Custom Login module can call IUserService.GetUserAsync and AddUserAsync, but is 403 forbidden to call UpdateUserAsync #4247
Following on from #4220, I am creating a custom Login module that authenticates against an external auth system. The basic idea is to check credentials against the external auth system, get back user details (name etc), then create/update a matching Oqtane user (with a random complex pwd, because it is not guaranteed that the given pwd will meet Oqtane standards), then log this user into Oqtane.

The calls to IUserService.GetUserAsync and AddUserAsync work fine. However, the call to UpdateUserAsync fails with 403 Forbidden. Is this inconsistency a bug, or by design, or is there something I can do to grant the module permission to make this call?

One more question - AddUserAsync works, but only if I turn on user registration in site settings. I would rather not have it turned on, to avoid any chance that users self-register (e.g. a site admin puts the regular Login module on an accessible page) ... is there another way to add users programmatically (I guess I could make my own API that adds via the user repository ... just wondering if there is a quick way)?

Log details for UpdateUserAsync failure:
Replies: 1 comment 4 replies
@lanthonyneville this is by design - the Oqtane API must be secure by default. If you need to bypass the default security for your specific use case you will need to create your own API Controllers in your module which calls UserManager.
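A sketch of the module-owned controller the reply describes, as an added example that is not part of the original discussion or Oqtane's own code. `IExternalAuthClient`, `ExternalIdentity`, `ExternalLoginRequest`, the controller name and its route are hypothetical; the `IUserManager` (`GetUser`, `AddUser`, `UpdateUser`) and `ITenantManager.GetAlias()` signatures are assumptions to check against the installed Oqtane version. Because the endpoint is reachable before login, it re-validates the credentials server-side and takes every user attribute from the external system rather than from the request.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Oqtane.Infrastructure; // ITenantManager (assumed namespace)
using Oqtane.Managers;       // IUserManager (assumed namespace)
using Oqtane.Models;

// Hypothetical wrapper around the external auth system; returns null on bad credentials.
public record ExternalIdentity(string Username, string Email, string DisplayName);
public interface IExternalAuthClient { Task<ExternalIdentity> ValidateAsync(string username, string password); }
public record ExternalLoginRequest(string Username, string Password);

[ApiController]
[Route("api/[controller]")]
public class ExternalLoginController : ControllerBase
{
    private readonly IExternalAuthClient _external;
    private readonly IUserManager _users;
    private readonly ITenantManager _tenants;
    public ExternalLoginController(IExternalAuthClient external, IUserManager users, ITenantManager tenants)
    { _external = external; _users = users; _tenants = tenants; }

    [HttpPost("provision")]
    [AllowAnonymous] // pre-login endpoint: the external credential check is the only gate
    public async Task<IActionResult> Provision([FromBody] ExternalLoginRequest request)
    {
        // Never trust caller-supplied profile data; only the external system's answer is used.
        var identity = await _external.ValidateAsync(request.Username, request.Password);
        if (identity == null) return Unauthorized();

        int siteId = _tenants.GetAlias().SiteId; // resolved from the request alias, not the body
        var user = _users.GetUser(identity.Username, siteId);
        if (user == null)
        {
            user = await _users.AddUser(new User { SiteId = siteId, Username = identity.Username,
                Email = identity.Email, DisplayName = identity.DisplayName, Password = RandomPassword() });
        }
        else
        {
            user.Email = identity.Email;
            user.DisplayName = identity.DisplayName;
            user = await _users.UpdateUser(user);
        }
        return user == null ? StatusCode(500) : Ok(new { user.UserId, user.Username });
    }
    // 256 bits from the CSPRNG; the suffix only satisfies character-class rules.
    private static string RandomPassword() => Convert.ToBase64String(RandomNumberGenerator.GetBytes(32)) + "aA1!";
}
```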