how to use scopes in Oauth2.0 to authorize user using Express Gateway(Microservice API Gateway)? - express-gateway

I did scopes with key-auth mechanism is perfectly working, but when i use scopes with Oauth2.0 mechanism, i am getting unauthorized error.
I did without scopes, the Oauth2.0 mechanism is working perfectly. Please suggest how to solve this problem?
Following is Gateway YAML configuration:
http:
port: 8080
admin:
port: 9876
host: localhost
apiEndpoints:
api:
- host: 'localhost'
paths: ['/user', '/user/:id']
methods: ["GET"]
scopes: ["user"]
- host: 'localhost'
paths: ['/user', '/user/:id']
methods: ["PUT", "POST", "DELETE"]
scopes: ["admin"]
myApiRest:
host: 'localhost'
paths: '/posts'
serviceEndpoints:
jsonplaceholder:
url: 'http://localhost:8899'
restDummyService:
url: 'https://jsonplaceholder.typicode.com'
policies:
- basic-auth
- cors
- expression
- key-auth
- log
- oauth2
- proxy
- rate-limit
pipelines:
- name: one
apiEndpoints:
- api
policies:
- oauth2:
#- basic-auth:
#- key-auth:
- proxy:
- action:
serviceEndpoint: jsonplaceholder
changeOrigin: true
- name: two
apiEndpoints:
- myApiRest
policies:
#- key-auth:
- proxy:
- action:
serviceEndpoint: restDummyService
changeOrigin: true

Related

How to deploy grpc-web on aws?

I have a backend service that I want to expose via grpc-web.
I'm able to use the service directly via the public IP of the ec2 instance. But when I try to access it via the invocation URL of API Gateway I get a CORS error.
I want to add JWT authentication that's why I want to expose the API via API-Gateway.
Here is my configuration:
Envoy.yml
admin:
access_log_path: /tmp/admin_access.log
address:
socket_address: { address: 0.0.0.0, port_value: 9901 }
static_resources:
listeners:
- name: listener_sim
address:
socket_address: { address: 0.0.0.0, port_value: 8080 }
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"#type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
codec_type: auto
stat_prefix: ingress_http
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match: { prefix: "/" }
route:
cluster: rtdxc_service
timeout: 0s
max_stream_duration:
grpc_timeout_header_max: 0s
cors:
allow_origin_string_match:
- prefix: "*"
allow_methods: GET, PUT, DELETE, POST, OPTIONS
allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
max_age: "1728000"
expose_headers: grpc-status,grpc-message
http_filters:
- name: envoy.filters.http.grpc_web
typed_config:
"#type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
- name: envoy.filters.http.cors
typed_config:
"#type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
- name: envoy.filters.http.router
typed_config:
"#type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
- name: grpc_server
connect_timeout: 0.25s
type: logical_dns
http2_protocol_options: {}
lb_policy: round_robin
load_assignment:
cluster_name: rtdxc_0
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: grpc_server
port_value: 8081
Here is my docker-compose.yml
version: '3.8'
services:
grpc_server:
image: XXXXXX
user: ${UID}:${GID}
ports:
- 8081:8081
tty: true
proxy:
ports:
- 9091:9091
- 8080:8080
image: envoyproxy/envoy:v1.22.0
volumes:
- ./envoy/envoy.yml:/etc/envoy/envoy.yaml:ro
tty:
true
I have mapped API gateway with the following configuration:
ANY / mappes to the public domain of the ec2 instance on port 8080
If I add CORS configuration in the API Gateway , The OPTION request returns 204 with propper cors headers, but POST request does not return proper headers. If I disable CORS configuration in the API gateway, the OPTIONS request also fails due to CORS issue.

Express gateway return redirect 307 instead of forward requests

Scenario
I have two services service1 and service2. First is written in net5 and second in net6.
I also would like to have some gateway. I used express gateway.
I hosted it as 3 containers with docker compose.
There are 3 ports localhost:10443 for service1 localhost:10445 for service2 and localhost:10444 for gateway. But I want all traffic thru gateway.
Expected bahaviour
When I enter in my browser address localhost:10444/app/path1 I should receive response from service2. In browser I should see port 10444.
Problem
Unfortunately gateway redirects my reuqest instead of forwarding it.
It return http 307 and Location header like https://container2:10445/...
I have following express gateway config:
http:
port: 8080
https:
port: 9443
tls:
"default":
key: /var/lib/eg/certs/xyz.key
cert: /var/lib/eg/certs/xyz.crt
admin:
port: 9876
host: localhost
apiEndpoints:
service1:
paths:
- '/app/path1/*'
- '/external/*'
service2:
paths:
- '/'
- ''
- '/static/*'
- '/products/*'
serviceEndpoints:
service1end:
url: 'http://container1'
service2end:
url: 'http://container2'
policies:
- basic-auth
- cors
- expression
- key-auth
- log
- oauth2
- proxy
- rate-limit
pipelines:
pipeline1:
apiEndpoints:
- service1
policies:
- proxy:
- action:
serviceEndpoint: service1end
pipeline2:
apiEndpoints:
- service2
policies:
- proxy:
- action:
serviceEndpoint: service2end
docker compose
version: '3.4'
services:
gw:
image: express-gateway:latest
container_name: gw
depends_on:
- service1
- service2
mssql:...
redis:...
storage: ...
service1:
image: ${DOCKER_REGISTRY-}service1
container_name: service1
build:
context: .
dockerfile: somepath/Dockerfile
depends_on:
- mssql
- redis
- storage
service2:
image: ${DOCKER_REGISTRY-}service2
container_name: service2
build:
context: .
dockerfile: some path 2/Dockerfile
depends_on:
- mssql
docker compose override
version: '3.4'
services:
gw:
ports:
- 10081:8080
- 10444:9443
volumes:
- C:somepath:/var/lib/eg
mssql:
redis:
storage:
service1:
environment:
- ASPNETCORE_ENVIRONMENT=Development
- ASPNETCORE_URLS=https://+:443;http://+:80
- ConnectionStrings__Conn=XXXX
ports:
- "10083:80"
- "10446:443"
volumes:
- ${APPDATA}/ASP.NET/Https:/root/.aspnet/https:ro
- ${APPDATA}/Microsoft/UserSecrets:/root/.microsoft/usersecrets:ro
service2:
environment:
- ASPNETCORE_ENVIRONMENT=Development
- ASPNETCORE_URLS=https://+:443;http://+:80
- ConnectionStrings__PADb=XXXX -
ports:
- "10082:80"
- "10445:443"
volumes:
- ${APPDATA}/ASP.NET/Https:/root/.aspnet/https:ro
- ${APPDATA}/Microsoft/UserSecrets:/root/.microsoft/usersecrets:ro
volumes:
sqldbVolume:
external: false
redisVolume:
external: false

Need redirect my gateway to a enpoint (bad request)

well I need create a endpoint where can create a user, using express-gateway, in this have 2 ports running.
gateway http server listening on :::8181
admin http server listening on 127.0.0.1:9876
I can create a user sending my information to:
http://127.0.0.1:9876/users
I can't use this how my end point because have other configuration on my frontend, so in my frontend send my information for create user to:
http://localhost:8181/api/user/create
Now I need send my information to this http://localhost:8181/api/user/create and redirect internal in the gateway to this http://127.0.0.1:9876/users, I try something but just have bad gateway or not found. I call this end point users, so this is the script.
http:
port: 8181
admin:
port: 9876
host: localhost
apiEndpoints:
events:
host: localhost
paths: ["/api/events*", "/swagger*"]
methods: ["GET", "PATCH"]
users:
host: localhost
paths: "/api/user/create*"
url: "http://localhost:9876"
methods: ["POST", "OPTIONS"]
eventsCreate:
host: localhost
paths: "/api/events*"
methods: ["POST", "PUT", "OPTIONS"]
auth:
host: localhost
paths: "/api/auth*"
methods: ["POST", "GET", "OPTIONS"]
serviceEndpoints:
auth:
url: "http://localhost:59868"
events:
url: "http://localhost:5000"
users:
url: "http://localhost:9876"
policies:
- basic-auth
- cors
- expression
- key-auth
- log
- oauth2
- proxy
- rate-limit
- jwt
- request-transformer
pipelines:
authPipeline:
apiEndpoints:
- auth
policies:
- cors:
- log:
action:
message: "auth ${req.method}"
- proxy:
action:
serviceEndpoint: auth
changeOrigin: true
eventsPipeline:
apiEndpoints:
- events
policies:
- cors:
- log:
action:
message: "events ${req.method}"
- proxy:
action:
serviceEndpoint: events
changeOrigin: true
usersPipeline:
apiEndpoints:
- users
policies:
- cors:
- log:
action:
message: "users ${req.method}"
- proxy:
action:
serviceEndpoint: users
changeOrigin: true
userPipeline:
apiEndpoints:
- events
policies:
- cors:
- log:
action:
message: "events ${req.method}"
- proxy:
action:
serviceEndpoint: events
changeOrigin: true
eventsCreatePipeline:
apiEndpoints:
- eventsCreate
policies:
- cors:
- log:
action:
message: "events ${req.method}"
- jwt:
action:
secretOrPublicKey: "MORTADELAIsMyPassion321"
checkCredentialExistence: false
- proxy:
action:
serviceEndpoint: events
changeOrigin: true

You are trying to map the incoming URL http://localhost:8181/api/user/create to the Express Gateway administration URL http://localhost:9876/users, but your proxy policy only changes the hostname and port components of the URL, not the path.
This is described in the Path Management section of the Proxy documentation.
To change the path, you'll need to either adjust the existing users service endpoint or create a new one, and add some instructions to the proxy middleware configuration:
For example, add a new ServiceEndpoint called userCreate:
serviceEndpoints:
auth:
url: "http://localhost:59868"
userCreate:
url: "http://localhost:9876/users"
users:
url: "http://localhost:9876"
And then refer to the new service endpoint and set stripPath in the proxy configuration:
- proxy:
action:
serviceEndpoint: userCreate
changeOrigin: true
stripPath: true

how to rename endpoints with express gateway?

i am trying to build an api that consists of different services and i want to everything to start with /api/ path. like the following below.
i want https://thirdparthy/comments to be routed as /api/comments on express gateway. what is the correct confirmation?
http:
port: 4000
admin:
port: 9876
hostname: localhost
apiEndpoints:
users:
host: localhost
paths: '/api/users'
comments:
host: localhost
paths: '/api/comments'
serviceEndpoints:
users:
url: 'https://jsonplaceholder.typicode.com/users'
comments:
url: 'https://jsonplaceholder.typicode.com/comments'
policies:
- basic-auth
- cors
- expression
- key-auth
- log
- oauth2
- proxy
- rate-limit
pipelines:
users:
apiEndpoints:
- users
policies:
- proxy:
- action:
serviceEndpoint: users
prependPath: false
ignorePath: false
comments:
apiEndpoints:
- comments
policies:
- proxy:
- action:
serviceEndpoint: comments
prependPath: false
ignorePath: false

you can either use the rewrite policy to change the target url or simply configure the proxy policy accordingly:
- proxy:
- action:
serviceEndpoint: comments
prependPath: true
ignorePath: false
This should do the job.
Cheers,
V.

cookies header not present in swagger?

0 with express-session but i am not able to send the cookie i.e session.sid in header.its showing in curl but its not showing in server. So can anyone help me how to set it?
swagger: '2.0'
info:
description: This is the list of API pr
version: 1.0.0
tags:
- name: developers
description: Operations available to regular developers
host: localhost:3000
schemes:
- http
securityDefinitions:
api_key:
type: apiKey
name: cookie
in: header
/api/details/{id}:
get:
summary: List all
description: ""
produces:
- application/json
parameters:
- name: id
in: path
required: true
type: integer
security:
- api_key: []
responses:
200:
description: " "