YARP proxy with password grant flow issue #1683

Closed
1 task done
syedemad opened this issue Feb 19, 2023 · 2 comments

@syedemad

Confirm you've already contributed to this project or that you sponsor it

  • I confirm I'm a sponsor or a contributor

Version

4.x

Question

Hi,
I am using the OpenIddict password grant flow in a microservice architecture (although I would like to add another client for Angular using the Auth grant). I have added a proxy layer using YARP. Currently, to make the address unified, I had to add a new cluster for the identity server like this, by changing the endpoints in the identity server like: `.SetTokenEndpointUris("api/identity/connect/token")`

```json
{
  "ReverseProxy": {
    "Routes": {
      "route4": {
        "ClusterId": "identity",
        "Match": {
          "Path": "/api/identity/{**catch-all}"
        }
      }
    },
    "Clusters": {
      "identity": {
        "Destinations": {
          "usermanagement1": {
            "Address": "http://localhost:8060/"
          }
        }
      }
    }
  }
}
```

I am able to get a token using the proxy URL http://172.16.1.154:8090/api/identity/connect/token
The reference token issued is available via proxy introspect but not from direct introspect, i.e. http://localhost:8060/
My proxy code is based on the Dantooine sample.

Questions:

  1. Can I use multiple flows in the same YARP? Currently it's password grant.
  2. The Dantooine redirects the page where there is direct token endpoint
  3. Should I configure the token endpoint as a route in the proxy config?
  4. The token issued from the proxy is not introspectable with the direct URL and vice versa

@kevinchalet
Member

Hi,

> The reference token issued is available via proxy introspect but not from direct introspect, i.e. http://localhost:8060/
> The token issued from the proxy is not introspectable with the direct URL and vice versa

This is most likely because the Host header differs depending on whether you access the server, which results in token issuer mismatches. #1610 and #1675 should put you on the right track.

> Can I use multiple flows in the same YARP? Currently it's password grant.

I don't see why you couldn't do that.

> The Dantooine redirects the page where there is direct token endpoint

I'm not sure I understand that question 😕

> Should I configure the token endpoint as a route in the proxy config?

If you have a catch-all route that applies to all your /api/identity endpoints, you don't need a specific route, as it will already be covered by the catch-all route.

Hope it helped.
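
The issuer mismatch described in the reply above, as an added example that is not part of the original thread and is not OpenIddict code: a simplified Python model of a server that infers its issuer from the request's scheme and Host unless an issuer is pinned. The class and function names are hypothetical, and it assumes the proxy passes the original Host through to the backend.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

PROXY_HOST = "172.16.1.154:8090"   # proxy address quoted in the issue
DIRECT_HOST = "localhost:8060"     # backend address quoted in the issue


@dataclass
class ToyIdentityServer:
    """Simplified model (hypothetical, not OpenIddict): issuer is pinned or inferred per request."""
    pinned_issuer: Optional[str] = None
    tokens: dict = field(default_factory=dict)  # reference token -> issuer recorded at issuance

    def issuer_for(self, scheme: str, host: str) -> str:
        # Without a pinned issuer, the issuer follows whatever Host the request carried.
        return self.pinned_issuer or f"{scheme}://{host}/"

    def issue(self, scheme: str, host: str) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = self.issuer_for(scheme, host)
        return token

    def introspect(self, scheme: str, host: str, token: str) -> dict:
        recorded = self.tokens.get(token)
        expected = self.issuer_for(scheme, host)
        if recorded is None:
            return {"active": False, "detail": "unknown token"}
        if recorded != expected:
            # "detail" is for illustration; a real introspection response
            # would just report the token as inactive.
            return {"active": False, "detail": f"issuer {recorded} != {expected}"}
        return {"active": True, "iss": recorded}


def scenario(pinned_issuer: Optional[str] = None) -> tuple:
    """Issue via the proxy, then introspect via the proxy and directly."""
    server = ToyIdentityServer(pinned_issuer)
    # Assumption: the proxy passes the original Host through to the backend.
    token = server.issue("http", PROXY_HOST)
    via_proxy = server.introspect("http", PROXY_HOST, token)
    direct = server.introspect("http", DIRECT_HOST, token)
    return via_proxy["active"], direct["active"]


if __name__ == "__main__":
    print("issuer inferred from Host:", scenario())
    print("issuer pinned:", scenario(f"http://{PROXY_HOST}/"))
```

In OpenIddict, the pinned value in this model corresponds to setting an explicit issuer on the server options with `SetIssuer`.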

@kevinchalet
Member

Doing some housecleaning, but feel free to re-open if you still need help, @syedemad.
