Configure endpoint authorization with OAuth
Dapr OAuth 2.0 middleware allows you to enable authorization on Dapr endpoints for your web APIs using the Authorization Code Grant flow. You can also inject authorization tokens into your endpoint APIs, which can then be used for authorization towards external APIs called by your APIs, using the Client Credentials Grant flow. When the middleware is enabled, any method invocation through Dapr needs to be authorized before being passed to the user code.
The main difference between the two flows is that the Authorization Code Grant flow needs user interaction and authorizes a user, whereas the Client Credentials Grant flow doesn't need user interaction and authorizes a service/application.
Different authorization servers provide different application registration experiences. Here are some samples:
Authorization/Token URLs of some of the popular authorization servers:
An OAuth middleware (Authorization Code) is defined by a component:
Define a custom pipeline for an Authorization Code Grant
To use the OAuth middleware (Authorization Code), you should create a custom pipeline using Dapr configuration, as shown in the following sample:
Define a custom pipeline for a Client Credentials Grant
To use the OAuth middleware (Client Credentials), you should create a custom pipeline using Dapr configuration, as shown in the following sample:
To apply the above configuration (regardless of grant type) to your Dapr sidecar, add a annotation to your pod spec:
Once everything is in place, whenever a client tries to invoke an API method through the Dapr sidecar (such as calling the v1.0/invoke/ endpoint), it will be redirected to the authorization server's consent page if an access token is not found. Otherwise, the access token is written to the authHeaderName header and made available to the app code.
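The three pieces described above for the Authorization Code Grant (component, custom pipeline, pod annotation), put together as an added example that is not taken from the original page. The resource names `oauth2`, `pipeline`, `myapp` and `oauth2-client`, and all URLs, are placeholders; the client secret is read from a secret store rather than inlined.

```yaml
# Added example; every name and URL below is a placeholder.
# 1. The middleware component (Authorization Code Grant).
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: oauth2
spec:
  type: middleware.http.oauth2
  version: v1
  metadata:
  - name: clientId
    value: "<client-id>"
  - name: clientSecret
    secretKeyRef:              # resolved from a secret store, not stored in the manifest
      name: oauth2-client      # hypothetical secret name
      key: clientSecret
  - name: scopes
    value: "<scope>"
  - name: authURL
    value: "https://idp.example.com/authorize"
  - name: tokenURL
    value: "https://idp.example.com/token"
  - name: redirectURL
    value: "https://app.example.com/callback"
  - name: authHeaderName       # header the access token is written to for the app
    value: "authorization"
  - name: forceHTTPS
    value: "true"
---
# 2. The custom pipeline that puts the middleware in front of method invocation.
apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
  name: pipeline
spec:
  httpPipeline:
    handlers:
    - name: oauth2             # must match the Component name above
      type: middleware.http.oauth2
---
# 3. Pod template fragment (not a complete manifest) that applies the configuration.
metadata:
  annotations:
    dapr.io/enabled: "true"
    dapr.io/app-id: "myapp"
    dapr.io/config: "pipeline" # must match the Configuration name above
```

If the handler name in the Configuration does not match the Component name, the pipeline does not reference the middleware you defined, so check both names before relying on the sidecar to enforce authorization.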