Hi all, I’m creating a Vue app in the frontend that queries some endpoints of the Management API. Is that considered an ‘external application’ in regards to the documentation on how to authenticate?
I want the app to get access to the API only if a backend user is logged in and has the right permissions. Do I still need, as per the docs, to create an API user? Can’t I somehow use the user’s credentials?
Normal Backoffice users require a manual login; that is to say, the user must manually type in the username and password. Depending on your intended flow, an API user might be easier as it only requires a static API key.
However, if you want a normal login, you must register an extra OpenID provider (with a client_id and redirect_url) that will redirect you back to the website frontend after a successful login.
Take a look here in the source code where Postman and Swagger UI are registered as allowed providers:
Hi Jacob. Not sure if I understand your approach. So the issue is that I would like to show an editor in the frontend only to logged-in users. I was hoping that I can use the logged-in user’s credentials to also query the Management API.
So I don’t want to add a custom login process, which is what I understand from your response.
update: actually I think I was approaching the problem from the wrong direction. I can just display what I want using Razor instead of Vue.
update 2: which takes me to my next question. On Umbraco 13 we have the UmbracoAuthorizedApiController, which is deprecated in v14. Does that mean that all the requests need to be done through the Management API, which means we need to use API users?
Your users have to log in somehow, and you need to obtain their access_token after the fact. You can send them to the login screen like normal, but they would end up in the Backoffice afterwards. If you register your own OpenId descriptor, you can set the allowed redirect URL to be back to your frontend. That was my approach.
Great if you can show things with Razor instead. The equivalent to the UmbracoAuthorizedApiController would be ManagementApiControllerBase and an added Authorize filter, like so:
```csharp
// Namespaces assumed for Umbraco 14; adjust if your version differs
using Microsoft.AspNetCore.Authorization;
using Umbraco.Cms.Api.Management.Controllers;
using Umbraco.Cms.Web.Common.Authorization;

// Every action on a controller deriving from this base requires a
// Backoffice session or an API User token that satisfies the policy
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
public class MyControllerBase : ManagementApiControllerBase
{
}
```
That hooks your controller up to the .NET authentication, and you can query them using the Backoffice access_token or the token from an API User.
Now I have another question. I’m using the backoffice access_token (taken from localStorage) and all works well, but when it expires, I need to navigate to the backoffice for the token to be re-issued.
I’m trying to use the refresh token in the localStorage that is stored alongside the access token, but I keep getting a 400. I’m posting the refresh token to the /umbraco/management/api/v1/security/back-office/token endpoint; is that the right endpoint? Is this the right way of getting a new access token?
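As an added example (not code from this thread or from Umbraco), here is a small frontend helper for the pattern discussed above: calling a controller derived from ManagementApiControllerBase with the Backoffice access_token, and sending the user back to the Backoffice when that token is missing, expired or rejected, instead of retrying with a stale one. The localStorage key and the API route are assumptions; the token is treated as opaque whenever the client cannot read an `exp` claim from it, so the server's 401 stays the authoritative signal.

```javascript
// Added example, not code from the thread: a client helper for calling a
// Management API controller with the Backoffice access_token.
const TOKEN_KEY = "umb:backoffice:access_token"; // assumed key, check your own storage
const BACKOFFICE_URL = "/umbraco";               // logging in here re-issues the token

// Decode a JWS payload (base64url). No signature check: the server validates it.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null; // encrypted (JWE) or opaque tokens have another shape
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  const json = typeof Buffer !== "undefined"
    ? Buffer.from(b64, "base64").toString("utf8")
    : atob(b64);
  try { return JSON.parse(json); } catch { return null; }
}

// "missing" | "expired" | "opaque" | "ok". Tokens the client cannot read are
// "opaque": send them and let the server's 401 decide rather than guessing.
function tokenStatus(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!token) return "missing";
  const payload = decodeJwtPayload(token);
  if (!payload || typeof payload.exp !== "number") return "opaque";
  return payload.exp - 30 <= nowSeconds ? "expired" : "ok"; // 30 s clock skew
}

// Call a Management API route (assumed path prefix) with the bearer token.
// `fetchImpl` is injectable so the function can run without a network.
async function callManagementApi(path, token, fetchImpl = fetch) {
  const status = tokenStatus(token);
  if (status === "missing" || status === "expired") {
    return { ok: false, status: 401, reason: `token-${status}` };
  }
  const res = await fetchImpl(`/umbraco/management/api/v1${path}`, {
    headers: { Authorization: `Bearer ${token}`, Accept: "application/json" },
  });
  if (res.status === 401 || res.status === 403) {
    return { ok: false, status: res.status, reason: "rejected-by-server" };
  }
  return { ok: true, status: res.status, data: await res.json() };
}

// Browser glue: when the token is unusable, send the user to the Backoffice
// login instead of retrying with a stale token.
async function loadEditorData(path) {
  const result = await callManagementApi(path, localStorage.getItem(TOKEN_KEY));
  if (!result.ok) window.location.assign(BACKOFFICE_URL);
  return result;
}
```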