Obtain JWT from Auth Microservice using OAuth

We’ve implemented a stand-alone Auth Microservice which uses CredentialsAuthProvider, MicrosoftGraphAuthProvider and JwtAuthProvider to secure an existing monolithic ASP.NET app. The auth service (.NET Core, ServiceStack 5.9) is hosted at auth.example.com and the main app is hosted at example.com.

The application is multi-tenant, and one tenant uses credentials, the other uses MS sign-on. For credentials users, this is working well. We use the example https://docs.servicestack.net/jwt-authprovider#retrieve-token-from-central-auth-server-using-credentials-auth where we authenticate with the given credentials and obtain the BearerToken in the response. Through the ServiceClient we can make calls to other experimental APIs.

The OAuth flow is not working for us though. On our sign-on page (back in example.com) we simply redirect to the MS endpoint auth.example.com/auth/microsoftgraph which in turn directs through the MS OAuth flow. On successful sign-on a redirect takes us back to example.com, which is defined in appsettings “oauth.RedirectUrl”. This is all working fine, but back in example.com we’re not authenticated. We won’t have the session as this was stored under auth.example.com, so a call to ConvertSessionToToken results in an Unauthorized exception.

Do you have an example of a microservice which uses JWT with OAuth and a standalone client app so I can better understand the flow?

Thank you.

BTW, all flows work fine when running both apps on localhost.

You can only call the Convert Session to Token API on the server that has the authenticated session. I’m assuming from that description that the client would call that on auth.example.com, where they have the server session, then use the returned JWT on other services configured with the same keys.

Note: to have the ConvertSessionToToken API return the JWT in a Response DTO (i.e. instead of just the ss-tok Cookie) the JwtAuthProvider needs to be configured to include:

new JwtAuthProvider(...) {
    IncludeJwtInConvertSessionToTokenResponse = true
}
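The flow the reply describes, written out as an added example (not code from this thread or from ServiceStack itself): the auth host mints the JWT, the main app only validates it with the same key, and the client converts its auth.example.com session into a token before talking to example.com. The hostnames, the AppHost class names, the `Keys` holder and the placeholder key value are assumptions; the `AuthKeyBase64` value must be identical on both hosts.

```csharp
using System;
using ServiceStack;
using ServiceStack.Auth;

// Placeholder: generate once with JwtAuthProvider.GenerateAuthKey() and deploy the
// same value to BOTH hosts (assumed here to live in a shared settings store).
public static class Keys
{
    public const string SharedAuthKeyBase64 = "REPLACE-WITH-BASE64-KEY";
}

// auth.example.com: the only host that holds the server session, and the only one issuing JWTs.
public class AuthServerHost : AppHostBase
{
    public AuthServerHost() : base("auth.example.com", typeof(AuthServerHost).Assembly) { }

    public override void Configure(Funq.Container container)
    {
        Plugins.Add(new AuthFeature(() => new AuthUserSession(), new IAuthProvider[] {
            new CredentialsAuthProvider(AppSettings),
            new MicrosoftGraphAuthProvider(AppSettings), // oauth.RedirectUrl etc. come from appsettings
            new JwtAuthProvider(AppSettings) {
                AuthKeyBase64 = Keys.SharedAuthKeyBase64,
                // Return the JWT in ConvertSessionToTokenResponse.AccessToken, not only in the ss-tok Cookie
                IncludeJwtInConvertSessionToTokenResponse = true,
            },
        }));
    }
}

// example.com: never authenticates users itself, it only verifies tokens signed with the shared key.
public class MainAppHost : AppHostBase
{
    public MainAppHost() : base("example.com", typeof(MainAppHost).Assembly) { }

    public override void Configure(Funq.Container container)
    {
        Plugins.Add(new AuthFeature(() => new AuthUserSession(), new IAuthProvider[] {
            new JwtAuthProviderReader(AppSettings) { AuthKeyBase64 = Keys.SharedAuthKeyBase64 },
        }));
    }
}

public static class JwtHandoff
{
    // authClient must already carry the session cookies created by signing in on auth.example.com.
    // Sending ConvertSessionToToken to any other host fails with 401: the session only exists there.
    public static string ExchangeSessionForJwt(JsonServiceClient authClient)
    {
        var response = authClient.Post(new ConvertSessionToToken());
        // AccessToken is populated only with IncludeJwtInConvertSessionToTokenResponse = true;
        // otherwise the token is only in the ss-tok Cookie the client just received.
        return response.AccessToken ?? authClient.GetTokenCookie();
    }

    public static JsonServiceClient MainAppClient(string jwt) =>
        new JsonServiceClient("https://example.com") { BearerToken = jwt };

    // Credentials tenant end to end: sign in on the auth host, swap the session for a JWT,
    // then call example.com with the Bearer token.
    public static JsonServiceClient SignInAndGetAppClient(string userName, string password)
    {
        var authClient = new JsonServiceClient("https://auth.example.com");
        authClient.Post(new Authenticate {
            provider = "credentials",
            UserName = userName,
            Password = password,
        });
        var jwt = ExchangeSessionForJwt(authClient);
        return MainAppClient(jwt); // [Authenticate] services on example.com now accept this client
    }
}
```

For the Microsoft sign-on tenant the same two steps apply, but after the OAuth redirect the only party holding the auth.example.com session is the browser, so the ConvertSessionToToken call has to be made with that browser's cookies against auth.example.com (or from a page served by auth.example.com) before the token is handed to example.com; example.com's own server has no session to convert, which is the Unauthorized response seen in the question.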