Retrieving user information in a proxied microservice

[PieterBoeren]

Probably due to my lack of knowledge (I’m fairly new to both Identity management and proxying), but I have trouble understanding how I can achieve functionality like this:

1. User access a website (single page application in this case), which files will flow through the proxy which in his turn, will require authentication (this works, I’m using the demo server of IdentityServer for now):

services
     .AddAuthentication(_ =>
     {
         _.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
         _.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
     })
     .AddCookie()
     .AddOpenIdConnect(options =>
     {
         options.Authority = "https://demo.identityserver.io";

         options.ClientId = "interactive.confidential";
         options.ClientSecret = "secret";
         options.ResponseType = "code";

         options.SaveTokens = true;
     });

2. Internal microservice, also mapped on the proxy (same AuthorizationPolicy as the client code)

How can I get to the information of the logged on users (name, claims etc)? Do I need custom written middleware in the proxy? Or can I just put some "existing" middleware in the microservice?

[Tratcher]

So if I understand this right, you have auth set up in destination A as shown above, and you want to share that user information with the app at destination B? There's no auth set up in the proxy?

That user information is preserved in the auth cookie which is attached to each request. All the microservice needs to do is read that cookie. The easiest way to do that is to add cookie auth to the microservice. There are two steps:

1. The apps need to share encryption keys so they can both read the cookies. That's configured through DataProtection:
   https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-3.1

2. Add cookie auth to the microservice:

services
     .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
         .AddCookie();

Since cookie auth set set as the default in that example, the app will automatically read the cookie on each request and set HttpContext.User.

[Tratcher]

Note if the microservice needs to reject anonymous requests then you use the standard authorization policies and/or the Authorize attribute on controllers.

[PieterBoeren]

So if I understand this right, you have auth set up in destination A as shown above, and you want to share that user information with the app at destination B? There's no auth set up in the proxy?

Sorry, this was not clear in my question. The above code with the Identity Server configuration is inside the proxy. So I have:

• The proxy with the authentication configured (and policies on all routes)
• A single-page application with no authentication at all (all files go through the proxy, including index.html, making sure I have to logon)
• A microservice which I am in doubt about

Does that change your answer?

[Tratcher]

Ah. No, the answer is still the same, but it's the proxy and the microservice that need to share keys.