Use Sitefinity Identity server and ServiceStack to create protected services
Sitefinity provides a convenient way for consuming its protected Odata services from external clients (3rd party services, mobile applications, etc.), but what about our custom services?
Recently I had to provide an API which will be consumed from mobile applications and only from authenticated users. The client uses Sitefinity 10.2 with OpenId authentication and I decided to leave the authentication and authorization to Sitefinity itself.
The first step is to configure the Identity Server for an external authentication. There is a nice documentation for this and includes code examples:
https://www.progress.com/documentation/sitefinity-cms/request-access-token-for-calling-web-services
So far so good. I’ve added ServiceUtility.RequestBackendUserAuthentication(); to my service method, but unfortunately that doesn’t work. Even with successful authentication and a valid token, the user still was Anonymous for Sitefinity.
After almost whole day spent in JustDecompile finally I’ve found that the service’s route needed to be explicitly protected by SitefinityOpenIdConnectWebApiAuthenticationMiddleware.
For this you just need to create an Owin startup class and map the route there.
! Don’t forget to add it to the <appSettings /> in web.config:
<add key="owin:appStartup" value="SitefinityWebApp.OwinStratup" />
NOTE: If your Sitefinity version is 14.0 and above and you are using the new Default authentication, please be sure to
check the updated article.