
We're trying to integrate the prometheus scrape endpoint with an existing ASP.NET Core site which hosts a Web API.

Here's how the middleware is configured (showing only the important part):

// Authentication must run before the scrape branch so ctx.User is populated
app.UseAuthentication();
app.UseAuthorization();

// Only serve /metrics when the request carries an authenticated principal
app.UseOpenTelemetryPrometheusScrapingEndpoint(
    predicate: ctx => ctx.User.Identity.IsAuthenticated);

app.MapControllers();

app.Run();

Internally, UseOpenTelemetryPrometheusScrapingEndpoint ends up calling MapWhen, which uses the predicate to decide whether the custom branch that returns the metrics should be followed.

In this case, the web site is protected with a bearer token generated by Azure AD. Prometheus has been configured to use OAuth2 and I can see that when it tries to access the metrics endpoint, it's able to get a valid access token which is mapped into a valid user (there's a transform call on the web site which maps the client id + secret into a special user).

Unfortunately, and even though there's a "valid" user, the ctx.User property in the predicate is always "empty" (e.g. IsAuthenticated always returns false). I'm surely missing something, but what?

Thanks

1 Answer


At the end of the day, it ended up being a sum of several things. For starters, the token was being generated through OAuth2 client credentials flow (client id + secret).

When using this flow, the token does not contain scopes or tokens and authorization can be controlled through access control lists. Since we didn't have the "AllowWebApiToBeAuthorizedByACL": true entry in the Azure AD settings, the token was considered invalid.

After adding the entry to the settings, the library was able to validate the token against the ACL and it wasn't considered invalid anymore.

This was only an issue because a few days ago the server-side authentication/authorization code was updated to use AddMicrosoftIdentityWebApi instead of AddJwtBearer, and this is when this feature (ACL use when having no tokens/roles) was enforced (previously, the token was considered valid when using the JWT bearer authentication/authorization library).
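The following Program.cs is an added example, not code from the question or the answer, that puts the pieces above together: Microsoft.Identity.Web configured from an "AzureAd" section that carries "AllowWebApiToBeAuthorizedByACL": true, and a scrape-endpoint predicate that does the authorization the ACL setting hands back to the application. The appsettings.json content shown in the comment, the "Prometheus:AllowedClientIds" configuration key and the IsPrometheusScraper helper are assumptions made for this example; they are not part of Microsoft.Identity.Web or the OpenTelemetry Prometheus exporter.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;
using OpenTelemetry.Metrics;

var builder = WebApplication.CreateBuilder(args);

// Assumed appsettings.json (constructed for this example):
// "AzureAd": {
//   "Instance": "https://login.microsoftonline.com/",
//   "TenantId": "<tenant-id>",
//   "ClientId": "<client-id of this API's app registration>",
//   // Client-credentials tokens carry neither scp nor roles; without this flag
//   // Microsoft.Identity.Web rejects them, which is what the question hit.
//   "AllowWebApiToBeAuthorizedByACL": true
// },
// "Prometheus": {
//   "AllowedClientIds": [ "<client-id of the Prometheus app registration>" ]
// }
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization();

// Register the Prometheus exporter so UseOpenTelemetryPrometheusScrapingEndpoint
// has a MeterProvider to read from.
builder.Services.AddOpenTelemetry()
    .WithMetrics(metrics => metrics
        .AddAspNetCoreInstrumentation()
        .AddPrometheusExporter());

builder.Services.AddControllers();

var app = builder.Build();

// Authentication has to run before the MapWhen branch, otherwise ctx.User is
// still the anonymous principal when the predicate executes.
app.UseAuthentication();
app.UseAuthorization();

// Assumed: the set of Azure AD application (client) ids allowed to scrape.
var allowedScrapers = new HashSet<string>(
    builder.Configuration.GetSection("Prometheus:AllowedClientIds").Get<string[]>()
        ?? Array.Empty<string>(),
    StringComparer.OrdinalIgnoreCase);

app.UseOpenTelemetryPrometheusScrapingEndpoint(
    predicate: ctx => IsPrometheusScraper(ctx, allowedScrapers));

app.MapControllers();

app.Run();

// With AllowWebApiToBeAuthorizedByACL the library no longer checks scp/roles, so
// any app that can obtain a token for this API's audience is "authenticated".
// The predicate therefore has to pin the caller: Azure AD v1 tokens carry the
// calling app id in "appid", v2 tokens in "azp".
static bool IsPrometheusScraper(HttpContext ctx, IReadOnlySet<string> allowedClientIds)
{
    var user = ctx.User;
    if (user.Identity?.IsAuthenticated != true)
    {
        return false;
    }

    var callerAppId = user.FindFirst("azp")?.Value ?? user.FindFirst("appid")?.Value;
    return callerAppId is not null && allowedClientIds.Contains(callerAppId);
}
```

The ACL flag is a blanket "trust every app that can get a token for me" switch, so the predicate above does the narrowing that the library would otherwise have done with scopes or roles. If you would rather keep the library's own check, the alternative is to define an application role on the API's app registration, assign it to the Prometheus app registration, and then the client-credentials token carries a roles claim and AddMicrosoftIdentityWebApi accepts it without AllowWebApiToBeAuthorizedByACL.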
