developed with .Net Core 5 where I have implemented the authorization using OIDC 2, therefore using a JWT bearer token.

Now I need to put this application behind a corporate API Gateway which acts like a proxy, that requires additional authorization. The requests therefore should have two authorization tokens, one for the API Gateway and another one for the application itself.

The Gateway administrator has told me to modify my code in order to process a request like the following:

curl -X GET "https://api-gateway.some-domain.org/my-application/some-endpoint" 
     -H "accept: application/json" 
     -H "MyApp-Authorization: Bearer JGVFISOODISJ..." 
     -H "Authorization: Bearer FVJIDOSJFMDSIO..."

I have understood from the administrator response that I should modify how it is configured the authentication in my application, in the startup file maybe.

Currently I've configured in the following way:


public void ConfigureServices(IServiceCollection services)
{

    //...

    //Add ASP.NET Core Identity Services
    services.AddIdentity<IdentityUser, IdentityRole>()
            .AddEntityFrameworkStores<RPToolDBContext>()
            .AddSignInManager<SignInManager<IdentityUser>>();
    
    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(appSettings.Secret));
    
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(opt =>
            {
                opt.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = key,
                    ValidateAudience = false,
                    ValidateIssuer = false,
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.Zero
                };
            })
            .AddAzureAdBearer(options => Configuration.Bind("AzureAd", options));
    //...

}

What do I need to change in order to modify the attribute name?

Obviously, I think I need to change also the code in the front-end, which is developed in REACT using the MSAL library, in order to work with the new header...

Improve this question
2
  • If I get the question right, the gateway will required additional authentication, which would verify the header itself, If all good, then the request would be pass down to our app right ? Then why our app got to process 2 type of Jwt (since one was specific for gateway ?). Then If we have to process 2 type of Jwt at the same time somehow, What would happen if the content of their two gone completely difference ? Like one for bob and one for alice ? Commented Sep 29, 2021 at 17:14
  • Want to suggest that you update your clockskew. If there is ever an opportunity your code may use this newly created token to make a request to an API before the token is returned back to the client, there could be enough difference in server time to cause the issue time to be in the future, causing it to be invalid. Commented Mar 3, 2022 at 19:19

1 Answer 1

Reset to default
2

This pattern can be good from the viewpoints of both good security and simple code standard if it works like this:

  • Confidential access tokens in an unreadable format are issued to web and mobile clients so that no sensitive data is revealed to them

  • APIs receive JWTs containing claims and scopes then use them for authorization, including all user context needed

  • When the client calls the API, messages are routed via the gateway, which swaps confidential tokens for JWTs

INDUSTRY STANDARDS

At my company we call this The Phantom Token Pattern. It is worth seeing if you can steer things in this direction - eg forward my answer to an architect if you work with one.

Your API should not have to work with 2 types of token or non standard header values, since this will mean security libraries fail to work.

CUSTOM AUTHENTICATOR

As a last resort you can customize .Net and retrieve the token differently. Some sample code of mine shows how to customize the .Net stack, but only for learning purposes. It is best to keep your security code simple and standard.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.