Secure orders api and add bearer token in calls from MVC application to orders api.

docker-compose.yml

@@ -8,10 +8,10 @@ services:
       dockerfile: Dockerfile
     environment:
       - CatalogUrl=http://catalog.api
-      - OrderingUrl=http://ordering.api
+      - OrderingUrl=http://ordering.api:5102
       #- IdentityUrl=http://104.40.62.65:5105           #Remote: VM Needs to have public access at 5105. 
       - IdentityUrl=http://identity.service:5105        #Local: You need a entry in windows host file to run identity in local docker. 
-      - BasketUrl=http://basket.api
+      - BasketUrl=http://basket.api:5103
     ports:
       - "5100:5100"
     depends_on:
@@ -28,7 +28,7 @@ services:
       - OrderingUrl=http://ordering.api
       #- IdentityUrl=http://104.40.62.65:5105           #Remote: VM Needs to have public access at 5105. 
       - IdentityUrl=http://identity.service:5105        #Local: You need a entry in windows host file to run identity in local docker. 
-      - BasketUrl=http://basket.api
+      - BasketUrl=http://basket.api:5103
     ports:
       - "5104:80"
     depends_on:
@@ -95,8 +95,10 @@ services:
     image: eshop/ordering.api
     environment:
       - ConnectionString=Server=ordering.data;Database=Microsoft.eShopOnContainers.Services.OrderingDb;User Id=sa;Password=Pass@word
+      - identityUrl=http://identity.service:5105    #local
+      #- identityUrl=http://104.40.62.65:5105       #remote
     ports:
-      - "5102:80"
+      - "5102:5102"
     depends_on:
       - ordering.data
 

eShopOnContainers.sln

@@ -800,54 +800,54 @@ Global
 		{95F1F07C-4D92-4742-BD07-E5B805AAB651}.Release|x64.Build.0 = Release|Any CPU
 		{95F1F07C-4D92-4742-BD07-E5B805AAB651}.Release|x86.ActiveCfg = Release|Any CPU
 		{95F1F07C-4D92-4742-BD07-E5B805AAB651}.Release|x86.Build.0 = Release|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Ad-Hoc|Any CPU.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Ad-Hoc|Any CPU.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Ad-Hoc|ARM.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Ad-Hoc|ARM.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Ad-Hoc|iPhone.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Ad-Hoc|iPhone.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Ad-Hoc|iPhoneSimulator.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Ad-Hoc|iPhoneSimulator.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Ad-Hoc|x64.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Ad-Hoc|x64.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Ad-Hoc|x86.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Ad-Hoc|x86.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.AppStore|Any CPU.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.AppStore|Any CPU.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.AppStore|ARM.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.AppStore|ARM.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.AppStore|iPhone.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.AppStore|iPhone.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.AppStore|iPhoneSimulator.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.AppStore|iPhoneSimulator.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.AppStore|x64.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.AppStore|x64.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.AppStore|x86.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.AppStore|x86.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Debug|ARM.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Debug|ARM.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Debug|iPhone.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Debug|iPhone.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Debug|iPhoneSimulator.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Debug|iPhoneSimulator.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Debug|x64.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Debug|x64.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Debug|x86.ActiveCfg = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Debug|x86.Build.0 = Debug|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Release|Any CPU.Build.0 = Release|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Release|ARM.ActiveCfg = Release|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Release|ARM.Build.0 = Release|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Release|iPhone.ActiveCfg = Release|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Release|iPhone.Build.0 = Release|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Release|iPhoneSimulator.ActiveCfg = Release|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Release|iPhoneSimulator.Build.0 = Release|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Release|x64.ActiveCfg = Release|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Release|x64.Build.0 = Release|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Release|x86.ActiveCfg = Release|Any CPU
-		{621E7211-58D0-45FD-9600-1CB490BD930E}.Release|x86.Build.0 = Release|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Ad-Hoc|Any CPU.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Ad-Hoc|Any CPU.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Ad-Hoc|ARM.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Ad-Hoc|ARM.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Ad-Hoc|iPhone.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Ad-Hoc|iPhone.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Ad-Hoc|iPhoneSimulator.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Ad-Hoc|iPhoneSimulator.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Ad-Hoc|x64.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Ad-Hoc|x64.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Ad-Hoc|x86.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Ad-Hoc|x86.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.AppStore|Any CPU.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.AppStore|Any CPU.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.AppStore|ARM.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.AppStore|ARM.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.AppStore|iPhone.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.AppStore|iPhone.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.AppStore|iPhoneSimulator.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.AppStore|iPhoneSimulator.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.AppStore|x64.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.AppStore|x64.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.AppStore|x86.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.AppStore|x86.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Debug|ARM.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Debug|ARM.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Debug|iPhone.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Debug|iPhone.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Debug|iPhoneSimulator.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Debug|iPhoneSimulator.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Debug|x64.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Debug|x86.Build.0 = Debug|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Release|Any CPU.Build.0 = Release|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Release|ARM.ActiveCfg = Release|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Release|ARM.Build.0 = Release|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Release|iPhone.ActiveCfg = Release|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Release|iPhone.Build.0 = Release|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Release|iPhoneSimulator.ActiveCfg = Release|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Release|iPhoneSimulator.Build.0 = Release|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Release|x64.ActiveCfg = Release|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Release|x64.Build.0 = Release|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Release|x86.ActiveCfg = Release|Any CPU
+		{A579E108-5445-403D-A407-339AC4D1611B}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

src/Mobile/eShopOnContainers/eShopOnContainers.TestRunner.Droid/eShopOnContainers.TestRunner.Droid.csproj

@@ -16,7 +16,7 @@
     <AndroidResgenFile>Resources\Resource.Designer.cs</AndroidResgenFile>
     <GenerateSerializationAssemblies>Off</GenerateSerializationAssemblies>
     <AndroidUseLatestPlatformSdk>True</AndroidUseLatestPlatformSdk>
-    <TargetFrameworkVersion>v7.0</TargetFrameworkVersion>
+    <TargetFrameworkVersion>v6.0</TargetFrameworkVersion>
     <AndroidManifest>Properties\AndroidManifest.xml</AndroidManifest>
     <NuGetPackageImportStamp>
     </NuGetPackageImportStamp>

src/Services/Basket/Basket.API/Dockerfile

@@ -2,5 +2,5 @@ FROM microsoft/aspnetcore:1.0.1
 ENTRYPOINT ["dotnet", "Basket.API.dll"]
 ARG source=.
 WORKDIR /app
-EXPOSE 80
+ENV ASPNETCORE_URLS http://*:5103
 COPY $source .

src/Services/Basket/Basket.API/Program.cs

@@ -15,7 +15,8 @@ namespace Microsoft.eShopOnContainers.Services.Basket.API
             var host = new WebHostBuilder()
                 .UseKestrel()
                 .UseContentRoot(Directory.GetCurrentDirectory())
-                .UseIISIntegration()
+                .UseUrls("http://0.0.0.0:5103")
+                //.UseIISIntegration()
                 .UseStartup<Startup>()
                 .Build();
 

src/Services/Basket/Basket.API/Startup.cs

@@ -68,7 +68,7 @@ namespace Microsoft.eShopOnContainers.Services.Basket.API
             // Use frameworks
             app.UseCors("CorsPolicy");
 
-            var identityUrl = Configuration.GetValue(typeof(string), "IdentityUrl");
+            var identityUrl = Configuration.GetValue<string>("IdentityUrl");
 
             app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
             {

src/Services/Identity/eShopOnContainers.Identity/appsettings.json

@@ -1,7 +1,7 @@
 {
   "ConnectionStrings": {
-    "DefaultConnection": "Server=identity.data;Database=aspnet-Microsoft.eShopOnContainers;User Id=sa;Password=Pass@word"
-    //"DefaultConnection": "Server=127.0.0.1,5433;Database=aspnet-Microsoft.eShopOnContainers;User Id=sa;Password=Pass@word"
+    //"DefaultConnection": "Server=identity.data;Database=aspnet-Microsoft.eShopOnContainers;User Id=sa;Password=Pass@word"
+    "DefaultConnection": "Server=127.0.0.1,5433;Database=aspnet-Microsoft.eShopOnContainers;User Id=sa;Password=Pass@word"
   },
   "MvcClient": "http://localhost:5100",
   "SpaClient": "http://localhost:5104",

src/Services/Ordering/Ordering.API/Controllers/OrdersController.cs

@@ -2,6 +2,7 @@
 {
     using Application.Commands;
     using Application.Queries;
+    using AspNetCore.Authorization;
     using MediatR;
     using Microsoft.AspNetCore.Mvc;
     using Models;
@@ -9,6 +10,7 @@
     using System.Threading.Tasks;
 
     [Route("api/v1/[controller]")]
+    [Authorize]
     public class OrdersController : Controller
     {
         private readonly IMediator _mediator;
@@ -34,9 +36,12 @@
         [HttpPost]
         public async Task<IActionResult> AddOrder([FromBody]NewOrderViewModel order)
         {
+            if (order.CardExpiration == DateTime.MinValue)
+                order.CardExpiration = DateTime.Now;
+
             var newOrderRequest = new NewOrderRequest()
             {
-                Buyer =GetUserName(), //TODO
+                Buyer = GetUserName(), 
                 CardTypeId = 1, //TODO
                 CardHolderName = order.CardHolderName,
                 CardNumber = order.CardNumber,
@@ -85,9 +90,13 @@
             return Ok(cardTypes);
         }
 
+        /// <summary>
+        /// Returns the GUID corresponding to the Id of the authenticated user.
+        /// </summary>
+        /// <returns>GUID (string)</returns>
         string GetUserName()
         {
-            return "MOCK";
+            return HttpContext.User.FindFirst("sub").Value;
         }
     }
 

src/Services/Ordering/Ordering.API/Dockerfile

@@ -4,5 +4,5 @@ FROM microsoft/aspnetcore:1.0.1
 ENTRYPOINT ["dotnet", "Ordering.API.dll"]
 ARG source=.
 WORKDIR /app
-EXPOSE 80
+ENV ASPNETCORE_URLS http://*:5102
 COPY $source .

src/Services/Ordering/Ordering.API/Program.cs

@@ -15,9 +15,9 @@ namespace Microsoft.eShopOnContainers.Services.Ordering.API
             var host = new WebHostBuilder()
                 .UseKestrel()
                 .UseContentRoot(Directory.GetCurrentDirectory())
-                .UseIISIntegration()
+                //.UseIISIntegration()
                 .UseStartup<Startup>()
-                //.UseUrls("http://localhost:5555")  //Just for KESTREL
+                .UseUrls("http://0.0.0.0:5102")
                 .Build();
 
             host.Run();

src/Services/Ordering/Ordering.API/Properties/launchSettings.json

@@ -3,7 +3,7 @@
     "windowsAuthentication": false,
     "anonymousAuthentication": true,
     "iisExpress": {
-      "applicationUrl": "http://localhost:2446/",
+      "applicationUrl": "http://localhost:5102/",
       "sslPort": 0
     }
   },

src/Services/Ordering/Ordering.API/Startup.cs

@@ -68,6 +68,15 @@
                 });
             });
 
+            services.AddCors(options =>
+            {
+                options.AddPolicy("CorsPolicy",
+                    builder => builder.AllowAnyOrigin()
+                    .AllowAnyMethod()
+                    .AllowAnyHeader()
+                    .AllowCredentials());
+            });
+
             services.AddSingleton<IConfiguration>(this.Configuration);
 
             services.AddOptions();
@@ -93,6 +102,17 @@
                 app.UseDeveloperExceptionPage();
             }
 
+            app.UseCors("CorsPolicy");
+
+            var identityUrl = Configuration.GetValue<string>("IdentityUrl");
+
+            app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
+            {
+                Authority = identityUrl.ToString(),
+                ScopeName = "orders",
+                RequireHttpsMetadata = false
+            });
+
 
             app.UseMvcWithDefaultRoute();
 

src/Services/Ordering/Ordering.API/project.json

@@ -27,7 +27,8 @@
     "Ordering.Domain": "1.0.0-*",
     "Ordering.Application": "1.0.0-*",
     "Ordering.Infrastructure": "1.0.0-*",
-    "System.Reflection": "4.3.0"
+    "System.Reflection": "4.3.0",
+    "IdentityServer4.AccessTokenValidation": "1.0.1-rc3"
   },
   "tools": {
     "Microsoft.EntityFrameworkCore.Tools": "1.0.0-preview2-final",

src/Services/Ordering/Ordering.API/settings.json

@@ -1,4 +1,4 @@
 {
-  //"ConnectionString": "Server=ordering.data;Database=Microsoft.eShopOnContainers.Services.OrderingDb;User Id=sa;Password=Pass@word;"
-  "ConnectionString": "Server=tcp:127.0.0.1,5432;Database=Microsoft.eShopOnContainers.Services.OrderingDb;User Id=sa;Password=Pass@word;"
+  "ConnectionString": "Server=tcp:127.0.0.1,5432;Database=Microsoft.eShopOnContainers.Services.OrderingDb;User Id=sa;Password=Pass@word;",
+  "IdentityUrl": "http://localhost:5105"
 }

src/Web/WebMVC/Controllers/OrderController.cs

@@ -47,18 +47,10 @@ namespace Microsoft.eShopOnContainers.WebMVC.Controllers
 
             if (action == "[ Place Order ]")
             {
-                try
-                {
-                    await _orderSvc.CreateOrder(user, order);
+                await _orderSvc.CreateOrder(user, order);
 
-                    //Empty basket for current user. 
-                    await _basketSvc.CleanBasket(user);
-
-                }
-                catch (Exception) {
-                    //redirect to some error page if the operation fails. 
-                    return Redirect("http://www.google.com");
-                }
+                //Empty basket for current user. 
+                await _basketSvc.CleanBasket(user);
 
                 //Redirect to historic list.
                 return RedirectToAction("Index");
@@ -75,10 +67,11 @@ namespace Microsoft.eShopOnContainers.WebMVC.Controllers
             return View(order);
         }
 
-        public IActionResult Index(Order item)
+        public async Task<IActionResult> Index(Order item)
         {
             var user = _appUserParser.Parse(HttpContext.User);
-            return View(_orderSvc.GetMyOrders(user));
+            var vm = await _orderSvc.GetMyOrders(user);
+            return View(vm);
         }
     }
 }

src/Web/WebMVC/Properties/launchSettings.json

@@ -3,7 +3,7 @@
     "windowsAuthentication": false,
     "anonymousAuthentication": true,
     "iisExpress": {
-      "applicationUrl": "http://localhost:2114/",
+      "applicationUrl": "http://localhost:5100",
       "sslPort": 0
     }
   },

src/Web/WebMVC/Services/OrderingService.cs

@@ -7,6 +7,7 @@ using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Options;
 using System.Net.Http;
 using Newtonsoft.Json;
+using Microsoft.AspNetCore.Authentication;
 
 namespace Microsoft.eShopOnContainers.WebMVC.Services
 {
@@ -15,11 +16,14 @@ namespace Microsoft.eShopOnContainers.WebMVC.Services
         private HttpClient _apiClient;
         private readonly string _remoteServiceBaseUrl;
         private readonly IOptions<AppSettings> _settings;
+        private readonly IHttpContextAccessor _httpContextAccesor;
 
-        public OrderingService(IOptions<AppSettings> settings)
+        public OrderingService(IOptions<AppSettings> settings, IHttpContextAccessor httpContextAccesor)
         {
             _remoteServiceBaseUrl = $"{settings.Value.OrderingUrl}/api/v1/orders";
             _settings = settings;
+            _httpContextAccesor = httpContextAccesor;
+
             #region fake items
             //_orders = new List<Order>()
             //{
@@ -62,7 +66,12 @@ namespace Microsoft.eShopOnContainers.WebMVC.Services
 
         async public Task<Order> GetOrder(ApplicationUser user, string Id)
         {
+            var context = _httpContextAccesor.HttpContext;
+            var token = await context.Authentication.GetTokenAsync("access_token");
+
             _apiClient = new HttpClient();
+            _apiClient.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token);
+
             var ordersUrl = $"{_remoteServiceBaseUrl}/{Id}";
             var dataString = await _apiClient.GetStringAsync(ordersUrl);
             var response = JsonConvert.DeserializeObject<Order>(dataString);
@@ -72,12 +81,17 @@ namespace Microsoft.eShopOnContainers.WebMVC.Services
 
         async public Task<List<Order>> GetMyOrders(ApplicationUser user)
         {
+            var context = _httpContextAccesor.HttpContext;
+            var token = await context.Authentication.GetTokenAsync("access_token");
+
             _apiClient = new HttpClient();
+            _apiClient.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token);
+
             var ordersUrl = _remoteServiceBaseUrl;
             var dataString = await _apiClient.GetStringAsync(ordersUrl);
             var response = JsonConvert.DeserializeObject<List<Order>>(dataString);
 
-            return response;
+            return response; 
         }
 
         public Order MapUserInfoIntoOrder(ApplicationUser user, Order order)
@@ -113,7 +127,12 @@ namespace Microsoft.eShopOnContainers.WebMVC.Services
 
         async public Task CreateOrder(ApplicationUser user, Order order)
         {
+            var context = _httpContextAccesor.HttpContext;
+            var token = await context.Authentication.GetTokenAsync("access_token");
+
             _apiClient = new HttpClient();
+            _apiClient.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token);
+
             var ordersUrl = $"{_remoteServiceBaseUrl}/new";
             order.PaymentInfo.CardType = CardType.AMEX;
             OrderRequest request = MapOrderIntoOrderRequest(order);