Route based on claims

[Ghostbird]

Is it possible to select a route based on the Claims of the HttpContext.User?
My use case is that request by one user should take use a different route than requests by another user.

E.g. a request for /foo by user A should proxy to https://example.com/foo and transform the request to use a client certificate. However a request for /foo by user B should proxy to https://contoso.com/foo and use OIDC client-credentials to get a token for that call.

It seems a problem will be that Authorization is predicated on routing in YARP which seems to create a catch-22. My middleware must run before routing, but it needs the authenticated identity, which is only known after routing.

[Tratcher]

Nothing built in, though there are manual ways you could do it. See:
https://github.com/dotnet/yarp/blob/5e0bbb4375b1385ff6a7cafe47fb6217854656d2/samples/ReverseProxy.Direct.Sample/README.md
Or

yarp/src/ReverseProxy/Model/HttpContextFeaturesExtensions.cs

Line 49 in 5e0bbb4

public static void ReassignProxyRequest(this HttpContext context, ClusterState cluster)

Part of the problem is that the type of auth to be performed can be specified per route in aspnetcore, so auth happens after routing.

Do you have auth setup so that it happens before requests and is route independent?

[Ghostbird]

Authentication and Authorization before routing is set. I've still not found a way to customise route selection based on claims, nor how to do a per-request selection of the client certificate used.

[Ghostbird]

Actually, maybe I misunderstood your answer. Can the ReassignProxyRequest be used to reassign the target cluster only for that specific request? Then I would just need a way to dynamically generate clusters based on a configuration, one per configured client-certificate.

[Tratcher]

Yes, ReassignProxyRequest is per request. Though it sounds like you want something even more flexible like direct forwarding:
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/yarp/direct-forwarding?view=aspnetcore-9.0

[Ghostbird]

Thank you! I would like to avoid using the direct-forwarding, since I do use several YARP features that I fear I would have to implement manually. Maybe that's unavoidable.

[Ghostbird]

I ran into something similar again this week. We're a multi-tenant platform one use-case for our YARP gateway is that we want to connect a tenant to an external multi-tenant API that uses client-certificate authentication. In this case we want to configure one endpoint on the proxy, configure a tenant-certificate mapping and have the outgoing TLS connection use the specific tenant's client certificate for proxied requests coming from that tenant.