ContextQMD
Back to Ocelot

Authorization

docs/features/authorization.rst

24.1.02.5 KB
Original Source

Authorization

Ocelot supports claims based authorization which is run post authentication. This means if you have a route you want to authorize, you can add the following to your route configuration:

.. code-block:: json

"RouteClaimsRequirement": { "UserType": "registered" }

In this example, when the :ref:authorization-middleware is called, Ocelot will check to see if the user has the claim type UserType and if the value of that claim is "registered". If it isn't then the user will not be authorized and the response will be 403 Forbidden <https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403>_.

.. _authorization-middleware:

Authorization Middleware

The AuthorizationMiddleware <https://github.com/search?q=repo%3AThreeMammals%2FOcelot+AuthorizationMiddleware+language%3AC%23&type=code&l=C%23>_ is built-in into Ocelot pipeline.

| Previous private: ClaimsToClaimsMiddleware | Previous public: PreAuthorizationMiddleware | This: AuthorizationMiddleware | Next private: ClaimsToHeadersMiddleware | Next public: PreQueryStringBuilderMiddleware

.. role:: htm(raw) :format: html

So, the closest middlewares are in order of calling:

ClaimsToClaimsMiddleware :htm:&rarr; PreAuthorizationMiddleware :htm:&rarr; AuthorizationMiddleware :htm:&rarr; ClaimsToHeadersMiddleware :htm:&rarr; PreQueryStringBuilderMiddleware

As you may know from the :doc:../features/middlewareinjection chapter, the Authorization middleware can be overridden like this:

.. code-block:: csharp

var app = builder.Build();
await app.UseOcelot(new OcelotPipelineConfiguration
{
    AuthorizationMiddleware = async (context, next) =>
    {
        await next.Invoke();
    }
});
await app.RunAsync();

Note! Do this in very rare cases, because overriding the Authorization middleware means you will lose claims and scopes authorizer through the RouteClaimsRequirement property of the route. Another option is preparing before the actual authorization in PreAuthorizationMiddleware, which is public and open to overriding.

.. code-block:: csharp

await app.UseOcelot(new OcelotPipelineConfiguration
{
    PreAuthorizationMiddleware = async (context, next) =>
    {
        // Do whatever you want here
        await next.Invoke(); // next is AuthorizationMiddleware
    }
});