How to authorise front-end members for API access?
I have some REST API endpoints that I want members to be able to consume from their own apps. I want access to these endpoints to be limited to specific groups of members.
The standard approach to this is to use an OAuth log-in flow. I can find old tools to do this like umbraco-authu but searching through the forum history this seems to have changed in Umbraco 9+.
As far as I can gather this is now built-in to Umbraco, but I can't find any documentation to show where it is built-in or examples of how I can use it. I can see how it can be used in the back-end but I can't figure out how to use it for members.
To be absolutely clear:
I am using Umbraco 10.
I want to use OAuth to log in Members on the front end, not users in the back end.
I want to use my Umbraco application as the membership provider, not a third party platform.
I want users to be able to log in entirely through the API and retrieve a token they can use to authorise future API requests.
What do I need to do to get this working?
Hi Glenatron
Is it the UmbracoMemberAuthorizeFilter you are after?
https://github.com/umbraco/Umbraco-CMS/blob/1d14158d82ce5d9e3ed9766e8e11faddb455be19/src/Umbraco.Web.Common/Filters/UmbracoMemberAuthorizeFilter.cs#L16
so you can decorate UmbracoAPIController endpoints and restrict by MemberType, MemberGroup or a list of Members???
regards
Marc
Thanks for this. I think this might be what I need to ensure the endpoints are restricted to members, but I can't see from the documentation (this is the most helpful thing I've found so far) how I can use an API auth flow to log in. I don't know if there is some built-in headerless authentication endpoint that will allow me to create a JWT token that will just work with this filter, or whether I need to roll my own.
I'm working my way through using the AspNetCore.Authentication libraries but if there's some simple way of configuring it in, or something already provided by Umbraco that I can't find the documentation for, I'd love to hear about it.
I couldn't find a built-in approach for doing this - which doesn't mean there isn't one - so I got it working using the approach documented in this article: https://www.codemag.com/Article/2105051/Implementing-JWT-Authentication-in-ASP.NET-Core-5
I create my authorize controller.
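A token endpoint along the lines of the JWT approach discussed in this thread, as an added example that is not code from any poster or from Umbraco. The controller name, the route and the `MemberJwt:*` configuration keys are hypothetical, and the example assumes that `GetRolesAsync` returns the member's groups as roles.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.IdentityModel.Tokens;
using Umbraco.Cms.Core.Security;

// Hypothetical controller: checks member credentials and returns a short-lived JWT.
[ApiController]
[Route("api/member-token")]
public class MemberTokenController : ControllerBase
{
    private readonly IMemberManager _members;
    private readonly IConfiguration _config;

    public MemberTokenController(IMemberManager members, IConfiguration config)
        => (_members, _config) = (members, config);

    public record LoginRequest(string Username, string Password);

    [HttpPost]
    public async Task<IActionResult> Login([FromBody] LoginRequest request)
    {
        // Same 401 for an unknown member and a wrong password, so usernames are not disclosed.
        if (!await _members.ValidateCredentialsAsync(request.Username, request.Password))
            return Unauthorized();
        var member = await _members.FindByNameAsync(request.Username);
        if (member is null) return Unauthorized();

        // Assumption: member groups come back as roles and are copied into role claims.
        var claims = new List<Claim> { new(JwtRegisteredClaimNames.Sub, member.Id) };
        foreach (var group in await _members.GetRolesAsync(member))
            claims.Add(new Claim(ClaimTypes.Role, group));

        // The signing key is a random secret of at least 32 bytes kept in configuration, never in source.
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["MemberJwt:SigningKey"]!));
        var token = new JwtSecurityToken(
            issuer: _config["MemberJwt:Issuer"],
            audience: _config["MemberJwt:Audience"],
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));

        return Ok(new { token = new JwtSecurityTokenHandler().WriteToken(token) });
    }
}
```

The API endpoints then need a JWT bearer authentication scheme registered with the same issuer, audience and key, and an authorization check on the role claims. Login throttling and lockout handling are not shown here.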