using Microsoft.Owin;
using Owin;
using Umbraco.Core;
using Umbraco.Core.Security;
using Umbraco.RestApi;
using Umbraco.Web.Security.Identity;
using Umbraco.IdentityExtensions;
using UmbracoPlayground;

// To use this startup class, change the appSetting value in the web.config called
// "owin:appStartup" to be "UmbracoCustomOwinStartup" (it must match the name given
// in the OwinStartup attribute below).
[assembly: OwinStartup("UmbracoCustomOwinStartup", typeof(UmbracoCustomOwinStartup))]

namespace UmbracoPlayground
{
    /// <summary>
    /// A custom way to configure OWIN for Umbraco
    /// </summary>
    /// <remarks>
    /// The startup type is specified in appSettings under owin:appStartup - change it to "UmbracoCustomOwinStartup" to use this class
    ///
    /// This startup class would allow you to customize the Identity IUserStore and/or IUserManager for the Umbraco Backoffice
    /// </remarks>
    public class UmbracoCustomOwinStartup
    {
        public void Configuration(IAppBuilder app)
        {
            // Configure the Identity user manager for use with Umbraco Back office
            // (EXPERT: an overload accepts a custom BackOfficeUserStore implementation)
            app.ConfigureUserManagerForUmbracoBackOffice(
                ApplicationContext.Current,
                MembershipProviderExtensions.GetUsersMembershipProvider().AsUmbracoMembershipProvider());

            // Ensure owin is configured for Umbraco back office authentication
            app.UseUmbracoBackOfficeCookieAuthentication(ApplicationContext.Current);
            app.UseUmbracoBackOfficeExternalCookieAuthentication(ApplicationContext.Current);

            // Google external login for the back office (requires UmbracoCms.IdentityExtensions.Google)
            app.ConfigureBackOfficeGoogleAuth(
                "903993111999-i8em676kego06771hn7foooooooooBaaaaar.apps.googleusercontent.com",
                "L46oZKTgwJCNNmsrmuVDLrSr");

            // Enable the simple auth token server (exposes /umbraco/oauth/token) with the default CORS policy
            app.UseUmbracoBackOfficeTokenAuth();

            /*
             * Configure external logins for the back office:
             *
             * Depending on the authentication sources you would like to enable, you will need to install
             * certain Nuget packages.
             *
             * For Google auth: Install-Package UmbracoCms.IdentityExtensions.Google
             * For Facebook auth: Install-Package UmbracoCms.IdentityExtensions.Facebook
             * For Microsoft auth: Install-Package UmbracoCms.IdentityExtensions.Microsoft
             * For Azure ActiveDirectory auth: Install-Package UmbracoCms.IdentityExtensions.AzureActiveDirectory
             *
             * There are many more providers such as Twitter, Yahoo, ActiveDirectory, etc... most information can
             * be found here: http://www.asp.net/web-api/overview/security/external-authentication-services
             *
             * For sample code on using external providers with the Umbraco back office, install one of the
             * packages listed above to review its code samples
             *
             */

            /*
             * To configure a simple auth token server for the back office:
             *
             * By default the CORS policy is to allow all requests
             *
             * app.UseUmbracoBackOfficeTokenAuth(new BackOfficeAuthServerProviderOptions());
             *
             * If you want to have a custom CORS policy for the token server you can provide
             * a custom CORS policy, example:
             *
             * app.UseUmbracoBackOfficeTokenAuth(
             *     new BackOfficeAuthServerProviderOptions()
             *     {
             *         //Modify the CorsPolicy as required
             *         CorsPolicy = new CorsPolicy()
             *         {
             *             AllowAnyHeader = true,
             *             AllowAnyMethod = true,
             *             Origins = { "http://mywebsite.com" }
             *         }
             *     });
             */
        }
    }
}
UmbracoRestApi project - How do I authorise?
Hello all
So from the CodeGarden15 Keynote Shannon & Per demoed a HAL specification side line project named UmbracoRestApi.
I have downloaded the 7.3 beta along with the identity NuGet package & UmbracoRestApi package to play with all these lovely new things & start exploring.
So I wanted to start exploring & seeing how to use the API, so I logged into the Umbraco backoffice so that, I assume, a cookie gets set for me; but when I go to /umbraco/rest/v1/content, as listed on the GitHub project readme page, I get a 401 Unauthorised HTTP response code when using the Chrome extension Postman for API exploring.
I equally get the same result when browsing to the same URL endpoint using the HAL browser that was demoed in the keynote here - http://haltalk.herokuapp.com/explorer/browser.html
So if anyone can give me some pointers on this project so I can start playing & exploring please that would be fantastic :)
Cheers,
Warren
Postman doesn't really use your cookies from your browser session... though you could copy and paste the cookie values in from your session and send them on up.
Alternatively, you can use OAuth tokens to get the job done. When you install UmbracoCms.RestApi (https://github.com/umbraco/UmbracoRestApi), it also installs the IdentityExtensions package (https://github.com/umbraco/UmbracoIdentityExtensibility) which includes a very simple auth token server.
Unfortunately when the rest api installs, it doesn't show the readme from the identity extensions package. If you have a look at the file that it installed:
/AppStart/UmbracoStandardOwinStartup.cs (there's also a 'Custom' startup one too). If you read through all of the notes it tells you how to enable the auth server at the bottom. Here's a ref: https://github.com/umbraco/UmbracoIdentityExtensions/blob/master/src/Umbraco.IdentityExtensions/AppStart/UmbracoStandardOwinStartup.cs.pp#L50
You probably don't need to use a custom CORS policy at all, the default (without specifying one) will work in most cases. Then you can have a look at the file called UmbracoAuthTokenServerExtensions.cs (ref here: https://github.com/umbraco/UmbracoIdentityExtensions/blob/master/src/Umbraco.IdentityExtensions/App_Start/UmbracoAuthTokenServerExtensions.cs.pp)
You can read through this class and change it if you need a more advanced token server (or you can use this code to create your own). You'll note that the path for the token auth is:
/umbraco/oauth/token
Here's a cURL example of calling this endpoint:
curl -X POST -H "Accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -H "Cache-Control: no-cache" -d 'grant_type=password&username=admin&password=test' http://localhost:7300/umbraco/oauth/token
The response will look something like (example, the token will be much larger):
{"access_token":"123456789456789456789","token_type":"bearer","expires_in":86399}
Then when you make a request to an Umbraco resource you include the Authorization header with the access_token, here’s a cURL example:
curl -X GET -H "Accept: application/json, text/plain, */*" -H "Authorization: Bearer 123456789456789456789" -H "Cache-Control: no-cache" http://localhost:7300/umbraco/backoffice/UmbracoApi/Content/GetById?id=2168
Note the space between "Bearer" and the actual token in the Authorization header.
I haven't had time to write this documentation yet, but ideally this sort of stuff would be included in the files we ship so that they are self-documenting.
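The two cURL calls above as one script, added here as an example and not part of the original answer or of the UmbracoIdentityExtensions project: it requests a token with the password grant, pulls access_token out of the JSON response, and sends it back as a Bearer header. The base URL, username and password are assumptions taken from the examples above and can be overridden through environment variables; the path /umbraco/rest/v1/content is the one from the question. Unlike the bare curl lines, it checks the HTTP status of the token request, so an invalid username/password shows up as an error instead of an empty token being sent on the next request.

```shell
#!/bin/bash
# Added example: obtain a bearer token from the Umbraco auth token server and use
# it on a REST API call. BASE_URL, UMB_USER and UMB_PASS are assumptions (defaults
# match the curl examples in the thread); override them in the environment.
BASE_URL="${BASE_URL:-http://localhost:7300}"
UMB_USER="${UMB_USER:-admin}"
UMB_PASS="${UMB_PASS:-test}"

# Pull the access_token value out of a token response shaped like
# {"access_token":"...","token_type":"bearer","expires_in":86399}.
# Prints nothing if the body has no access_token (e.g. an error response).
extract_access_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Build the Authorization header. The single space after "Bearer" is required.
bearer_header() {
  printf 'Authorization: Bearer %s' "$1"
}

# POST the password grant to /umbraco/oauth/token. Prints the JSON body on
# success; on a non-2xx status (wrong credentials, auth server not enabled in
# the OWIN startup, ...) it reports the status and body on stderr and fails.
request_token() {
  local raw status json
  raw=$(curl -sS -w '\n%{http_code}' -X POST \
    -H "Accept: application/json" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "grant_type=password" \
    --data-urlencode "username=$UMB_USER" \
    --data-urlencode "password=$UMB_PASS" \
    "$BASE_URL/umbraco/oauth/token") || return 1
  status=$(printf '%s\n' "$raw" | tail -n 1)   # last line is the status code
  json=$(printf '%s\n' "$raw" | sed '$d')      # everything before it is the body
  if [ "$status" -lt 200 ] || [ "$status" -ge 300 ]; then
    echo "token request failed: HTTP $status: $json" >&2
    return 1
  fi
  printf '%s' "$json"
}

# GET a path with the bearer token and print only the HTTP status code.
call_api() {
  local token="$1" path="$2"
  curl -sS -o /dev/null -w '%{http_code}' \
    -H "Accept: application/json" \
    -H "$(bearer_header "$token")" \
    "$BASE_URL$path"
}

main() {
  local json token status
  json=$(request_token) || exit 1
  token=$(extract_access_token "$json")
  if [ -z "$token" ]; then
    echo "no access_token in token response: $json" >&2
    exit 1
  fi
  status=$(call_api "$token" "/umbraco/rest/v1/content")
  echo "GET /umbraco/rest/v1/content -> HTTP $status"
}

# Only talk to the server when invoked as: ./umbraco-token.sh --run
if [ "${1:-}" = "--run" ]; then
  main
fi
```

A 401 on the second call with a freshly issued token usually means the header was built without the space after "Bearer" or the token was truncated when copied; a failure on the first call means the token server is not wired up in the active OWIN startup class or the credentials are wrong.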
Hi Shannon,
OK I have tried your steps and I have uncommented/added
app.UseUmbracoBackOfficeTokenAuth();
in my OWIN Startup class. This calls the extension class in the App_Start folder, UmbracoAuthTokenServerExtensions.cs.
I can see the example code as is, with most of it commented out, just authorises the user or says this is a valid request without checking the username & password. However I get an exception rather than a JSON blob when doing the POST to the /umbraco/oauth/token endpoint.
To help explain what's going on & how I have this set up I recorded a quick screencast to make life easier, as you may be able to spot very quickly where I have gone wrong or forgotten to configure or set something up.
https://www.youtube.com/watch?v=ZQf5XRGEot0
Cheers,
Warren
Firstly, the code DOES validate username/password. The commented out code that you were looking at is if you want to extend/enhance any functionality, you don't need to change anything there unless you need more functionality. We ship it as-is and it works... but it's just a very basic auth token server. All of that is part of ASP.Net Identity.
I'll install a new version of Umbraco 7.3 and see what happens.
Ah OK, from what I understood from the comments & the example code further down I was under the impression that all requests with any username or password were authenticating.
So some clearer notes & comments in these files may be helpful to avoid confusion about what to uncomment or not.
For reference I was trying an invalid username & password, and I would assume I get some kind of response back, even a 401 HTTP status code of Unauthorised.
Thanks for the help.
Did you update the owin:appStartup to point at the new Identity base class? I had to change it to be UmbracoStandardOwinStartup and uncommented this line:
Yes Aaron, mine is as follows:
And my web.config appsetting is as follows:
Also, looking at the postman call you made I noticed you didn't provide the client_id. Here's my postman sample:
I tried the client_id being set to umbraco, I still get the same exception as follows:
I haven't tried with UmbracoCustomOwinStartup yet, I've only used UmbracoStandardOwinStartup which inherits from UmbracoDefaultOwinStartup. See here.
Interesting, if I switch to using UmbracoStandardOwinStartup this then works fine. Is it not possible to use the CustomOwinStartup Shannon? As I would like to use the Google Identity Login & experiment with the new RESTApi bits too.
Can you offer a solution or advice on how to make this work in the CustomOwinStartup class? Obviously this is a bug.
Here is the readme that explains the difference between the 2 startup classes :
https://github.com/umbraco/UmbracoIdentityExtensions/blob/master/build/Readme.txt
There's also some docs in the classes about what these do:
https://github.com/umbraco/UmbracoIdentityExtensions/blob/master/src/Umbraco.IdentityExtensions/App_Start/UmbracoCustomOwinStartup.cs.pp#L22
To recap:
"UmbracoStandardOwinStartup" = use this unless you are doing EXPERT things like customizing the BackOfficeUserStore or user manager, otherwise you need to use "UmbracoCustomOwinStartup" ... that is the ONLY difference
Not sure if it's a bug or if it's something in Warren's install as I was able to use the CustomOwinStartup with no problem myself.
Yeh I am no way an expert, just hacking around trying to figure out what the hell I should be doing :-P
Thanks for the help guys!
This is the class that you said isn't documented very clearly:
https://github.com/umbraco/UmbracoIdentityExtensions/blob/master/src/Umbraco.IdentityExtensions/App_Start/UmbracoAuthTokenServerExtensions.cs.pp
Happy to accept a PR to make it more clear if you don't think that it is clear enough but IMO there is quite a lot of detail there
Can you also create an issue on the github tracker for identity extensions describing the issue when using the UmbracoCustomOwinStartup ?
https://github.com/umbraco/UmbracoIdentityExtensions/issues
Off to create an issue....
https://github.com/umbraco/UmbracoIdentityExtensions/issues/3