Dynamic routes are unable to utilize `AuthenticationOptions` for global authentication

[yuzhu666]

{
  "Routes": [],
  "Aggregates": [],
  "GlobalConfiguration": {
    "RequestIdKey": null,
    "ServiceDiscoveryProvider": {
      "Host": "localhost",
      "Port": 8500,
      "Type": "Consul",
      "Token": null,
      "ConfigurationKey": null
    },
    "RateLimitOptions": {
      "ClientIdHeader": "ClientId",
      "QuotaExceededMessage": null,
      "RateLimitCounterPrefix": "ocelot",
      "DisableRateLimitHeaders": false,
      "HttpStatusCode": 429
    },
    "QoSOptions": {
      "ExceptionsAllowedBeforeBreaking": 0,
      "DurationOfBreak": 0,
      "TimeoutValue": 0
    },
    "BaseUrl": null,
    "LoadBalancerOptions": {
      "Type": "LeastConnection",
      "Key": null,
      "Expiry": 0
    },
    "DownstreamScheme": "http",
    "HttpHandlerOptions": {
      "AllowAutoRedirect": false,
      "UseCookieContainer": false,
      "UseTracing": false
    },
    "AuthenticationOptions": {
      "AuthenticationProviderKey": "MyKey", //指定一个key
      "AllowedScopes": [ "apiScopes" ] //id4的作用域名称
    }
  }
}

[yuzhu666]

AuthenticationOptions is ineffective for dynamic routes, but works fine for static routes.

[raman-m]

Dear Jack,
Thank you for your interest in the Ocelot project!

As per the Dynamic Route Schema, authentication options (aka AuthenticationOptions) are not supported.
In addition, the Global Configuration Schema does not include an AuthenticationOptions section.

Using authentication in dynamic routing can feel a bit awkward, but it might make sense if a downstream service requires authentication and you decide to prepare route artifacts after the pre-authentication stage on Ocelot's side. However, I believe authentication shouldn't be part of Ocelot, and it's better to have an anonymous route that forwards authentication artifacts (tokens) directly to the downstream service.

[raman-m]

AuthenticationOptions is ineffective for dynamic routes, but works fine for static routes.

Is this a statement of fact, or simply a question?

Authentication is implemented for static routes, but not for dynamic routes. In theory, dynamic routes could support authentication features.

[raman-m]

{
  "Routes": [],
  "Aggregates": [],
  "GlobalConfiguration": {
    "AuthenticationOptions": {
      "AuthenticationProviderKey": "MyKey", //指定一个key
      "AllowedScopes": [ "apiScopes" ] //id4的作用域名称
    }
  }
}

Your JSON configuration indicates a desirable feature of global authentication for static routes, which has not been implemented. Similarly, such a global auth feature is also missing in dynamic routing.

Will you be contributing to the project to achieve all these goals?

Could you describe your user scenario as well?
Why is it necessary to authenticate all routes on Ocelot's side?
Why can't authentication tokens be forwarded in anonymous routes to the downstream?

[yuzhu666]

Dear raman-m, thank you for your reply. I am currently in the learning stage and only studying authentication. If the framework is designed this way by default, that’s perfectly fine.

[raman-m]

Alright, got it! Using the Ocelot gateway during your student life could be quite amusing.

Regarding the global AuthenticationOptions configuration feature, I've decided to reopen this task as it still makes sense to implement. If the user scenario involves deploying Ocelot as a public entry endpoint (aka Ingress) for internal company services within corporate private (local) networks, a global authentication configuration remains relevant.
I’m seeking help from the community, as I’m afraid it won’t be included in version 24.1. The optimistic plan for delivery is to implement the feature in version 25.0 or later.