Use Sitefinity Identity server and ServiceStack to create protected services

Updated on 20.01.2022 for Sitefinity 14 compatibility

Sitefinity provides a convenient way for consuming its protected Odata services from external clients (3rd party services, mobile applications, etc.), but what about our custom services?

Recently I had to provide an API which will be consumed from mobile applications and only from authenticated users. The client uses Sitefinity 10.2 with OpenId authentication and I decided to leave the authentication and authorization to Sitefinity itself.

The first step is to configure the Identity Server for an external authentication. There is a nice documentation for this and includes code examples:

So far so good. I’ve added ServiceUtility.RequestBackendUserAuthentication(); to my service method, but unfortunately that doesn’t work. Even with successful authentication and a valid token, the user still was Anonymous for Sitefinity.
After almost whole day spent in JustDecompile finally I’ve found that the service’s route needed to be explicitly protected by SitefinityOpenIdConnectWebApiAuthenticationMiddleware.

For this you just need to create an Owin startup class and map the route there. 

! Don’t forget to add it to the <appSettings /> in web.config:

<add key="owin:appStartup" value="SitefinityWebApp.OwinStratup" />

NOTE: If your Sitefinity version is 14.0 and above and you are using the new Default authentication, please be sure to check the updated article.