Hi, but of a big ask this one - but wondering if anyone can give me pointers on using Authentication with your own controllers and the new backoffice ? I have a (very nearly) working demo of a dashboard, using a context, and repository, and a datastore and a openapi generated resource to talk to a newly constructed API (using the management api structures, showing its own swagger) to get some simple info from the server (in my case here, time and date as strings). https://github.com/KevinJump/TimeDashboard/tree/master this works !! when the

[Authorize(Policy = "New" + AuthorizationPolicies.BackOfficeAccess)]

tag is removed from the controller (so it has no auth!). put it on, and the dashboard, does 'your session has expired' I have gone down the road of replicating some of the extra swagger stuff from the core, https://github.com/KevinJump/TimeDashboard/blob/master/TimeDashboard.Client/Configuration/ConfigureSwaggerGenOptions.cs (replacing the filters with ones that look for 'time' instead of 'management' for the API) but i suspect i am either missing something obvious, or this isn't the way to do this. anyone, any clues ? https://cdn.discordapp.com/attachments/1201903877721698395/1201903878304714783/image.png?ex=65cb8336&is=65b90e36&hm=61812c01435b7be7c7e3caf50ff9c27311838a80170d47d6158af10249b1c541&

You need to add the policy in the application: https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-8.0

thanks, will take a look, can't i piggy back on the existing polcieis for the backoffice ? you do need some of the sec stuff on swagger though? because it changes whats generated by the OpenAPI command line (noticed the 401 line appearing and disappearing as i've been messing with the config.

I'm guessing you need some sort of login / antiforgery token from the core on the frontend. I know in the old backoffice, the

$http

service was loaded with an antiforgery token by the core. I would guess there is something similar in the new backoffice?

yeah - I've been looking in all the source code for v14 (front end and backend) for something like that but i can't see anything 😞

I found something about an auth context here in the source: https://github.com/umbraco/Umbraco.CMS.Backoffice/blob/88d5dedc0ff48c6238110486a6a67c5f0af62528/src/shared/auth/auth.context.ts#L71

Yes thanks, that sent me off down the right track 🎉 The Auth context is used to set the token on the OpenAPI configuration in the main umbraco application, and any requests coming from that code then use the token. The issue is you need to generate your own code from your own OpenAPI schema, and when you do that, the code generates a new set of core files including your own OpenApi configuration 🫣 so what you need to to is use the auth to set the token on your own configuration. here (and it will be put somewhere public) . for reference: consume the auth context, and set the token on your own OpenApi configuration

ts
this.consumeContext(UMB_AUTH_CONTEXT, (_auth) => {
    OpenAPI.TOKEN = ()=> _auth.getLatestToken();
    OpenAPI.WITH_CREDENTIALS = true;
});

then this all works with the 'standard` Polices (no need to create your own etc)

awesome!!

bookmarks this thread for future reference This is a documentation worthy questions!

@Kevin Jump glad you were able to figure it out... We have been contemplating if we should let out

OpenAPI

object be generally available to use for your own controllers. That would work if you use the same generator as we do in the backoffice source. Then we'd already have configured it globally for you. If you use another generator, or you use something like the named API option from ours, or maybe you want to make a standard Fetch request, you can always consume

UMB_AUTH_CONTEXT

and call the

getLatestToken()

method.

Documentation (like properly written with *real *words) isn't my strength. - but I've put the whole process for getting the frontend talking to the backend in this set of posts https://dev.to/kevinjump/series/26248

I was just thinking we make our OpenAPI object available on window.umbraco.OpenAPI and in your code, you do something like:

OpenAPI = window.umbraco.OpenAPI

and you would have the baseURL and token set up for you

Ahh ... thanks ! i just found that, and yes it would be better if the whole OpenApi config was public (even if there was an authContext

getOpenApiConfig

or something) because then i could get it from there and if the method for calculating the base url ever changed in the core i would be using the same value. 👍

indeed

yes 👍

Actually if you have time at some point, Kevin, would you test if that works?

js
import { OpenAPI } from './your-own-generated-code'
import { OpenAPI as umbracoOpenAPI } from '@umbraco-cms/backoffice/backend-api'

OpenAPI = umbracoOpenAPI

I can't find it in umbraco-cms/backoffice/backend-api, but i did get it from

@umbraco-cms/backoffice/external/backend-api

? anyway, you can't assign it 😦 https://cdn.discordapp.com/attachments/1201903877721698395/1202195037287616542/image.png?ex=65cc9260&is=65ba1d60&hm=c55edd1522dcc0c543e5a4225334df01e964fdaf9f80293cc6d87927fc2e7096&

you are right, it's exported through external/backend-api

yeah - i think getting them through the context seems like the right way, its a pity the gen tool can't be told to import the config from somewhere diffrent - that would be a good solution, i might see what would be involed in a PR for that.

yeah in a non-module context the OpenAPI object is just a global object available on the window, so any generated resources be it ours or yours use it automatically, but es modules are scoped and won't leak it automatically so you have to overwrite it somehow

FYI: an easy link for if you don't have a Discord install near you: https://discord-chats.umbraco.com/t/16356022/solved-v14-using-custom-authenticated-controllers-with-the-n