Require authentication

In many APIs, all endpoints require authentication. In others, there may be a mix of protected and unprotected (anonymous) endpoints. These examples show you how to do both.

Require authentication for a specific route

If you want the user to only have access to a route if they are signed in, require authentication for just those routes.

• ASP.NET
• ASP.NET Core 2.x
• ASP.NET Core 3.x
• Go
• Node Express
• PHP
• Spring Boot

Use the [Authorize] attribute on controllers or actions to require a signed-in user:

public class MessagesController : Controller
{
    [HttpGet]
    [Route("~/api/messages")]
    [Authorize]
    public JsonResult Get()
    {
        return Json(new
        {
            messages = new dynamic[]
            {
                new { Date = DateTime.Now, Text = "This endpoint is protected." },
                new { Date = DateTime.Now, Text = "Hello, world!" },
            },
        });
    }
}

Require authentication for everything

For some applications, you may want to require the user to be authenticated for all routes.

• ASP.NET
• ASP.NET Core 2.x
• ASP.NET Core 3.x
• Go
• Node Express
• PHP
• Spring Boot

To require authentication for all actions, you can create an authorization policy to be used everywhere:

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc(o =>
    {
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        o.Filters.Add(new AuthorizeFilter(policy));
    });
}

Or you can opt to create a BaseProtectedController and make all of your controllers inherit from it:

[Authorize]
public abstract class BaseProtectedController : Controller
{
    // ...
}

For those actions/controllers that need to be accessible for non-authenticated users, you have to decorate them with the AllowAnonymous attribute.

Next: Configure CORS