Anonymous Access

Vote:
 

According to the documentation (https://world.episerver.com/documentation/developer-guides/content-delivery-api/getting-started/quick-start/) setting 

context.Services.Configure<ContentApiConfiguration>(config =>
		{
			config.Default()
				.SetMinimumRoles(string.Empty)
				.SetSiteDefinitionApiEnabled(true);
		});

should allow anonymous calls to the content delivery api.

I am testing this in an Alloy sample site, and I still get access denied.

But if I add .SetRequiredRole(string.Empty), which I though targeted commerce catalog, it works as expected. 

context.Services.Configure<ContentApiConfiguration>(config =>
            {
                config.Default()
                        .SetMinimumRoles(String.Empty)
                        .SetRequiredRole(String.Empty)
                        .SetSiteDefinitionApiEnabled(true);

            });

Is the documentation outdated or am I missing something?

#256305
Jun 09, 2021 7:22
Vote:
 

Hi Mari,

It is documented that the default required role is by default set to "contentapiread", so that is why you need to set it to "string.Empty".

Its documented there: https://world.episerver.com/documentation/developer-guides/content-delivery-api/getting-started/configuration/#MapRequiredRole

#256588
Jun 14, 2021 16:01
Vote:
 

Yes, I get that.

But as you can see from my post above, setting 

.SetMinimumRoles(string.Empty)

does not work when trying to allow anonymous access.

#256591
Jun 14, 2021 17:36
Vote:
 

Hi Mari,

Which NuGet packages of content delivery API are you using?

I had an old project that was using 2.10.0 of EPiServer.ContentDeliveryApi.Cms and EPiServer.ContentDeliveryApi.Core with this config:

config.Default()
   .SetMinimumRoles(string.Empty)
   .SetMultiSiteFilteringEnabled(false)
   .SetRequiredRole("contentapiread")
   .SetSiteDefinitionApiEnabled(true)
   .SetIncludeNullValues(false)
   .SetIncludeMasterLanguage(false)
   .SetFlattenPropertyModel(true)
   .SetValidateTemplateForContentUrl(false);

And without setting access rights for "contentapiread" and it worked as documented (calling /api/episerver/v3/site and /api/episerver/v2.0/content/5/children)

Updated to EPiServer.ContentDeliveryApi.Cms 2.19.0 version and EPiServer.ContentDeliveryApi.Core 2.20.0 version, still worked the same.

If I remove the "SetMinimumRoles(string.Empty)", i will get episerver login in response.

Also note that I have not added the virtual role "contentapiread" to virtualRoles in episerver.framework section as instructed in the configuration guide, if I add it with mapping to only "webeditors" I will get empty array results when trying to get for example children of startpage. So by any chance have you added a virtual role?

What tool are you using to test the API? Postman?

#256592
Jun 14, 2021 19:38
Vote:
 

I am using version 2.19.0. I have not added a virtual role, and I am using Postman.

So if you change your config to this - what happens then?

config.Default()
   .SetMinimumRoles(string.Empty)
   .SetSiteDefinitionApiEnabled(true);
#256658
Jun 15, 2021 19:23
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.