all packages upgraded and tests passing

Author: TomPallister

docs/features/administration.rst

@@ -12,19 +12,22 @@ This will bring down everything needed by the admin API.
 Providing your own IdentityServer
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-
-
 All you need to do to hook into your own IdentityServer is add the following to your ConfigureServices method.
 
 .. code-block:: csharp
 
     public virtual void ConfigureServices(IServiceCollection services)
     {
-        Action<IdentityServerAuthenticationOptions> options = o => {
-                // o.Authority = ;
-                // o.ApiName = ;
-                // etc....
+        Action<JwtBearerOptions> options = o =>
+        {
+            o.Authority = identityServerRootUrl;
+            o.RequireHttpsMetadata = false;
+            o.TokenValidationParameters = new TokenValidationParameters
+            {
+                ValidateAudience = false,
             };
+            // etc....
+        };
 
         services
             .AddOcelot()

docs/features/authentication.rst

@@ -97,16 +97,14 @@ In order to use IdentityServer bearer tokens, register your IdentityServer servi
     public void ConfigureServices(IServiceCollection services)
     {
         var authenticationProviderKey = "TestKey";
-        Action<IdentityServerAuthenticationOptions> options = o =>
+        Action<JwtBearerOptions> options = o =>
             {
                 o.Authority = "https://whereyouridentityserverlives.com";
-                o.ApiName = "api";
-                o.SupportedTokens = SupportedTokens.Both;
-                o.ApiSecret = "secret";
+                // etc
             };
 
         services.AddAuthentication()
-            .AddIdentityServerAuthentication(authenticationProviderKey, options);
+            .AddJwtBearer(authenticationProviderKey, options);
 
         services.AddOcelot();
     }

src/Ocelot.Administration/Ocelot.Administration.csproj

@@ -31,7 +31,7 @@
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
     <PackageReference Include="IdentityServer4.AccessTokenValidation" Version="3.0.1" />
-    <PackageReference Include="IdentityServer4" Version="3.1.1" />
+    <PackageReference Include="IdentityServer4" Version="4.1.1" />
   </ItemGroup>
   <ItemGroup>
     <PackageReference Update="Microsoft.SourceLink.GitHub" Version="1.0.0" />

src/Ocelot.Administration/OcelotBuilderExtensions.cs

@@ -1,7 +1,6 @@
 using Ocelot.DependencyInjection;
 using IdentityServer4.AccessTokenValidation;
 using IdentityServer4.Models;
-using Microsoft.AspNetCore.Builder;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
@@ -10,6 +9,9 @@
 using System.Collections.Generic;
 using System.IdentityModel.Tokens.Jwt;
 using System.Security.Cryptography.X509Certificates;
+using System.Linq;
+using Microsoft.IdentityModel.Tokens;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
 
 namespace Ocelot.Administration
 {
@@ -18,6 +20,7 @@ public static class OcelotBuilderExtensions
         public static IOcelotAdministrationBuilder AddAdministration(this IOcelotBuilder builder, string path, string secret)
         {
             var administrationPath = new AdministrationPath(path);
+
             builder.Services.AddSingleton<OcelotMiddlewareConfigurationDelegate>(IdentityServerMiddlewareConfigurationProvider.Get);
 
             //add identity server for admin area
@@ -32,7 +35,7 @@ public static IOcelotAdministrationBuilder AddAdministration(this IOcelotBuilder
             return new OcelotAdministrationBuilder(builder.Services, builder.Configuration);
         }
 
-        public static IOcelotAdministrationBuilder AddAdministration(this IOcelotBuilder builder, string path, Action<IdentityServerAuthenticationOptions> configureOptions)
+        public static IOcelotAdministrationBuilder AddAdministration(this IOcelotBuilder builder, string path, Action<JwtBearerOptions> configureOptions)
         {
             var administrationPath = new AdministrationPath(path);
             builder.Services.AddSingleton<OcelotMiddlewareConfigurationDelegate>(IdentityServerMiddlewareConfigurationProvider.Get);
@@ -46,11 +49,11 @@ public static IOcelotAdministrationBuilder AddAdministration(this IOcelotBuilder
             return new OcelotAdministrationBuilder(builder.Services, builder.Configuration);
         }
 
-        private static void AddIdentityServer(Action<IdentityServerAuthenticationOptions> configOptions, IOcelotBuilder builder)
+        private static void AddIdentityServer(Action<JwtBearerOptions> configOptions, IOcelotBuilder builder)
         {
             builder.Services
                 .AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
-                .AddIdentityServerAuthentication(configOptions);
+                .AddJwtBearer("Bearer", configOptions);
         }
 
         private static void AddIdentityServer(IIdentityServerConfiguration identityServerConfiguration, IAdministrationPath adminPath, IOcelotBuilder builder, IConfiguration configuration)
@@ -60,22 +63,27 @@ private static void AddIdentityServer(IIdentityServerConfiguration identityServe
                 .AddIdentityServer(o =>
                 {
                     o.IssuerUri = "Ocelot";
+                    o.EmitStaticAudienceClaim = true;
                 })
+                .AddInMemoryApiScopes(ApiScopes(identityServerConfiguration))
                 .AddInMemoryApiResources(Resources(identityServerConfiguration))
                 .AddInMemoryClients(Client(identityServerConfiguration));
 
             var urlFinder = new BaseUrlFinder(configuration);
             var baseSchemeUrlAndPort = urlFinder.Find();
             JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
 
-            builder.Services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
-                .AddIdentityServerAuthentication(o =>
+            builder.Services
+                .AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
+                .AddJwtBearer("Bearer", options =>
                 {
-                    o.Authority = baseSchemeUrlAndPort + adminPath.Path;
-                    o.ApiName = identityServerConfiguration.ApiName;
-                    o.RequireHttpsMetadata = identityServerConfiguration.RequireHttps;
-                    o.SupportedTokens = SupportedTokens.Both;
-                    o.ApiSecret = identityServerConfiguration.ApiSecret;
+                    options.Authority = baseSchemeUrlAndPort + adminPath.Path;
+                    options.RequireHttpsMetadata = identityServerConfiguration.RequireHttps;
+
+                    options.TokenValidationParameters = new TokenValidationParameters
+                    {
+                        ValidateAudience = false,
+                    };
                 });
 
             //todo - refactor naming..
@@ -91,6 +99,11 @@ private static void AddIdentityServer(IIdentityServerConfiguration identityServe
             }
         }
 
+        private static IEnumerable<ApiScope> ApiScopes(IIdentityServerConfiguration identityServerConfiguration)
+        {
+            return identityServerConfiguration.AllowedScopes.Select(s => new ApiScope(s));
+        }
+
         private static List<ApiResource> Resources(IIdentityServerConfiguration identityServerConfiguration)
         {
             return new List<ApiResource>
@@ -101,9 +114,9 @@ private static List<ApiResource> Resources(IIdentityServerConfiguration identity
                     {
                         new Secret
                         {
-                            Value = identityServerConfiguration.ApiSecret.Sha256()
-                        }
-                    }
+                            Value = identityServerConfiguration.ApiSecret.Sha256(),
+                        },
+                    },
                 },
             };
         }
@@ -117,8 +130,8 @@ private static List<Client> Client(IIdentityServerConfiguration identityServerCo
                     ClientId = identityServerConfiguration.ApiName,
                     AllowedGrantTypes = GrantTypes.ClientCredentials,
                     ClientSecrets = new List<Secret> {new Secret(identityServerConfiguration.ApiSecret.Sha256())},
-                    AllowedScopes = { identityServerConfiguration.ApiName }
-                }
+                    AllowedScopes = identityServerConfiguration.AllowedScopes,
+                },
             };
         }
     }

test/Ocelot.AcceptanceTests/AuthenticationTests.cs

@@ -278,6 +278,11 @@ private void GivenThereIsAnIdentityServerOn(string url, string apiName, string a
                     services.AddLogging();
                     services.AddIdentityServer()
                     .AddDeveloperSigningCredential()
+                        .AddInMemoryApiScopes(new List<ApiScope>
+                        {
+                            new ApiScope(apiName, "test"),
+                            new ApiScope(api2Name, "test"),
+                        })
                         .AddInMemoryApiResources(new List<ApiResource>
                         {
                             new ApiResource
@@ -286,12 +291,12 @@ private void GivenThereIsAnIdentityServerOn(string url, string apiName, string a
                                 Description = "My API",
                                 Enabled = true,
                                 DisplayName = "test",
-                                Scopes = new List<Scope>()
+                                Scopes = new List<string>()
                                 {
-                                    new Scope("api"),
-                                    new Scope("api.readOnly"),
-                                    new Scope("openid"),
-                                    new Scope("offline_access"),
+                                    "api",
+                                    "api.readOnly",
+                                    "openid",
+                                    "offline_access",
                                 },
                                 ApiSecrets = new List<Secret>()
                                 {
@@ -311,10 +316,10 @@ private void GivenThereIsAnIdentityServerOn(string url, string apiName, string a
                                 Description = "My second API",
                                 Enabled = true,
                                 DisplayName = "second test",
-                                Scopes = new List<Scope>()
+                                Scopes = new List<string>()
                                 {
-                                    new Scope("api2"),
-                                    new Scope("api2.readOnly"),
+                                    "api2",
+                                    "api2.readOnly",
                                 },
                                 ApiSecrets = new List<Secret>()
                                 {