Restrict access to certain API controllers in Swagger using Swashbuckle and ASP.NET Identity

asp.net asp.net-identity swagger swagger-ui swashbuckle
Mikhail Neverov picture Mikhail Neverov · Oct 16, 2015 · Viewed 13.1k times · Source

So, I started using Swagger. I'm absolutely in love with it's features, but I have some doubts on availability of all methods to public.

As far as I understood - all included in Swaschbuclke "auth" methods are actually about APIs itself, but I don't need help there - all of my APIs are protected by API id/key pair.

I would like to somehow utilise ASP.NET Identity (login system) to restrict access to API page (/swagger/ui/index).

Is there any way? Any methods in Swaschbuckle? Any routes/Identity hacks?

Any help is appreciated.

Edit 1: [ApiExplorerSettings(IgnoreApi = true)] attribute is not what I'm looking for - it restricts all the access to the methods, regardless of Identity.

Answer

Anthony Neace picture Anthony Neace · Oct 16, 2015

Concerning restricting exposure of individual APIs in your swagger documentation:

Swashbuckle 5.x:

Swashbuckle 5.x has a configuration option called IgnoreObsoleteActions (that you need to set; it isn't enabled by default) that will hide actions if they have the [Obsolete] attribute.

Example: Configuration

httpConfiguration
    .EnableSwagger(c =>
        {
            c.IgnoreObsoleteActions();
        });

More info available in the documentation.

Swashbuckle 4.1.x (or if you don't want to use the obsolete attribute):

Swashbuckle builds the swagger documentation on top of IApiExplorer. You should be able to add an attribute -- [ApiExplorerSettings(IgnoreApi = true)] -- to manage ApiExplorerSettings the controller class or individual controller methods to have the explorer (and subsequently, Swashbuckle) ignore them when generating the documentation.

Example: Individual actions

/// Ignore 'GetFoo' in documentation
public class FooBarController
{
    [ApiExplorerSettings(IgnoreApi = true)]
    public Bar GetFoo
    {
       ...
    }

    public Bar GetBar
    {
       ...
    }
}

Example: Controller classes

/// Ignore every controller method in FooBarController in documentation
[ApiExplorerSettings(IgnoreApi = true)]
public class FooBarController
{
    public Bar GetFoo
    {
       ...
    }

    public Bar GetBar
    {
       ...
    }
}

More details in this GitHub Issue. I've used this myself in Swashbuckle 4.1.x.

Related questions

How to get the current logged in user Id in ASP.NET Core

I've done this before with MVC5 using User.Identity.GetUserId() but that doesn't seem to work here. The User.Identity doesnt have the GetUserId() method I am using Microsoft.AspNet.Identity

Read More
How to get current user, and how to use User class in MVC5?

How can I get the id of the currently logged in user in MVC 5? I tried the StackOverflow suggestions, but they seem to be not for MVC 5. Also, what is the MVC 5 best practice of assigning stuff to the users? (…

Read More
ASP.NET Identity - HttpContext has no extension method for GetOwinContext

I have downloaded, and successfully ran the ASP.NET Identity sample from here: https://github.com/rustd/AspnetIdentitySample I am now in the middle of implementing the ASP.NET Identity framework in my project and have ran into a problem, …

Read More