Content Delivery API - 401 unauthorized


I'm in the middle of a project to convert our CMS site to use OIDC/OAuth for authentication/authorization. So far authentication to the CMS as a user works as expected, but I'm running into trouble when I try to secure the Content Delivery API.

I've set up our Azure AD App to include a "ContentApiRead" role claim (type=application) for the client_credentials grant type. I've added a "ContentApiRead" role (mapped role) in the virtual roles section of the web.config. I also overrode the "GetAllRoles" method as suggested here: Content Delivery API and Azure AD | Episerver Developer Community

Finally, I've granted access to "ContentApiRead" to the root of our site.

I can successfully call the API if I disable the minimum role requirement (SetMinimumRoles(string.Empty)) in the ContentDeliveryApiInitialization module, but if I use the default config or specify the minimum role as "ContentApiRead" I get a 401 Unauthorized response; I'm passing the access token in the header prefixed with "Bearer". I get this if I make the call from Postman or a C# console app.

I'm probably missing something really simple, but I've spent hours trying to figure it out and can't get it to work. Help would be greatly appreciated.

UPDATE - 12/18/2020

It turns out that Azure AD is not returning the "ContentApiRead" role in the token.  After inspecting the token, the only role getting returned is:

roles: [

I am going to try to figure out the Azure AD thing, but I thought I would check to see if I could add the "Directory.Read.All" role to control access, so I added the following:

web.config (virtualRoles section): <add name="Directory.Read.All" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="Directory.Read.All" mode="Any" />

And I also added the following:

context.Services.Configure<ContentApiConfiguration>(config =>

Finally, I set permissions on the root of the content tree to add "read" for the "Directory.Read.All" role. Unfortunately, I still get the 401 Unauthorized response.

UPDATE - 12/18/2020 - 2

Solved the Azure issue by calling the v1 (instead of v2.0) endpoint, and the ContentApiRead role is now returned in the roles. Unfortunately, still getting 401.
Edited, Dec 18, 2020 2:33

I believe the CD API packages are totally unaware of your Azure AD even if you have it hooked up for regular authentication.

You need to validate the token yourself if you want to use Bearer token auth... Something like in my blog post here:

You should also remove the OAuth-package for CD API if you have those installed.

You can also ignore those headers and instead just use the cookie security in place for the current user which I think is the way the article you refer to is meant to work.

Jan 11, 2021 15:45
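One way to do the "validate the token yourself" step from the answer above, as an added example that is not code from the original post, the linked blog post, or Episerver: an OWIN middleware that validates the Azure AD bearer token (signature against the tenant's discovery keys, issuer, audience, lifetime) and swaps in a ClaimsPrincipal whose role claim type is the token's "roles" claim, so that a MappedRole virtual role such as "ContentApiRead" in web.config evaluates true for the call. The tenant ID, client ID, audience values, the v1 issuer form, the class name and the Startup wiring are assumptions; adjust them to your app registration.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;
using Owin;

// Added example (not Episerver code): OWIN middleware that validates an Azure AD
// bearer token and replaces the request principal so Episerver's MappedRole
// virtual roles (e.g. "ContentApiRead") see the token's app roles.
public class AzureAdBearerMiddleware : OwinMiddleware
{
    // Assumed values: replace with your tenant and the app registration's client ID.
    private const string TenantId = "00000000-0000-0000-0000-000000000000";
    private const string ClientId = "11111111-1111-1111-1111-111111111111";

    // v1 tokens (the endpoint the thread ends up using) carry this issuer form;
    // v2.0 tokens use https://login.microsoftonline.com/{tenant}/v2.0 instead.
    private static readonly string ExpectedIssuer = $"https://sts.windows.net/{TenantId}/";

    // Fetches and caches the tenant's signing keys from OIDC discovery.
    private static readonly ConfigurationManager<OpenIdConnectConfiguration> Discovery =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://login.microsoftonline.com/{TenantId}/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    public AzureAdBearerMiddleware(OwinMiddleware next) : base(next) { }

    // Assumed wiring: call this from your OWIN Startup.Configuration so the
    // middleware runs in the Authenticate stage, ahead of Episerver's access checks.
    public static void Register(IAppBuilder app)
    {
        app.Use<AzureAdBearerMiddleware>();
        app.UseStageMarker(PipelineStage.Authenticate);
    }

    public override async Task Invoke(IOwinContext context)
    {
        var header = context.Request.Headers.Get("Authorization");
        if (header != null && header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
        {
            var principal = await ValidateAsync(header.Substring("Bearer ".Length).Trim());
            if (principal == null)
            {
                // Bad signature, wrong issuer/audience, expired or malformed: fail closed.
                context.Response.StatusCode = 401;
                return;
            }
            // Set both so the OWIN pipeline and ASP.NET (HttpContext.User, which
            // Episerver reads for access checks) agree on who the caller is.
            context.Request.User = principal;
            HttpContext.Current.User = principal;
        }
        await Next.Invoke(context);
    }

    private static async Task<ClaimsPrincipal> ValidateAsync(string token)
    {
        var config = await Discovery.GetConfigurationAsync();
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = ExpectedIssuer,
            // Assumed audiences: the client ID or the app's Application ID URI,
            // depending on which scope the client requested.
            ValidAudiences = new[] { ClientId, $"api://{ClientId}" },
            IssuerSigningKeys = config.SigningKeys,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
            // Azure AD app roles arrive in the "roles" claim. Using it as the role
            // claim type makes principal.IsInRole("ContentApiRead") return true,
            // which is exactly what the MappedRole entry in web.config checks.
            RoleClaimType = "roles",
            // Client-credentials tokens carry no user; identify the caller by app id.
            NameClaimType = "appid"
        };

        var handler = new JwtSecurityTokenHandler();
        // Keep the raw JWT claim names so RoleClaimType/NameClaimType above match.
        handler.InboundClaimTypeMap.Clear();
        try
        {
            return handler.ValidateToken(token, parameters, out _);
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
        {
            return null;
        }
    }
}
```

The existing pieces from the question stay as they are: the MappedRole for "ContentApiRead" in web.config, the read permission on the content root, and the API's minimum role. What changes is that the principal reaching those checks now actually carries the roles claim, which also means the token must contain it in the first place (the question notes the v2.0 endpoint omitted it and the v1 endpoint returned it).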

Thank you Johan.  Your suggestion, slightly modified, was exactly what I needed.

Feb 11, 2021 16:17