Authentication and authorization as a central MicroService ASP.NET

I am planning to change the ASP.NET Web API 2.0 which includes Authentication and Authorization and all the services into Microservices architecture.

My question: if I create a central microservice to handle authentication and authorization, how do I authorize the users sending requests with their tokens to other services?

To elaborate the question:

Let's say I have three microservices:

1) ASP.NET Framework service handling authentication and authorization, which will authenticate a user and send a token.
2) Orders service, which will receive the requests with the token in their headers (ASP.NET Core).
3) Accounting service, which will receive the requests with the token in their headers (ASP.NET Core).

How do we authorize the users when they call service 2 or 3? And is this an ideal approach?

sai dharmendra kanneganti asked Apr 08 '19 15:04


2 Answers

Instead of authenticating external requests at each microservice (you may want to do that for internal microservice communications), I would install a gateway (for example Ocelot), which can handle the external "upstream" authentication for you using whatever system you're using, for example for JWT bearer:

// In the gateway's Startup: register the scheme that Ocelot will reference by name
public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication()
        .AddJwtBearer("TestScheme", x => ...); // <-- configure token validation (issuer, audience, signing key) here
}

Then in Ocelot you can decide which routes require this scheme as follows:

"Routes": [{
        "DownstreamHostAndPorts": [...],
        "DownstreamPathTemplate": "/",
        "UpstreamPathTemplate": "/",
        "AuthenticationOptions": {
            "AuthenticationProviderKey": "TestScheme", //<--here decide to use this scheme
            "AllowedScopes": []
        }
    }]

If authentication is successful you can use Ocelot's "claims to claims transformation" method from your upstream to downstream. I personally wanted to customise this and build a new JWT token for internal authentication, so I used my own downstream handler, like this:

services
   .AddHttpClient<IMyService, MyService>(client => ...)
   .AddHttpMessageHandler<MyJwtDownstreamHandler>();

// then in the MyJwtDownstreamHandler (a DelegatingHandler), attach the internal token to every outgoing request
protected override Task<HttpResponseMessage> SendAsync(
   HttpRequestMessage request, CancellationToken cancellationToken)
{
   request.Headers.Authorization = new AuthenticationHeaderValue(
      "bearer",
      TokenGenerator.Generate( //<--generate your own symmetric token using your own method
         identity: myIdentity  //<--claims for downstream here
      )
   );
   return base.SendAsync(request, cancellationToken);
}
Brett answered Oct 06 '22 23:10


Based on the comments above:

External Identity provider

You may need to use an external identity provider, e.g. IdentityServer4, Azure AD or Auth0, etc. Since the token generated may be a JWT token, you will have to validate the token.

Validate Token

You need to validate the token in the .NET Core middleware. Every token issued has a payload, and your app middleware will verify every incoming token and reject it if it's not able to validate it. Your middleware will fill the claims principal, which can be used in your application to validate the authorization as well, e.g. roles (if the user has authorization to access a particular API). You would put the "Authorize" attribute on top of the controller and it will do the job.

You can validate the token manually, or some identity providers give automatic validation, e.g. Azure AD will validate the token and fill the claims principal without much effort by simply adding the Azure AD NuGet package.

There are heaps of examples if you simply Google. Tokens can be confusing, so I would suggest you understand tokens, e.g. id_token, access_token, refresh token, authentication flows and claims. It would become easier if you understand the token types and flows. I am attaching a very simple example just to give you an idea.

Example

Imran Arshad answered Oct 07 '22 00:10
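An added example, not from either answer above, of what the "validate the token in the middleware" step looks like in one of the downstream ASP.NET Core services (the Orders service, service 2 in the question). It assumes a symmetric signing key shared with the issuer, as in Brett's downstream-handler approach, read from an assumed `Jwt` configuration section (`Issuer`, `Audience`, `SigningKey`); with an external provider such as Azure AD or IdentityServer4 you would set `options.Authority` instead and let the middleware fetch the signing keys from discovery.

```csharp
// Added example: Orders service Program.cs (assumed names, not the project's code).
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
var jwt = builder.Configuration.GetSection("Jwt"); // assumed section: Issuer, Audience, SigningKey

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Every incoming token is checked against all of these; a failure yields 401.
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = jwt["Issuer"],
            ValidateAudience = true,            // token must be minted for *this* service
            ValidAudience = jwt["Audience"],
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30), // default is 5 minutes; tighten it
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes(jwt["SigningKey"]!)),
            // Pin the algorithm so a token with a different "alg" header is rejected.
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
        };
    });

// Authorization: the "scope" claim is often a single space-separated string,
// so split it rather than matching the whole value with RequireClaim.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("OrdersRead", policy => policy
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx => ctx.User.FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Contains("orders.read")));
});

var app = builder.Build();
app.UseAuthentication(); // fills HttpContext.User from the validated token
app.UseAuthorization();  // enforces policies / [Authorize] attributes

// Equivalent to [Authorize(Policy = "OrdersRead")] on a controller action.
app.MapGet("/orders", (ClaimsPrincipal user) =>
        Results.Ok(new { subject = user.FindFirstValue(ClaimTypes.NameIdentifier) }))
   .RequireAuthorization("OrdersRead");

app.Run();
```

The Accounting service (service 3) gets the same wiring with its own `Audience` value, so a token issued for Orders cannot be replayed against Accounting.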