The ASP.NET Core Razor page UI project initializes the authentication using the AddMicrosoftIdentityWebAppAuthentication method and the EnableTokenAcquisitionToCallDownstreamApi method. Var accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new ") Var client = _clientFactory.CreateClient() Public LegacyViaProxyService(IHttpClientFactory clientFactory, Private readonly IConfiguration _configuration Private readonly ITokenAcquisition _tokenAcquisition Private readonly IHttpClientFactory _clientFactory To implement the reverse proxy and secure it using the Azure AD IdentityProvider, we use two Nuget packages, Yarp.ReverseProxy and. To test the reverse proxy, a simple ASP.NET Core Razor page application is used to authenticate against Azure AD, to get an access token using the ITokenAcquisition interface and use the access token to access the reverse proxy API. The Yarp ASP.NET Core application uses the Nuget package to secure the reverse proxy and if a HTTP request has a valid access token, the HTTP request is forwarded to the legacy API. Updated to Yarp.ReverseProxy nuget packages and 1.8.2 Updated Yarp.ReverseProxy nuget packages, Nuget packages Securing the API directly would always be the best solution if this is possible.
#Auth proxy vs reverse proxy update
Sometimes it is not possible to update an existing or old API within a reasonable price and the financially best way to use it in a public domain or using modern security is to use a reverse proxy and isolate the API through the proxy. The security is implemented using Azure AD and. This can be found by clicking on your Distribution ID, under the General tab, Domain Name (for example, ).This article shows how a legacy API could be protected using an ASP.NET Core Yarp reverse proxy and Azure AD OAuth. Note that the Status will reflect In progress until the distribution is Deployed.Īdd a new CNAME record to your DNS for your custom domain pointing to the CloudFront Domain Name for your Distribution. You'll see your newly-created distribution in your CloudFront Distributions list. Scroll to the bottom of the page and click Create Distribution. Do the same for Authorization, Origin, Referer, Accept-Language, and Accept headers. Select GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETEĮnter User-Agent and click Add Custom > to add the custom header.
Here are the values you'll need to change Set to the CNAME API Key value that you were given immediately after you verified ownership of your domain name with Auth0Ĭonfigure the Default Cache Behavior Settings. Provide information on the Origin Custom Headers (the Header Name and Value fields appear only after you've provided an Origin Domain Name) Set to the SSL Certificate for your custom domain stored in AWS Certificate Manager (ACM) in the US East(N. Set to your custom domain name (the same one your configured in the Auth0 Dashboard) This value lets you distinguish between multiple origins in the same distribution and therefore must be unique. Set this to the Origin Domain Name value obtained from the Auth0 Dashboard during the Custom Domains setup processĪ description for the origin. Here are the values you'll need to change. Click Get Started under the Web section.Ĭonfigure your distribution settings. You can choose the delivery method for your content. Log in to AWS, and navigate to CloudFront. You can configure AWS CloudFront for use as the reverse proxy with custom domain names for your Auth0 tenant. To learn more, read:Ĭentralized Universal Login vs. Your Auth0 subscription plan and the login method you choose can affect feature availability.