Authorization header propagation in ASP.NET Core APIs

Emre Teoman
Borda Technology
Jun 15, 2021

Authentication is a key aspect of enterprise-level Web API applications. In addition to authentication, it is also necessary to ensure that every caller is authorized to access only the correct part of the API. The HTTP protocol is widely used in client-API communication, and in HTTP the Authorization header is mostly used to handle authentication and authorization. For example, JSON Web Token (JWT) is commonly used in token-based authentication mechanisms. The token is written in the Authorization header like this:

Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

The number of services in microservice architectures is much higher than in monolithic structures. Most of these microservices require authentication and authorization. After the client receives a valid token from the authority, it sends this token in the header of every request to the API. In addition to client-API communication, services can make HTTP calls to each other: a request sent by the client to one microservice can cause that microservice to call another one.

Therefore, there must be a valid token in the Authorization header when communicating from API to API. This article describes how to propagate the authorization header provided by the client from one service to another in ASP.NET Core.

Authorization Header Propagation

In our projects, we use header propagation to propagate the Authorization header. Our clients get a JWT from the authority and send the token in the header of all their requests. The JWT contains authorization information such as roles. Therefore, all APIs are able to check authentication and authorization.

Our Startup.cs file looks like this:

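    using Microsoft.AspNetCore.Builder;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Extensions.Hosting;

    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddControllers();

            // Capture the incoming Authorization header for propagation.
            services.AddHeaderPropagation(o =>
            {
                o.Headers.Add("Authorization");
            });

            // MyClient is a typed HttpClient class defined elsewhere in the project.
            // Its outgoing requests carry the captured headers.
            services.AddHttpClient<MyClient>().AddHeaderPropagation();
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseRouting();

            // Register the middleware that captures headers from each incoming request.
            app.UseHeaderPropagation();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });
        }
    }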

Let’s look at the details of the library…

Header Propagation Middleware

The Microsoft.AspNetCore.HeaderPropagation library provides a middleware that propagates HTTP headers from the incoming request to the outgoing request.

Library

The library Microsoft.AspNetCore.HeaderPropagation is available on NuGet.

Usage

Header propagation is configured in ConfigureServices in Startup.cs in four different ways:

    services.AddHeaderPropagation(o =>
    {
        // Propagate the header with the same name if it exists
        o.Headers.Add("Accept-Language");
        // Propagate the header with a different name if it exists
        o.Headers.Add("Accept-Language", "Lang");
        // Propagate the header with the same name and a default value
        o.Headers.Add("Accept-Language", context => "en");
        // Propagate the header with a different name and a default value
        o.Headers.Add("Accept-Language", "Lang", context => "en");
    });

To register the header propagation middleware in Configure in Startup.cs:

    app.UseHeaderPropagation();

To associate the header propagation defined in the ConfigureServices method with an HttpClient:

    services.AddHttpClient<MyClient>().AddHeaderPropagation();

In addition, header propagation can be added to a client for specific headers only:

    services.AddHttpClient<MyClient>().AddHeaderPropagation(o =>
    {
        o.Headers.Add("Accept-Language", "Lang");
    });
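
Per-client scoping matters most for the Authorization header, because the parameterless AddHeaderPropagation() forwards every captured header to whatever host that client calls. The Startup.cs below is an added example, not code from the original article; the typed clients InternalOrdersClient and ExternalGeoClient and both URLs are hypothetical.

```csharp
using System;
using System.Net.Http;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical typed clients (names and URLs are assumptions): one calls a service
// inside our trust boundary, the other a third-party API that must not see the token.
public class InternalOrdersClient
{
    public InternalOrdersClient(HttpClient http) => Http = http;
    public HttpClient Http { get; }
}
public class ExternalGeoClient
{
    public ExternalGeoClient(HttpClient http) => Http = http;
    public HttpClient Http { get; }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        // Capture both headers from the incoming request.
        services.AddHeaderPropagation(o =>
        {
            o.Headers.Add("Authorization");
            o.Headers.Add("X-Correlation-ID");
        });
        // Internal service: forward the caller's token and the correlation id.
        services.AddHttpClient<InternalOrdersClient>(c => c.BaseAddress = new Uri("https://orders.internal.example/"))
            .AddHeaderPropagation(o =>
            {
                o.Headers.Add("Authorization");
                o.Headers.Add("X-Correlation-ID");
            });
        // Third-party API: forward only the correlation id. The parameterless
        // AddHeaderPropagation() would also send the bearer token to this host.
        services.AddHttpClient<ExternalGeoClient>(c => c.BaseAddress = new Uri("https://geo.example.com/"))
            .AddHeaderPropagation(o => o.Headers.Add("X-Correlation-ID"));
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseHeaderPropagation();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```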

Usage Scenarios

  • Propagating authorization token (e.g. Authorization)
  • User language for resources (e.g. Accept-Language)
  • Distributed tracing (monitoring the chain of requests in microservice architectures, e.g. X-Correlation-ID)
  • Browser information (e.g. User-Agent)
  • Tenant-Id for multi-tenant applications
  • Other custom information

Thanks for reading.