The Umbraco login works nicely and provides a Sign in with Google button on the login page which auto-links the Umbraco user to the Google account.
My react SPA is also handling the login to its admin section correctly where the user can login with Google and the JWT access token is being returned from Auth0 and then being added to the header for the protected web API calls.
But, the server side authorization of the web API calls does not seem to be handling the JWT bearer token correctly as the user on the context is null so the request is being redirected to the /Account/Login page.
When I remove Umbraco from the web app, the web API calls work fine and the JWT bearer token is being correctly handled by the server with the user being set on the context.
It seems that Umbraco is handling all authorized requests on the server including my web API calls. Is there something I need to register with Umbraco to ensure that it only authorizes Umbraco requests and leaves my existing code to handle the authroization of the protected web API calls?
I guess an alternative would be to let Umbraco be used to authorize my API calls too and then I could use custom groups in Umbraco to provide the fine-grained control over access to different parts of the API.
What changes would I need to make to my React API calls and my API controllers to let Umbraco handle the authorization?
JWT bearer token for admin section plus Umbraco login via Google
I am experimenting with a .Net core web app that has its own admin section with a login via Jwt Bearer token using Auth0 (Google authentication).
This was working fine until I added Umbraco CMS to the web app also using Google authentication for the backoffice as per this article:
https://docs.umbraco.com/umbraco-cms/tutorials/add-google-authentication
The Umbraco login works nicely and provides a Sign in with Google button on the login page which auto-links the Umbraco user to the Google account.
My react SPA is also handling the login to its admin section correctly where the user can login with Google and the JWT access token is being returned from Auth0 and then being added to the header for the protected web API calls.
But, the server side authorization of the web API calls does not seem to be handling the JWT bearer token correctly as the user on the context is null so the request is being redirected to the /Account/Login page.
When I remove Umbraco from the web app, the web API calls work fine and the JWT bearer token is being correctly handled by the server with the user being set on the context.
It seems that Umbraco is handling all authorized requests on the server including my web API calls. Is there something I need to register with Umbraco to ensure that it only authorizes Umbraco requests and leaves my existing code to handle the authroization of the protected web API calls?
I got it working by forcing my API controllers to use JWT in the Authorize attribute:
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Policy = [My Custom Policy])]
I guess an alternative would be to let Umbraco be used to authorize my API calls too and then I could use custom groups in Umbraco to provide the fine-grained control over access to different parts of the API.
What changes would I need to make to my React API calls and my API controllers to let Umbraco handle the authorization?
is working on a reply...