V24.2

Authenticate and Authorize Web API Endpoints


The Web API supports all standard ASP.NET Core authentication techniques that you can specify in the MySolution.WebApi\Startup.cs (MySolution.Blazor.Server\Startup.cs) file. See the following topic for more information: Authentication.

If you use the Solution Wizard to create a Web API project, enable authentication on the Choose Security page:

[Screenshot: Select authentication]

  • Standard Authentication: The wizard generates JWT authentication scaffolding code for the Web API.
  • OAuth2 Authentication: The wizard adds the JWT and Azure AD scaffolding code to the MySolution.WebApi\appsettings.json file.
  • Windows Active Directory: The wizard adds the JWT scaffolding code to the MySolution.WebApi\appsettings.json file and the scaffolding code for Windows Active Directory to the MySolution.WebApi\Properties\launchSettings.json file.

See the following topics for information on how to configure the authentication scaffolding code and manually enable authentication:

Configure Authorization for Endpoints or Protect Business Object Data

You must define Security System permissions for business objects and properties you want to expose through a Web API Service (both built-in and custom endpoints). We do not recommend that you expose business object data to all users without security protection.

You can configure permissions using one of the following methods:

  • In the code of the ModuleUpdater class (look for the Updater.cs file, because there may be different locations depending on your project configuration).
  • In the administrative UI powered by XAF Blazor/WinForms (this feature requires the Universal license).
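The following is an added example of the ModuleUpdater approach, not code from this page or from DevExpress: it creates a least-privilege role and the "ServiceUser" account that an impersonating endpoint can sign in as, granting only the operations that endpoint needs. It assumes an EF Core project (XPO projects use the DevExpress.Persistent.BaseImpl.PermissionPolicy namespace instead), the ApplicationUser and Employee types from this page, and a hypothetical configuration key ServiceUser:Password.

```csharp
using System;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using DevExpress.ExpressApp.Updating;
using DevExpress.Persistent.Base;
using DevExpress.Persistent.BaseImpl.EF.PermissionPolicy; // assumed: EF Core project
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using MySolution.WebApi.BusinessObjects;

namespace MySolution.Module.DatabaseUpdate { // assumed namespace of Updater.cs
    public class Updater : ModuleUpdater {
        public Updater(IObjectSpace objectSpace, Version currentDBVersion) : base(objectSpace, currentDBVersion) { }

        public override void UpdateDatabaseAfterUpdateSchema() {
            base.UpdateDatabaseAfterUpdateSchema();

            PermissionPolicyRole serviceRole = ObjectSpace.FirstOrDefault<PermissionPolicyRole>(r => r.Name == "ServiceRole");
            if (serviceRole == null) {
                serviceRole = ObjectSpace.CreateObject<PermissionPolicyRole>();
                serviceRole.Name = "ServiceRole";
                // Least privilege: the impersonating endpoint only creates Employee objects and sets
                // their Name, so the role allows exactly that (Read is needed to work with the created object).
                serviceRole.AddTypePermission<Employee>(SecurityOperations.Read, SecurityPermissionState.Allow);
                serviceRole.AddTypePermission<Employee>(SecurityOperations.Create, SecurityPermissionState.Allow);
                serviceRole.AddMemberPermission<Employee>(SecurityOperations.Write, "Name", null, SecurityPermissionState.Allow);
                // Explicit Deny on security objects: a Deny wins over an Allow granted through any other
                // role, so a later misconfiguration cannot turn the service account into an admin.
                serviceRole.AddTypePermissionsRecursively<ApplicationUser>(SecurityOperations.FullObjectAccess, SecurityPermissionState.Deny);
                serviceRole.AddTypePermissionsRecursively<PermissionPolicyRole>(SecurityOperations.FullObjectAccess, SecurityPermissionState.Deny);
            }

            UserManager userManager = ObjectSpace.ServiceProvider.GetRequiredService<UserManager>();
            if (userManager.FindUserByName<ApplicationUser>(ObjectSpace, "ServiceUser") == null) {
                // The account can still authenticate through the regular login endpoint, so it gets a
                // real secret from configuration ("ServiceUser:Password" is a hypothetical key), never a literal.
                string password = ObjectSpace.ServiceProvider.GetRequiredService<IConfiguration>()["ServiceUser:Password"]
                    ?? throw new InvalidOperationException("ServiceUser:Password is not configured.");
                _ = userManager.CreateUser<ApplicationUser>(ObjectSpace, "ServiceUser", password, user => {
                    user.Roles.Add(serviceRole);
                });
            }
            ObjectSpace.CommitChanges();
        }
    }
}
```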

For more information, refer to the following concepts and examples:

Authenticate a User in Code

XAF supports API that you can use to access and manage application users as well as authenticate users. This API includes the following services:

  • UserManager: Exposes the API required to manage user objects in the database.
  • SignInManager: Exposes the API required to sign a user into an application.

The following code snippet demonstrates how to use the API that the UserManager and SignInManager services expose to sign in to a nested scope and execute custom endpoint logic on a service user's behalf (user impersonation). Note that the [Authorize] attribute still controls who may call the endpoint; the impersonated service user's permissions only bound what the endpoint logic itself can do:

using System;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using MySolution.WebApi.BusinessObjects;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
// ...
namespace MySolution.WebApi {
    [Route("api/[controller]")]
    [ApiController]
    [Authorize]
    public class CustomEndpointController : ControllerBase {
        private readonly IServiceProvider serviceProvider;
        public CustomEndpointController(IServiceProvider serviceProvider) {
            this.serviceProvider = serviceProvider;
        }

        [HttpPost]
        public void Post([FromBody] string value) {
            // ...
            // Create a nested service scope within which to establish a separate login session.
            IServiceScopeFactory serviceScopeFactory = serviceProvider.GetRequiredService<IServiceScopeFactory>();
            using (IServiceScope impersonationScope = serviceScopeFactory.CreateScope()) {
                // Use the UserManager to obtain the "ServiceUser" user object.
                using IObjectSpace nonSecuredObjectSpace = impersonationScope.ServiceProvider
                    .GetRequiredService<INonSecuredObjectSpaceFactory>().CreateNonSecuredObjectSpace<ApplicationUser>();
                ApplicationUser serviceUser = impersonationScope.ServiceProvider
                    .GetRequiredService<UserManager>().FindUserByName<ApplicationUser>(nonSecuredObjectSpace, "ServiceUser");
                if (serviceUser == null) {
                    // Fail early instead of dereferencing a missing account further down.
                    throw new InvalidOperationException("The \"ServiceUser\" account does not exist.");
                }

                // Sign in as "ServiceUser" to the nested scope.
                SignInManager signInManager = impersonationScope.ServiceProvider.GetRequiredService<SignInManager>();
                signInManager.SignIn(serviceUser);

                // Obtain an Object Space from the nested scope and use this Object Space
                // to manipulate business objects on the "ServiceUser" user's behalf.
                // This Object Space is secured, so "ServiceUser" permissions apply to every operation below.
                using IObjectSpace objectSpace = impersonationScope.ServiceProvider
                    .GetRequiredService<IObjectSpaceFactory>().CreateObjectSpace<Employee>();
                Employee newEmployee = objectSpace.CreateObject<Employee>();
                newEmployee.Name = value;
                // ...
                objectSpace.CommitChanges();
                // ...
            }
        }
    }
}