Alternative authentication

Hi,
I have an endpoint returning a product image. The endpoint interface has [ Authorize, AuthorizeScopes( 'myscopes' ) ]

I don't want it to be open to the public, but I need to expose it to clients which access it using a token as a query parameter.
I tried to use jWtMiddleware.OnForbidRequest to set Forbid := False, but it had no effect.

Is there any other way than declaring another endpoint which always requires the token?

Hi @Mika_Koistinen, it's not clear to me what you want to achieve?

If you want the endpoint to be protected and accessible only to authenticated requests (requests providing a token via Authorization header), then indeed you should use the Authorize (or any other Authorize*) attribute.

If you want the endpoint to be public and accessible for everyone, then remove the attributes.

You can also control that behavior using the OnForbidRequest event indeed. Setting to False makes it public, setting to True makes it protected by a token.

You said both things. What exactly do you want?

Hi @wlandgraf,

The case is this.
A third-party service needs to access product pictures behind our XData server.
I have an endpoint which returns a product's picture and I'm sending URLs to the 3rd party service.
But the issue is that this third-party service doesn't support authentication while retrieving pictures,
so I could add a token to the URL and allow access if the token is valid.

But without that token normal bearer authentication should work.

So
Either
get ../pictures/1221?token=123456789abcdegh
or

get ../pictures/1221
authorization: Bearer eyJxxxxx

But not totally open.

I tried to use that OnForbidRequest, but it didn't work. I debugged and the event was triggered and it set Forbid to False, but after exiting the JWTMiddleware an unauthorized exception was raised.
These are my middlewares:
Module.AddMiddleware( TJwtMiddleware.Create( fjwtsecret ) );
Module.AddMiddleware( TCorsMiddleware.Create );
Module.AddMiddleware( TForwardMiddleware.Create );
Module.AddMiddleware( clm ); // Content Logger middleware
Module.AddMiddleware( TWebSocketMiddleware.Create );

I resolved this by making a 2nd endpoint. But I'm interested in why OnForbidRequest didn't have an effect.

Do I understand that you read a token directly from the URL in the OnForbidRequest event, and based on that you set it to False in JWT middleware?

If that's the case, it should work. Maybe send a small project reproducing the issue?

Other than this, the JWT middleware only accepts tokens in Authorization header, not in the query URL.
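
The either/or rule described in this thread (a token in the URL, or a normal bearer header, but never open access), as an added example in Python; it is not TMS XData code and not from any poster. It goes slightly beyond the thread by binding the URL token to one picture id and an expiry time, and `URL_KEY`, `verify_bearer` and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo key (assumption); keep it separate from the JWT signing secret.
URL_KEY = b"constructed-demo-key"


def make_url_token(picture_id, expires, key=URL_KEY):
    """Build '<expires>.<sig>' where sig = HMAC-SHA256(key, 'id:expires')."""
    msg = f"{picture_id}:{expires}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{expires}." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()


def url_token_ok(picture_id, token, now=None, key=URL_KEY):
    """True only if the token was issued for this picture and has not expired."""
    now = time.time() if now is None else now
    try:
        expires = int(token.split(".", 1)[0])
    except (ValueError, AttributeError):
        return False  # malformed, e.g. a bare static string
    expected = make_url_token(picture_id, expires, key)
    # Constant-time comparison on bytes; then check the expiry.
    same = hmac.compare_digest(expected.encode(), token.encode())
    return same and now < expires


def authorize_picture(picture_id, query, headers, verify_bearer, now=None):
    """Return 'bearer', 'url-token', or None (caller answers 401).

    verify_bearer is a hypothetical callable standing in for the JWT
    validation that the server's JWT middleware performs.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        # A presented but invalid bearer token fails closed; no fallback.
        return "bearer" if verify_bearer(auth[len("Bearer "):]) else None
    token = query.get("token")
    if token and url_token_ok(picture_id, token, now):
        return "url-token"
    return None  # neither credential: not open to the public
```

Because URLs end up in access logs and proxies, a token bound to a single picture and a short lifetime limits what a leaked link can fetch.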