Ocelot - IdentityServer Integration

Ocelot Sep 15, 2020

This article is part of Ocelot GW tutorial series which explains need of API Gateway and how to use Ocelot with ASP.net Core application as API gateway.

Before you start this tutorial, make sure you have gone through previous post.

In previous article we have gone through base setup & Rate Limiting . In this article we will discuss how to integrate Identity Management Solutions with GW . In this post we will use open source IdentityServer library. This library implements industry standards such as OIDC and Oauth.

I will refer IDM as identityServer throughout this post.

Why do we even need to integrate IDM solution with GW ?

  • Secure API and only accessible to authorized systems.
  • Consolidate Authentication and authorization logic at central location (GW) since all of my traffic to request will be passed via GW only .

Having said that , this is how our application flow looks like . Here all of my traffic to API is passed via GW and GW connect to IDM for validating each and every request .

Ocelot Identity Server Integration 

Before we start building our solution , there are few IDM concepts which you need to understand

Clients - Clients are actual application that allow your to access API resource.
Scope - More of access authorization on what all permission does a client holds.
Grant Type - Mechanism of communicating with a client (ex: Client Credentials , Implicit , Hybrid etc)

API Resource - Your actual API which you wish to protect using IDM.
API Scope - More of authorization of what you can do with API (Ex : Read, Write)
API Secret - One time secret used in your request for introspect end points .

Since we have used IdentityServer , we need to have working IDM server which you can download from github in localbox and configure client, Resource and Scopes.

Lets hope on Code wagon. Open solution from previous post and install following nuget packages .

Install-Package IdentityServer4
Install-Package IdentityServer4.AccessTokenValidation

Update Startup.cs code with following code

public void ConfigureServices(IServiceCollection services)
            var identityBuilder = services.AddAuthentication();
            identityBuilder.AddIdentityServerAuthentication("CatalogAPIKey", options =>
                options.Authority = "{IDM_SERVER_URL}";
                options.RequireHttpsMetadata = false;
                options.ApiName = "{RESOURCE_API_NAME}";
                options.ApiSecret = "{RESOIRCE_API_Secret}";
                options.SupportedTokens = SupportedTokens.Jwt;


Add authentication property on Catalog end point in config file.

      "DownstreamPathTemplate": "/api/catalog",
      "DownstreamScheme": "https",
      "DownstreamHostAndPorts": [
          "Host": "localhost",
          "Port": 44343
      "UpstreamPathTemplate": "/catalog",
      "UpstreamHttpMethod": [ "GET" ],
      "AuthenticationOptions": {
        "AuthenticationProviderKey": "CatalogAPIKey",
        "AllowedScopes": []

Lets run this solution and understand what's happening behind the scene .

  • Customer EndPoint - HTTP 200 OK
  • Run Catalog End point - HTTP 401 , Unauthorized - Reason we are getting this error is because we have asked Ocelot library to check if this request contains authorized header and validate against IDM , Since we are just simply calling it without any token its giving us unauthorized error .
  • Run Catalog End point with bearer token , HTTP 200 .Reason why this request work was because token which we passed has right credentials(client and API both have same scopes) to access our API resource .

With this we can conclude that Integration of GW with IDM is pretty straight forward . You can configure multiple API resource authorization on Startup class(via Iterator)  .

Download Working code from  https://github.com/DMehro/OcelotAPIGW