Using eShopOnContainers .NET microservices architecture - Use AD B2C instead of IdentityServer4 for microservice authentication

I have downloaded eShopOnContainers that is a .NET Microservices Sample Reference Application for microservices architecture and Docker containers.

https://github.com/dotnet-architecture/eShopOnContainers

https://docs.microsoft.com/en-us/dotnet/architecture/cloud-native/introduce-eshoponcontainers-reference-app

I think it is really good but I would like to decommission Identity.API that uses IdentityServer4 and probably will use Duende IdentityServer later. At the moment we use Azure AD B2C and I would like to continue with that. For the moment it means there is no need for local token generation.

Looking at Ordering.API - Startup.cs it uses the following for authentication:

public static IServiceCollection AddCustomAuthentication(this IServiceCollection services, IConfiguration configuration)
{
    // prevent from mapping "sub" claim to nameidentifier.
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("sub");

    var identityUrl = configuration.GetValue<string>("IdentityUrl");

    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerDefaults.AuthenticationScheme;

    }).AddJwtBearer(options =>
    {
        // discovery document and signing keys are fetched from the issuer's metadata endpoint
        options.Authority = identityUrl;
        // allows plain-HTTP metadata for local docker-compose runs; keep the default (true) outside development
        options.RequireHttpsMetadata = false;
        options.Audience = "orders";
    });

    return services;
}

In AD B2C I have an application with two different scopes and I have been able to get an access token with these two scopes. However, using the code above with the access token I simply get an HTTP 401 Unauthorized when used against a new ASP.NET Core Web API. I have also tried to set only options.MetadataAddress and options.Audience, following the guides below, but no luck: same result, HTTP 401 Unauthorized.

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-6.0#use-multiple-authentication-schemes

https://dzimchuk.net/setting-up-your-asp-net-core-2-0-apps-and-services-for-azure-ad-b2c/

Token: [screenshot of the access token, not reproduced]

I can get it to work using default Microsoft identity platform authentication but I would not like to add the client secret to every microservice.

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

I know that Ocelot was used as API Gateways before but got changed to Envoy due to built-in support for the WebSocket protocol, required by the new gRPC inter-service communications implemented in eShopOnContainers. Is there anything I need to change there once I get the token to work?

https://docs.microsoft.com/en-us/dotnet/architecture/microservices/multi-container-microservice-net-applications/implement-api-gateways-with-ocelot



Solution 1:

In the end it turned out to be a very simple mistake. Creating the ASP.NET Core Web API project I chose Authentication type: None. In Program.cs only app.UseAuthorization(); was added and not app.UseAuthentication();. When I added this I got it working with these settings:

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerDefaults.AuthenticationScheme;

}).AddJwtBearer(options =>
{
    options.MetadataAddress = $"<iss URL>.well-known/openid-configuration?p=<tfp>";
    options.Audience = "<aud GUID>";
});

No need to change anything in the Envoy ApiGateway that I can see.

If you receive a 401 Unauthorized then look at the WWW-Authenticate response header for further troubleshooting.

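The fix described in the answer, written out as a complete .NET 6 Program.cs for one microservice validating AD B2C tokens without any client secret. This is an added example, not code from eShopOnContainers or from the answer; the AzureAdB2C configuration keys, the B2C metadata URL shape and the "orders.read" scope name are assumptions, and the scope check goes beyond the answer by enforcing one of the two scopes the question mentions.

```csharp
// Program.cs (.NET 6 minimal hosting). Added example, not eShopOnContainers code.
// Assumed configuration keys under "AzureAdB2C":
//   Instance              https://<tenant>.b2clogin.com
//   Domain                <tenant>.onmicrosoft.com
//   SignUpSignInPolicyId  the user flow, e.g. B2C_1_signupsignin
//   ClientId              the API app registration GUID (the token's "aud")
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;

var builder = WebApplication.CreateBuilder(args);
var b2c = builder.Configuration.GetSection("AzureAdB2C");

// Keep "sub" as "sub" instead of remapping it to nameidentifier (as eShopOnContainers does).
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("sub");

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Per-policy metadata document: issuer and signing keys are read from here,
        // so the API holds no secret. RequireHttpsMetadata stays at its default (true).
        options.MetadataAddress =
            $"{b2c["Instance"]}/{b2c["Domain"]}/{b2c["SignUpSignInPolicyId"]}/v2.0/.well-known/openid-configuration";
        options.Audience = b2c["ClientId"];
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,      // issuer value comes from the metadata document
            ValidateAudience = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2)
        };
    });

// A valid token is not enough: require the delegated scope for this API.
// B2C emits scopes as a space-separated "scp" claim; the long-form claim type is checked too.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("orders.read", policy => policy.RequireAssertion(ctx =>
        (ctx.User.FindFirst("scp") ?? ctx.User.FindFirst("http://schemas.microsoft.com/identity/claims/scope"))
            ?.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries).Contains("orders.read") == true)));

var app = builder.Build();
app.UseAuthentication();   // the step missing in the question; must precede UseAuthorization
app.UseAuthorization();

app.MapGet("/api/orders", () => Results.Ok(new[] { "order-1", "order-2" }))
   .RequireAuthorization("orders.read");

app.Run();
```

With UseAuthentication() absent, every request reaches UseAuthorization() with an anonymous principal, which is exactly the blanket 401 the question describes; the WWW-Authenticate header then carries the validation error text once authentication is actually wired in.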

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
