We’ve implemented a stand-alone Auth Microservice which uses CredentialsAuthProvider, MicrosoftGraphAuthProvider and JwtAuthProvider to secure an existing monolithic ASP.NET app. The auth service (NET Core, S/S 5.9) is hosted at auth.example.com and the main app is hosted at example.com.
The application is multi-tenant, and one tenant uses credentials, the other uses MS sign-on. For credentials users, this is working well. We use the example https://docs.servicestack.net/jwt-authprovider#retrieve-token-from-central-auth-server-using-credentials-auth where we authenticate with given credentials and obtain the BearerToken in the response. Through the ServiceClient we can make calls to other experimental APIs.
OAuth flow is not working for us though. On our sign-on page (back in example.com) we simply redirect to the MS endpoint auth.example.com/auth/microsoftgraph which in turn directs through the MS OAuth flow. Under successful sign-on a redirect takes us back to example.com which is defined in appsettings “oauth.RedirectUrl”. This is all working fine, but back in example.com we’re not authenticated. We won’t have the session as this was stored under auth.example.com so a call to ConvertSessionToToken results in Unauthorized exception.
Do you have an example of a microservice which uses JWT with OAuth and a standalone client app so I can better understand the flow?
btw all flows work fine when running both apps on localhost
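To illustrate the hand-off the post is missing (the session cookie set by auth.example.com is never sent to example.com, so the app has to receive and verify a token of its own), here is an added, self-contained model of the two sides; it is not ServiceStack code and not from the original post. The shared HS256 secret, the `token` query parameter name and the callback path are assumptions for the example; the point it shows is that the app must verify signature, issuer, audience and expiry itself before trusting anything from the redirect.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key (assumption): stands in for the auth server's JWT signing key.
SECRET = b"constructed-demo-secret"
AUTH_HOST = "https://auth.example.com"   # issues tokens after the OAuth callback
APP_HOST = "https://example.com"         # the app that must verify them

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(user: str, now: int, ttl: int = 3600) -> str:
    """Auth server side: once the OAuth flow succeeds, issue a short-lived HS256 JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": AUTH_HOST, "aud": APP_HOST, "sub": user, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def redirect_after_oauth(user: str, now: int) -> str:
    """Auth server side: carry the token in the redirect, because no cookie crosses the two hosts."""
    return f"{APP_HOST}/auth/callback?{urlencode({'token': mint_jwt(user, now)})}"

def verify_jwt(token: str, now: int):
    """App side: check signature first, then alg/iss/aud/exp; return claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, c, s = parts
    expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    if claims.get("iss") != AUTH_HOST or claims.get("aud") != APP_HOST or claims.get("exp", 0) <= now:
        return None
    return claims

def handle_callback(url: str, now: int):
    """App side: pull the token out of the redirect URL and authenticate it; None means reject."""
    token = parse_qs(urlparse(url).query).get("token", [None])[0]
    return verify_jwt(token, now) if token else None
```

On the real stack the same checks are what the app's JWT provider performs with the auth server's key; the model just makes visible which side mints and which side verifies.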