Security
The OidcProxy is an identity-aware reverse proxy. It is a framework that's designed to be used with SPA-based web applications. It authenticates users and it manages their sessions. It is designed to enhance security by keeping the access_token
and the refresh_token
hidden from the browser while still allowing the proxy itself to handle and use these tokens. It includes them in downstream requests. This approach helps mitigate potential security risks associated with token exposure.
access_tokens
in the requests to backend services.client_secret
to obtain tokens which means it is impossible for unknown computers to obtain tokens in any way.access_token
, id_token
, and refresh_token
are not visible to the browser. This enhances security by preventing these sensitive tokens from being exposed to potential attackers via the browser.Authorization=Bearer [ACCESS_TOKEN]
header to each downstream request.To get started, configure your identity provider. Create a Client that uses the Authorization Code
grant with PKCE. It must provide refresh tokens too. This client will have a client_id
and a client_secret
. Use those to scaffold a boilerplate project:
# Download and install the template pack first
dotnet new install OidcProxy.Net.Templates
# Scaffold the proxy
dotnet new OidcProxy.Net --backend "https://api.myapp.com"
--idp "https://idp.myapp.com"
--clientId xyz
--clientSecret abc
# Run it
dotnet run
Check out our demos too:
dotnet new web
dotnet add package OidcProxy.Net.OpenIdConnect
Program.cs
:
using OidcProxy.Net.ModuleInitializers;
using OidcProxy.Net.OpenIdConnect;
var builder = WebApplication.CreateBuilder(args);
var config = builder.Configuration
.GetSection("OidcProxy")
.Get<OidcProxyConfig>();
builder.Services.AddOidcProxy(config);
// Or, in case of an identity provider that uses Json Web Encryption:
// var key = new SymmetricSecurityKey(
// Convert.FromBase64String("DRjd/GnduI3Efzen9V9BvbNUfc/VKgXltV7Kbk9sMkY=")
// );
//
// builder.Services.AddOidcProxy(config, o => o.UseEncryptionKey(new SymmetricKey(key)));
var app = builder.Build();
app.UseOidcProxy();
app.Run();
appsettings.json
:
{
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.AspNetCore": "Warning"
}
},
"AllowedHosts": "*",
"OidcProxy": {
"LandingPage": "/hello",
"Oidc": {
"ClientId": "clientid",
"ClientSecret": "secret",
"Authority": "https://login.yoursite.com/"
},
"ReverseProxy": {
"Routes": {
"api": {
"ClusterId": "api",
"Match": {
"Path": "/api/{*any}"
}
}
},
"Clusters": {
"api": {
"Destinations": {
"api/node1": {
"Address": "http://localhost:8080/"
}
}
}
}
}
}
}
OidcProxy.Net was developed to be used in cloud environments. This is why it has mainly been designed to work well in containerised environments.
OidcProxy.Net was designed to work well in container platforms. It's been designed to work well when scaled both horizontally as vertically. To scale the proxy vertically, use Redis as a back-bone.
OidcClient.Net has the following features:
Authorization
attribute, Policies, and many other ASP.NET Identity featureThe OidcProxy does not just forward traffic to down-stream services, it adds the Authentication
header to the forwarded requests too. This is illustrated in the following diagram:
The user also uses the proxy to initiate the authentication procedure. That's done by navigating to a special endpoint: the /.auth/login
endpoint.
This process is visualised in the following diagram:
The development of our product was driven by our clients’ need for a straightforward authentication gateway. Existing market options introduced complexities in terms of pricing and licensing, or proved to be overly intricate for beginners to comprehend and utilize effectively.
Consequently, organizations are forced to make a trade-off between maintainability and security. In today’s automated society, this compromise is unacceptable.
Hence, our mission is to offer an affordable, developer-friendly, secure, identity-aware BFF Framework that can be implemented by anyone.
We need your feedback. Like any other software product, it is impossible to be successful without user-feedback. Please take a moment of your time to fill out this form: https://forms.gle/a6uuwFSLSAod52MH9