OpenIddict remote authorization policy
Serhii Palamarchuk
Posted on September 26, 2023
Hi to everyone!
I need your help!
I'm trying to implement the following scenario using .NET 7. I have:
1) an authorization server (using OpenIddict) named "AuthAPI" with an authorization policy ("MainPolicy"):
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using OpenIddict.Validation.AspNetCore;

builder.Services.AddAuthorization(options =>
{
    // Default policy: accept either an OpenIddict-validated token or the cookie session,
    // and additionally require the custom PermissionRequirement to be satisfied.
    options.DefaultPolicy = new AuthorizationPolicyBuilder(
            OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme,
            CookieAuthenticationDefaults.AuthenticationScheme)
        .RequireAuthenticatedUser()
        .AddRequirements(new PermissionRequirement("default test!!"))
        .Build();

    // Named policy "MainPolicy": same two schemes, a different permission value.
    options.AddPolicy("MainPolicy", policy =>
    {
        policy.AuthenticationSchemes.Add(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme);
        policy.AuthenticationSchemes.Add(CookieAuthenticationDefaults.AuthenticationScheme);
        policy.RequireAuthenticatedUser();
        policy.Requirements.Add(new PermissionRequirement("MainPolicy test!!"));
    });

    //options.AddPolicy("MainPolicy2", policy =>
    //{
    //    policy.RequireAuthenticatedUser();
    //    policy.Requirements.Add(new PermissionRequirement("MainPolicy2 test!!"));
    //});
});
2) a resource API named "SingleClientAPI" which is configured to use "AuthAPI" as its authorization server:
using OpenIddict.Validation.AspNetCore;

// Register the OpenIddict validation components.
builder.Services.AddOpenIddict()
    .AddValidation(options =>
    {
        // Note: the validation handler uses OpenID Connect discovery
        // to retrieve the address of the introspection endpoint.
        options.SetIssuer(authUrl);
        options.AddAudiences("SingleClientAPI");

        // Configure the validation handler to use introspection and register the client
        // credentials used when communicating with the remote introspection endpoint.
        // (The secret is shown inline here; in a deployed app it belongs in configuration
        // or a secret store rather than in source control.)
        options.UseIntrospection()
            .SetClientId("SingleClientAPI")
            .SetClientSecret("430695D4-4F20-4F2E-A478-BB5DF6A7C543");

        // Register the System.Net.Http integration.
        options.UseSystemNetHttp();

        // Register the ASP.NET Core host.
        options.UseAspNetCore();
    });

// Make the OpenIddict validation handler the default authentication scheme and enable
// authorization. Note that no named policies are registered in this application.
builder.Services.AddAuthentication(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme);
builder.Services.AddAuthorization();
and "SingleClientAPI" has a controller with an action "GetWeatherForecast" and the authorization policy "MainPolicy" (supposed to be used from "AuthAPI"):
[HttpGet(Name = "GetWeatherForecast")]
// The policy name is looked up by this application's own IAuthorizationPolicyProvider.
[Authorize(Policy = "MainPolicy", AuthenticationSchemes = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme)]
public IEnumerable<WeatherForecast> Get()
{
    return Enumerable.Range(1, 5).Select(index => new WeatherForecast
        {
            Date = DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
            TemperatureC = Random.Shared.Next(-20, 55),
            Summary = Summaries[Random.Shared.Next(Summaries.Length)]
        })
        .ToArray();
}
but when I call "GetWeatherForecast" I get this exception:
System.InvalidOperationException: The AuthorizationPolicy named: 'MainPolicy' was not found.
   at Microsoft.AspNetCore.Authorization.AuthorizationPolicy.CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable`1 authorizeData, IEnumerable`1 policies)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)
How can I make it work and use 'MainPolicy' of "AuthAPI" in the authorization attribute of the resource API "SingleClientAPI"?
P.S. The "AuthAPI" server and the "SingleClientAPI" resource API CANNOT share the same authorization policies because they are different applications and they are deployed separately.
Thank you in advance!
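The stack trace above is the ASP.NET Core authorization middleware asking SingleClientAPI's own IAuthorizationPolicyProvider for a policy named "MainPolicy" and getting null back: a policy name in [Authorize] is always resolved by the application hosting the controller, never fetched from the token issuer, and token introspection only hands the resource API the token's claims and scopes. What the two deployments can share is therefore not the policy object but the contract (a policy name and the claim that backs it); the resource API must build the policy itself and make the decision from claims that AuthAPI puts in the token. The following is an added example for the SingleClientAPI side, not code from the original post or from OpenIddict. It assumes AuthAPI issues access tokens carrying a "permission" claim (one claim per permission) with a destination that makes it visible in introspection responses; PermissionRequirement and PermissionHandler are a hypothetical reconstruction, since the post does not show the original PermissionRequirement, and the "Permission:" name prefix is this example's own convention.

```csharp
// Program.cs of SingleClientAPI (added example). The builder.Services.AddOpenIddict()
// .AddValidation(...) block from the post is unchanged and omitted here for brevity.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using OpenIddict.Validation.AspNetCore;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme);
builder.Services.AddAuthorization(options =>
{
    // "MainPolicy" has to exist in THIS application for [Authorize(Policy = "MainPolicy")]
    // to resolve. Only the name and the claim value are shared with AuthAPI, not code.
    options.AddPolicy("MainPolicy", policy => policy
        .AddAuthenticationSchemes(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme)
        .RequireAuthenticatedUser()
        .AddRequirements(new PermissionRequirement("MainPolicy test!!")));
});
builder.Services.AddControllers();
builder.Services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
builder.Services.AddSingleton<IAuthorizationPolicyProvider, PermissionPolicyProvider>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// A single permission the caller must hold (hypothetical reconstruction of the poster's type).
public sealed class PermissionRequirement : IAuthorizationRequirement
{
    public const string ClaimType = "permission"; // assumed claim name issued by AuthAPI
    public PermissionRequirement(string permission) => Permission = permission;
    public string Permission { get; }
}

// Satisfied only for an authenticated principal whose claims, populated by the OpenIddict
// validation handler from the introspection response, contain the exact permission value.
public sealed class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        if (context.User.Identity?.IsAuthenticated == true &&
            context.User.HasClaim(PermissionRequirement.ClaimType, requirement.Permission))
        {
            context.Succeed(requirement);
        }
        // Do not call context.Fail() here: that would veto any other handler for the requirement.
        return Task.CompletedTask;
    }
}

// Policy provider for the resource API. Names of the form "Permission:<value>" are built on
// demand, so each permission does not need its own AddPolicy call; every other name (including
// "MainPolicy" registered above) goes to the default provider. A provider returning null for an
// unknown name is exactly what produced the "was not found" exception in the post.
public sealed class PermissionPolicyProvider : IAuthorizationPolicyProvider
{
    private const string Prefix = "Permission:";
    private readonly DefaultAuthorizationPolicyProvider _fallback;

    public PermissionPolicyProvider(IOptions<AuthorizationOptions> options)
        => _fallback = new DefaultAuthorizationPolicyProvider(options);

    public Task<AuthorizationPolicy> GetDefaultPolicyAsync() => _fallback.GetDefaultPolicyAsync();

    public Task<AuthorizationPolicy?> GetFallbackPolicyAsync() => _fallback.GetFallbackPolicyAsync();

    public Task<AuthorizationPolicy?> GetPolicyAsync(string policyName)
    {
        if (!policyName.StartsWith(Prefix, StringComparison.Ordinal))
        {
            return _fallback.GetPolicyAsync(policyName);
        }

        var policy = new AuthorizationPolicyBuilder(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme)
            .RequireAuthenticatedUser()
            .AddRequirements(new PermissionRequirement(policyName.Substring(Prefix.Length)))
            .Build();
        return Task.FromResult<AuthorizationPolicy?>(policy);
    }
}
```

With this in place the existing [Authorize(Policy = "MainPolicy")] on GetWeatherForecast resolves locally, and a new endpoint can be protected with a name such as [Authorize(Policy = "Permission:weather.read")] (a hypothetical permission value) without touching Program.cs. The part that still has to happen on the AuthAPI side is adding the matching "permission" claim to the principal when the access token is issued, with a destination that lets it reach the access token and hence the introspection response; if the claim never leaves AuthAPI, the handler above correctly denies the request.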