Enabling downstream api calls before login (and other related issues)

[Justincale]

Hi guys,

I am integrating an existing system into oqtane as a set of modules. The whole things consists of:

1. The API (.net core web app): Accepts jwt tokens for authorization.
2. Duende Identity Server: Used for authentication of users (login, register etc.) I have, somewhat, successfully implemented this using the Oqtane framework via oidc.
3. The client (oqtane). Modules in Oqtane call the API.

What i am struggling with:

1. The way the oidc and token framework has been implemented in Oqtane means i only get a _siteState.AuthorizationToken if a user has logged in. This is an issue for my implementation, as the API has endpoints which only need information regarding the client and can be called without an authenticated user. Previously, i generate a token by making a client_credentials call to the identity server which would then be passed to the API.

2. (SLOVED'ish) I am sure this has more to do with my lack of knowledge, but outside of Oqtane access tokens get passed directly to the API as a jwt. Using the oqtane framework the access token gets passed as a claim inside of the jwt (claim type = "access_token"). I kind of understand that from Oqtane's point of view this access token is meant for the api and shouldn't be read by the client, but i am really stuggling to figure out how i decode this in the API? It just comes in as a claim type whose value is an encoded jwt. Shouldn't the claims inside of this jwt be part of my ClaimsPrinciple on the API end? As i say, i think this is due to my poor knowledge of these things, but any help here would be greatly appreciated as it's driving me nuts.

The above point 2 was solved by reading the access_token claim on the client side from "_accessor.HttpContext.User.Claims", and setting that as the bearer token of a httpClient. Although this works, i'm still uncertain as to why Oqtane RemoteServiceBase isn't already doing this?

I'm wondering if RemoteServiceBase could be updated to:

1. Allow clientcredentials to be retrieved from the identityserver if a user isn't logged in.
2. Read the access_token from the User.Claims (as above) and set that as the bearer token

[sbwalker]

@Justincale my apologies for the late reply to this thread. The current implementation of auth was designed to cater to a number of different use cases:

1. Ability for a user to authenticate locally using self-hosted .NET Identity which generates a cookie including their local role assignments.
2. Ability to for a user to authenticate using a 3rd party Identity Provider (ie. OAuth2 or OIDC). Once a user is authenticated they are mapped to a local user in the Oqtane application which is used to generate a cookie including their local role assignments.
3. Ability for an authenticated user to generate a JwT token based on their cookie which can be passed to a remote API (ie. using RemoteServiceBase)

It sounds like what you want is the ability for Oqtane to act as a proxy and pass the access token from the Identity Provider to a remote API. This scenario was never implemented which is why you are struggling to get it to work.

[Justincale]

I am closing this and starting a new thread as i have other issues related to the oidc implementation within Oqtane.