RouteClaimsRequirement not enforced even when token is authenticated and contains required claim

[Naihan]

When using RouteClaimsRequirement in Ocelot with Azure AD and a validated JWT token, Ocelot logs "No authorization needed for upstream path" and does not enforce the claim check, even though:

• The route has valid AuthenticationOptions and RouteClaimsRequirement
• The token is successfully authenticated.
• The token includes the required claim.

Expected behavior, Ocelot should:

• Match the route
• Authenticate the token using the registered scheme
• Evaluate the RouteClaimsRequirement
• Return 403 Forbidden if claim is missing or invalid
• Instead, Ocelot skips claim checking entirely.

c# code

builder.Configuration.AddJsonFile("ocelot.json");

builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration, configSectionName: "AzureAd");

builder.Services.AddOcelotAzureAdAuthatication(builder.Configuration, configSectionName: "AzureAd"); //custom service that authanticate using azure ad

builder.Services.AddOcelot();

builder.Services.AddAuthorization();

var app = builder.Build();

app.UseMiddleware<AzureAdAuthaticationMiddlware>(); //custom middlware that authanticate using azure ad
app.UseAuthentication();
app.UseAuthorization();

await app.UseOcelot();

app.Run();

ocelot.json

{
  "Routes": [
    {
      "DownstreamPathTemplate": "/data",
      "DownstreamScheme": "https",
      "DownstreamHostAndPorts": [
        {
          "Host": "api.example.com",
          "Port": 443
        }
      ],
      "UpstreamPathTemplate": "/data",
      "UpstreamHost": "grafana.example.com",
      "UpstreamHttpMethod": [ "GET", "POST", "PUT", "DELETE" ],
      "AuthenticationOptions": {
        "AuthenticationProviderKey": "Bearer"
      },
      "RouteClaimsRequirement": {
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [ "non-exiting-role" ]
      }
    }
  ],
  "GlobalConfiguration": {
    "BaseUrl": "https://localhost:5000"
  }

the jwt contains a claim :

"claim": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" = "Admin"

logs show:

Client has been authenticated for path '/data'
No authorization needed for upstream path: /data

full log:

info: Microsoft.Hosting.Lifetime[14]
      Now listening on: https://[::]:5000
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Production
info: Microsoft.Hosting.Lifetime[0]
      Content root path: C:\Users\NimrodDavidKenDror\source\repos\Nanox.Cloud.ApiGateway\src\Nanox.Cloud.ApiGateway
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 GET https://grafana.example.com:5000/data - - -
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      Microsoft.IdentityModel Version: 7.6.2.0. Date 05/01/2025 21:08:10. PII logging is OFF. See https://aka.ms/IdentityModel/PII for details.
      IDX10242: Security token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' has a valid signature.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10239: Lifetime of the token is valid.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10234: Audience Validated.Audience: '4994c85b-df6f-4923-9c63-b41c02f21cd9'
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
      IDX10245: Creating claims identity from the validated token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
info: Ocelot.RateLimiting.Middleware.RateLimitingMiddleware[0]
      RequestId: 0HNC8UH3CEF3K:00000001, PreviousRequestId: -
      EnableEndpointEndpointRateLimiting is not enabled for downstream path: /data
info: Ocelot.Authentication.Middleware.AuthenticationMiddleware[0]
      RequestId: 0HNC8UH3CEF3K:00000001, PreviousRequestId: -
      The path '/data' is an authenticated route! AuthenticationMiddleware checking if client is authenticated...
info: Ocelot.Authentication.Middleware.AuthenticationMiddleware[0]
      RequestId: 0HNC8UH3CEF3K:00000001, PreviousRequestId: -
      Client has been authenticated for path '/data' by 'AuthenticationTypes.Federation' scheme.
info: Ocelot.Authorization.Middleware.AuthorizationMiddleware[0]
      RequestId: 0HNC8UH3CEF3K:00000001, PreviousRequestId: -
      route is authenticated scopes must be checked
info: Ocelot.Authorization.Middleware.AuthorizationMiddleware[0]
      RequestId: 0HNC8UH3CEF3K:00000001, PreviousRequestId: -
      user scopes is authorized calling next authorization checks
info: Ocelot.Authorization.Middleware.AuthorizationMiddleware[0]
      RequestId: 0HNC8UH3CEF3K:00000001, PreviousRequestId: -
      No authorization needed for upstream path: /data
info: Ocelot.Requester.Middleware.HttpRequesterMiddleware[0]
      RequestId: 0HNC8UH3CEF3K:00000001, PreviousRequestId: -
      200 OK status code of request URI: https://api.example.com/data
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 GET https://grafana.example.com:5000/data - 200 - application/json;+charset=utf-8 1713.5335ms
info: Microsoft.AspNetCore.Hosting.Diagnostics[16]
      Request reached the end of the middleware pipeline without being handled by application code. Request path: GET https://grafana.example.com:5000/data, Response status code: 200

[raman-m]

Hello, @Naihan !
What is your name and LinkedIn?

Is this a question or a bug?
In Authentication doc we don't mention that Ocelot supports Azure AD officially.

---

app.UseMiddleware<AzureAdAuthaticationMiddlware>(); //custom middlware that authanticate using azure ad
app.UseAuthentication();
app.UseAuthorization();

OK And what's inside of the AzureAdAuthaticationMiddlware class? Can you show the code?

---

      "AuthenticationOptions": {
        "AuthenticationProviderKey": "Bearer"
      },

And where is located JWT setup? Where and how do you add JWT handler aka AddJwtBearer method?
So, how do you add Bearer auth scheme via services in DI?

[raman-m]

the jwt contains a claim :

"claim": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" = "Admin"

      "RouteClaimsRequirement": {
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [ "non-exiting-role" ]
      }

I have come across discussions or repo issues suggesting that claim names in the form of links are not supported in Ocelot. This could potentially pose an issue. I will look into related at a later time.

TODO → Search for RouteClaimsRequirement

[raman-m]

@Naihan Look into this → #913 (comment)

private readonly string _msScope = "http://schemas.microsoft.com/identity/claims/scope";

Does this align with your user scenario when the scope name is presented as a link?
And, will PR #1478 address your issue?

[raman-m]

• Ocelot doesn't handle correctly RouteClaimsRequirement with a key as an Url #679

I was referring to this exact issue. Is it similar to yours?
It is promising that #679 includes many prepared classes to address the problem, unfortunately, no one has submitted a pull request yet.

[Naihan]

hay @raman-m
My Name is Nimrod and my LinkedIn is
https://il.linkedin.com/in/dnimrod

It might be a bug...
I know that you do not support Azure active directory. What I initially did is create a middleware that gets called before ocelot and redirects a user to Azure ID for authentication for implicit flow and redirects back.
when the user gets redirect back he holds a standard jwt token that should work. Sifting through your code I see that you use IOptions to serialize the RouteClaimsRequirement and its dropping format like the role claim that i have.

the

builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration, configSectionName: "AzureAd"); 

adds a Bearer scheme

[raman-m]

What I initially did is create a middleware that gets called before ocelot and redirects a user to Azure ID for authentication for implicit flow and redirects back.

Sounds like a lifehack! 😄 We don’t recommend adding middleware before or after calling UseOcelot().
Instead, I suggest developing a custom authentication middleware and injecting it directly into the Ocelot pipeline using the Middleware Injection feature.

[Naihan]

What I initially did is create a middleware that gets called before ocelot and redirects a user to Azure ID for authentication for implicit flow and redirects back.

Sounds like a lifehack! 😄 We don’t recommend adding middleware before or after calling UseOcelot(). Instead, I suggest developing a custom authentication middleware and injecting it directly into the Ocelot pipeline using the Middleware Injection feature.

Great! i will try it

[Naihan]

I know that you do not support Azure active directory.

That’s funny! Not me personally, but the Ocelot product doesn’t support it. 😄 Still, I agree—it’s a bad situation nowadays, not supporting the most popular cloud identity provider in the .NET dev world, Azure AD. As a team, we need to plan a separate milestone for upgrading Ocelot to support Azure AD (aka Entra ID).

i dont mind sharing the code ive weitten for ad support

[Naihan]

It might be a bug...

We have to provide evidence for this and write the "Steps to Reproduce".

Are you able to write acceptance tests to catch the bug? (AuthenticationTests vs AuthorizationTests) I don’t have time to do it myself, as I’m currently busy with post-v24 release activities.

yes, i will post it soon

[raman-m]

When?