I have a solution in ASP.NET Core 6 MVC with 3 projects:
- Web Application Portal (UI)
- Ocelot Gateway
- API
As you can see, I have multiple projects, and they are linked with each other.
The project works in a way that the Portal sends a request to the Gateway (Ocelot) and then the Gateway routes that request to the API. So, what happens in between is that when the Gateway routes the request to the API, it does not send the Authorization Header; somehow the Ocelot gateway is stripping off the Authorization Header. So, when the request reaches the API, it does not have the Authorization Header present in the request and hence it gives a 401.
Can anyone tell me what could be the reason for Ocelot to strip off the “Authorization Header”?
My Ocelot configuration is very simple, here it is:
var builder = WebApplication.CreateBuilder(args);
builder.Configuration.AddJsonFile("Settings.json", false, true);
builder.Services.AddOcelot(builder.Configuration);
builder.Services.ConfigureCors();
var app = builder.Build();
app.UseCors("CorsPolicy");
app.MapControllers();
await app.UseOcelot();
app.Run();
And here is the ConfigureCors extension method:
public static void ConfigureCors(this IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddPolicy("CorsPolicy", builder =>
            builder.AllowAnyOrigin()
                   .AllowAnyMethod()
                   .AllowAnyHeader());
    });
}
Here is my Ocelot.json (or in my case Settings.json) file with the routes:
{
  "Routes": [
    {
      "DownstreamPathTemplate": "/api/Admin/SurveyResult",
      "DownstreamScheme": "http",
      "DownstreamHostandPorts": [
        {
          "Host": "localhost",
          "Port": "5276"
        }
      ],
      "UpstreamPathTemplate": "/api/Admin/SurveyResult",
      "UpstreamHttpMethod": [ "POST" ]
    }
  ]
}
I tried adding middleware in the Ocelot Gateway, which made me understand that the Ocelot Gateway is receiving the header but not forwarding it. Even if I manually add the Authorization Header via the middleware, it still strips off the Authorization Header.
Hi @Hamzah Saleem, what if you set "DangerousAcceptAnyHeaderValue":true in your Ocelot.json? Also, what is the type of your authorization? If you use a specific authorization header, you could refer to this answer.