How Ocelot validate expired JWT token and re-send HttpContext with the new header ?

[tahayazdani]

Hi, I'm currently building our api gateway using Ocelot , I have services listed below

• token service (works by itself)
• api-gateway service (ocelot)
• payment-service (works under api-gateway routing)

here is the flow

• once my application is up, I do send the first request to my token (jwt) service to generate a new token and put it into my header
• now I want to send a request to get my payment list, here I want to validate my header in api-gateway before I hit payment-service(token validation) and check if the token is expired or not , if so then go and make a call to token service to refresh the token and return back a new token, then update the header, then re-send the request to payment service.
  I've done most part of it as below, but I don't know how can I re-send my httprequest to either api-gateway or payment service , is that even possible ?
  is my approach correct ? any other better solution ?

please advise,

below is my code, let me know if you have any questions

api-gateway Startup class

services.AddAuthentication(options => {
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;

            })
            .AddJwtBearer("Bearer", x =>
            {
                x.SaveToken = true;
                x.RequireHttpsMetadata = false;
                x.TokenValidationParameters = new TokenValidationParameters {
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Configuration.GetValue<string>("SecretKey"))),
                    ValidateIssuer = true,
                    ValidIssuer = Configuration.GetValue<string>("Token:Issuer"),
                    ValidateAudience = true,
                    ValidAudience = Configuration.GetValue<string>("Token:Audience"),
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.Zero,
                    RequireExpirationTime = true,
                };
            });
            services.AddOcelot().AddCacheManager(option =>
                                    {
                                        option.WithDictionaryHandle();
                                    });

 public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            app.UseAuthorization();
            app.UseAuthentication();
            app.UseOcelot(new TokenHandlerMiddleware(Configuration)).GetAwaiter().GetResult();
            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });
        }


-----------------------------------------------------------------------------

 public class TokenHandlerMiddleware : OcelotPipelineConfiguration
    {
        private IConfiguration _configuration { get; }
        public TokenHandlerMiddleware(IConfiguration configuration)
        {
            _configuration = configuration;
            PreAuthenticationMiddleware = async (ctx, next) =>
            {
                await ProcessRequestAsync(ctx, next);
            };
        }

        public async Task ProcessRequestAsync(DownstreamContext downstream, System.Func<Task> next)
        {
            try
            {
                IEnumerable<string> headers;
                var user = downstream.HttpContext.User.Identity.IsAuthenticated;
                downstream.DownstreamRequest.Headers.TryGetValues("Authorization", out headers);

                if (!headers.Any())
                    throw new UnauthorizedAccessException("Unauthorized");

                var url = _configuration.GetValue<string>("Token:EndPoint") + "/api/token/refreshtoken";
                var token = headers.FirstOrDefault();

                if (string.IsNullOrEmpty(token))
                    throw new UnauthorizedAccessException("Unauthorized");

                token = token.Replace("Bearer ", string.Empty);
                var tokenRequest = new RefreshTokenModel
                {
                    AccessToken = token,
                    RefreshToken = string.Empty
                };
                var jsonRequest = JsonConvert.SerializeObject(tokenRequest);
                var result = await PostAsync<ApiResponse>(url, jsonRequest);

                if (result.issuccessful && result.isrequirednewtoken)
                {
                    //set new token to header and re-send request
                    downstream.DownstreamRequest.Headers.Remove("Authorization");
                    downstream.DownstreamRequest.Headers.Add("Authorization", "Bearer " + result.tokenresponse.token);
       
                    **HERE I NEED TO MAKE A CALL WITH THE NEW HEADER**
                }
                await next.Invoke(); // I thought this line can re-make another call, but it's not working.
            }
            catch (Exception ex)
            {
                throw new UnauthorizedAccessException();
            }
        }

        public async Task<T> PostAsync<T>(string uri, string data)
        {
            var httpClient = new HttpClient();
            var response = await httpClient.PostAsync(uri, new StringContent(data, Encoding.UTF8, "application/json"));

            response.EnsureSuccessStatusCode();

            string content = await response.Content.ReadAsStringAsync();
            return await Task.Run(() => JsonConvert.DeserializeObject<T>(content));
        }
    }

[tahayazdani]

Any help ?

[RomainHautefeuille]

Ocelot should not renew the access-token, only validate/unvalidate it. The end-user application should be in charge of tracking almost expiring tokens and renew them, redirecting to the login page if needed (e.g. cookie also expired on identity server). There are js libraries that will help you with that. oidc-client-js for instance. In any case, since user interaction might be needed, and token renewal is relying on user cookies, the gateway is not the place to automate this.