Skip to main content
BuyLog In
XAF: Cross-Platform .NET App UI & Web API
Search in…
Docs > Backend Web API Service > Authenticate and Authorize Web API Endpoints
All docs
V24.1
.NET Framework 4.5.2+
XAF: Cross-Platform .NET App UI & Web API
Getting Started
Installation, Upgrade, Version History
Backend Web API Service
Get Started with Web API Service
Create a Standalone Web API Application
Integrate the Web API into an Existing XAF Blazor Application
Add and Protect CRUD Web API Endpoints
Add Endpoints for Business Object Methods
Test the Web API with Swagger or Postman
Consume the Web API from .NET
Authenticate and Authorize Web API Endpoints
Configure JWT Authentication
Configure OAuth2 Azure Authentication
Create Custom Endpoints
Add Paid/Enterprise Modules
UI Shell and Base Infrastructure
Storage, ORM, and Business Model Design
Data Manipulation and Business Logic
User Interface and Behavior Customization
Data Filtering
Application Security and Data Safety
Multi-Tenancy (Data per Tenant)
Validation (Prevent Data Errors)
Conditional Appearance (Manage State of UI Elements)
Reporting (Shape, Export & Print Data)
Analytics (Extract Data Insights)
Document Management
Business Process Management
Event Planning
Localization
Accessibility Support
Debugging, Testing and Error Handling
Deployment
Support, QA & Troubleshooting
API Reference
Download CHM

Authenticate and Authorize Web API Endpoints

  • 3 minutes to read

The Web API supports all standard ASP.NET Core authentication techniques that you can specify in the MySolution.WebApi\Startup.cs (MySolution.Blazor.Server\Startup.cs) file. See the following topic for more information: Authentication.

If you use the Solution Wizard to create a Web API project, enable authentication on the Choose Security page:

Select authentication

Standard Authentication
The wizard generates JWT authentication scaffolding code for the Web API.
OAuth2 Authentication
The wizard adds the JWT and Azure AD scaffolding code to the MySolution.WebApi\appsettings.json file.
Windows Active Directory
The wizard adds the JWT scaffolding code to the MySolution.WebApi\appsettings.json file and the scaffolding code for Windows Active Directory to the MySolution.WebApi\Properties\launchSettings.json file.

See the following topics for information on how to configure the authentication scaffolding code and manually enable authentication:

Configure Authorization for Endpoints or Protect Business Object Data

You must define Security System permissions for business objects and properties you want to expose through a Web API Service (both built-in and custom endpoints). We do not recommend that you expose business object data to all users without security protection.

You can configure permissions using one of the following methods:

  • In the code of the ModuleUpdater class (look for the Updater.cs file, because there may be different locations depending on your project configuration).
  • In the administrative UI powered by XAF Blazor/WinForms (this feature requires the Universal license).

For more information, refer to the following concepts and examples:

Authenticate a User in Code

XAF supports API that you can use to access and manage application users as well as authenticate users. This API includes the following services:

UserManager
Exposes API required to manage user objects in the database.
SignInManager
Exposes API required to sign a user into an application.

The following code snippet demonstrates how to use API that the UserManager and SignInManager services expose to sign in to a nested scope and execute custom endpoint logic on a service user’s behalf (user impersonation):

using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using MySolution.WebApi.BusinessObjects;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
// ...
namespace MySolution.WebApi {
    [Route("api/[controller]")]
    [ApiController]
    [Authorize]
    public class CustomEndpointController : ControllerBase {
        private readonly IServiceProvider serviceProvider;
        public CustomEndpointController(IServiceProvider serviceProvider) {
            this.serviceProvider = serviceProvider;
        }

        [HttpPost]
        public void Post([FromBody] string value) {
            // ...
            // Create a nested service scope whithin which to establish a separate login session.
            IServiceScopeFactory serviceScopeFactory = serviceProvider.GetRequiredService<IServiceScopeFactory>();
            using (IServiceScope impersonationScope = serviceScopeFactory.CreateScope()) {
                // Use the UserManager to obtain the "ServiceUser" user object.
                using IObjectSpace nonSecuredObjectSpace = impersonationScope.ServiceProvider
                    .GetRequiredService<INonSecuredObjectSpaceFactory>().CreateNonSecuredObjectSpace<ApplicationUser>();
                ApplicationUser serviceUser = impersonationScope.ServiceProvider
                    .GetRequiredService<UserManager>().FindUserByName<ApplicationUser>(nonSecuredObjectSpace, "ServiceUser");

                // Sign in as "ServiceUser" to the nested scope.
                SignInManager signInManager = impersonationScope.ServiceProvider.GetService<SignInManager>();
                signInManager.SignIn(serviceUser);

                // Obtain an Object Space from the nested scope and use this Object Space
                // to manipulate business objects on the "ServiceUser" user's behalf.
                using IObjectSpace objectSpace = impersonationScope.ServiceProvider
                    .GetRequiredService<IObjectSpaceFactory>().CreateObjectSpace<Employee>();
                Employee newEmployee = objectSpace.CreateObject<Employee>();
                newEmployee.Name = value;
                // ...
                objectSpace.CommitChanges();
                // ...
            }
        }
    }
}
See Also