Sitefinity's built-in OData services are protected out of the box, but custom ServiceStack endpoints need explicit protection. This post shows how to use the Sitefinity Identity Server, OpenID authentication and an OWIN startup class to protect your custom API routes - for Sitefinity versions prior to 14.0.
Updated on 20.01.2022 for Sitefinity 14 compatibility.
Note: If your Sitefinity version is 14.0 or above and you are using the new Default authentication, please check the updated article.
Sitefinity provides a convenient way to consume its protected OData services from external clients such as third-party services and mobile applications. But what about our own custom services?
I recently had to provide an API to be consumed from mobile applications, accessible only to authenticated users. The client was running Sitefinity 10.2 with OpenID authentication, and I decided to delegate authentication and authorisation to Sitefinity itself.
The first step is to configure the Identity Server for external authentication. There is good documentation covering this with code examples: Request access token for calling web services.
So far so good. I added ServiceUtility.RequestBackendUserAuthentication(); to my service method - but unfortunately that alone doesn't work. Even with a successful authentication and a valid token, the user was still treated as Anonymous by Sitefinity.
After nearly a full day in JustDecompile, I finally found the answer: the service route needs to be explicitly protected by SitefinityOpenIdConnectWebApiAuthenticationMiddleware. To do this, you create an OWIN startup class and map the route to that middleware there.
Don't forget to register the OWIN startup class in your web.config under <appSettings>:
<add key="owin:appStartup" value="SitefinityWebApp.OwinStratup" />
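As an added example (not the post's own code), here is what the OWIN startup class described above could look like, together with the service method that calls ServiceUtility.RequestBackendUserAuthentication(). The route prefix "/restapi/mobile", the class and namespace names, the request DTO and the exact way the middleware is registered (the generic Use<T>() with no constructor arguments, and the using for the middleware's namespace) are assumptions; check the constructor of SitefinityOpenIdConnectWebApiAuthenticationMiddleware in your Sitefinity version and adjust.

```csharp
// Added example, not from the original post. Assumptions: route prefix,
// class/namespace names, the middleware's namespace and that it can be
// registered with Use<T>() without extra arguments.
using Microsoft.Owin;
using Owin;
using ServiceStack;
using Telerik.Sitefinity.Owin;              // UseSitefinityMiddleware()
using Telerik.Sitefinity.Web.Services;      // ServiceUtility

// The type named here must match the owin:appStartup value in web.config
// (full name, including namespace), otherwise the class is never run and
// the custom route stays unprotected.
[assembly: OwinStartup(typeof(SitefinityWebApp.OwinStartup))]

namespace SitefinityWebApp
{
    public class OwinStartup
    {
        // Route prefix of the custom ServiceStack service (assumed value).
        private const string CustomApiRoute = "/restapi/mobile";

        public void Configuration(IAppBuilder app)
        {
            // Sitefinity's own pipeline (authentication, Identity Server
            // integration) has to be registered before anything else.
            app.UseSitefinityMiddleware();

            // Branch the pipeline for the custom route only and run the
            // OpenID Connect Web API middleware on that branch, so a valid
            // bearer token produces an authenticated principal instead of
            // the request being treated as Anonymous.
            app.Map(CustomApiRoute, branch =>
            {
                // Assumption: no constructor arguments are required.
                branch.Use<SitefinityOpenIdConnectWebApiAuthenticationMiddleware>();
            });
        }
    }

    // Request DTO for the custom service (assumed route and shape).
    [Route("/restapi/mobile/profile", "GET")]
    public class ProfileRequest : IReturn<ProfileResponse>
    {
    }

    public class ProfileResponse
    {
        public string UserName { get; set; }
    }

    public class MobileService : Service
    {
        public object Get(ProfileRequest request)
        {
            // With the middleware mapped on this route, the current request
            // carries the authenticated user, so this call now rejects
            // unauthenticated callers instead of letting them through as
            // Anonymous.
            ServiceUtility.RequestBackendUserAuthentication();

            return new ProfileResponse
            {
                UserName = System.Threading.Thread.CurrentPrincipal.Identity.Name
            };
        }
    }
}
```

One thing worth checking after deploying: call the route once without an Authorization header and once with a token obtained from the Identity Server as described in the linked documentation. If both succeed, the startup class is not being picked up (most often the owin:appStartup value does not match the class name), and the route is still effectively anonymous.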