@umbraco-cms/backoffice
    Preparing search index...

    Class UmbAuthContext

    This base provides the necessary for a class to become a context-api controller.

    Hierarchy (View Summary)

    Index

    Constructors

    constructor

    Properties

    _host isAuthorized isInitialized keepUserLoggedIn session$ timeoutSignal

    Accessors

    authorizationSignal controllerAlias

    Methods

    addEventListener addUmbController clearTokenStorage completeAuthorizationRequest configureClient consumeContext destroy dispatchEvent getAuthProviders getContext getHostElement getIsAuthorized getLatestToken getOpenApiConfiguration getPostLogoutRedirectUrl getRedirectUrl getServerUrl getUmbControllers hasUmbController hostConnected hostDisconnected isSessionValid linkLogin makeAuthorizationRequest makeRefreshTokenRequest observe provideContext removeEventListener removeUmbController removeUmbControllerByAlias setInitialized setInitialState signOut timeOut unlinkLogin validateToken

    Constructors

    Properties

    _host

    _host: UmbControllerHost
    isAuthorized: Observable<boolean> = ...

    Observable that emits true if the user is authorized, otherwise false.

    It will only emit when the authorization state changes.

    isInitialized: Observable<void> = ...

    Observable that emits true when the auth context is initialized.

    It will only emit once and then complete itself.

    keepUserLoggedIn: boolean

    Whether the server is configured to keep users logged in by auto-refreshing before session expiry. Provided by the backend via the keep-user-logged-in attribute on <umb-app>.

    session$: Observable<undefined | UmbAuthSession> = ...
    timeoutSignal: Observable<void> = ...

    Observable that acts as a signal and emits when the user has timed out, i.e. the token has expired. This can be used to show a timeout message to the user.

    It will emit once per second, so it can be used to trigger UI updates or other actions when the user has timed out.

    Accessors

    • get authorizationSignal(): Observable<void>

      Observable that acts as a signal for when the authorization state changes.

      Returns Observable<void>

      An observable that emits when the authorization state changes.

      Observe isAuthorized instead. Scheduled for removal in Umbraco 19.

      It will emit once per second, so it can be used to trigger UI updates or other actions when the authorization state changes.

    Methods

    • The addEventListener() method of the EventTarget interface sets up a function that will be called whenever the specified event is delivered to the target.

      MDN Reference

      Parameters

      • type: string
      • callback: null | EventListenerOrEventListenerObject
      • Optionaloptions: boolean | AddEventListenerOptions

      Returns void

    • Completes the login flow. This is called on the oauth_complete page to exchange the authorization code for tokens.

      Returns Promise<null | UmbTokenEndpointResponse>

      The token response timing, or null if no authorization was pending.

    • Configures a @hey-api/openapi-ts client for authenticated API calls. Sets baseUrl, credentials, auth header, and binds the default response interceptors (401 retry, error handling, notifications).

      Parameters

      • client: Client

        A @hey-api/openapi-ts client instance.

      Returns void

      const authContext = await this.getContext(UMB_AUTH_CONTEXT);
      authContext.configureClient(myClient);
      // Now myClient automatically includes auth headers and interceptors

    • The dispatchEvent() method of the EventTarget sends an Event to the object, (synchronously) invoking the affected event listeners in the appropriate order.

      MDN Reference

      Parameters

      • event: Event

      Returns boolean

    • Checks if the user is authorized. If Authorization is bypassed, the user is always authorized.

      Returns boolean

      True if the user is authorized, otherwise false.

    • Gets the latest token from the Management API. With cookie auth, this returns '[redacted]' — the real token is in the httpOnly cookie. If the session has expired, it will attempt a refresh first.

      Returns Promise<string>

      The latest token from the Management API

        const token = await authContext.getLatestToken();
        const result = await fetch('https://my-api.com', { headers: { Authorization: `Bearer ${token}` } });

      Use configureClient for @hey-api/openapi-ts clients or getOpenApiConfiguration for manual fetch calls. With cookie-based auth this always returns '[redacted]'. Scheduled for removal in Umbraco 19.

      UmbAuthContext

    • Get the default OpenAPI configuration, which is set up to communicate with the Management API.

      Returns UmbOpenApiConfiguration

      The default OpenAPI configuration

      This is useful if you want to communicate with your own resources generated by the @hey-api/openapi-ts library.

      UmbAuthContext

      const defaultOpenApi = authContext.getOpenApiConfiguration();
      client.setConfig({
        base: defaultOpenApi.base,
        auth: defaultOpenApi.token,
      });

    • Gets the post logout redirect url.

      Returns string

      The post logout redirect url, which is the backoffice path with the logout path appended.

    • Get the server url to the Management API.

      Returns string

      The server url to the Management API

      UmbAuthContext

      	const serverUrl = authContext.getServerUrl();
      	OpenAPI.BASE = serverUrl;

      Example: <caption></caption>

      	const config = authContext.getOpenApiConfiguration();
      	const result = await fetch(`${config.base}/umbraco/management/api/v1/my-resource`, {
      		credentials: config.credentials,
      		headers: { Authorization: `Bearer ${await config.token()}` },
      	});

    • Links the current user to the specified provider by redirecting to the link endpoint.

      Parameters

      • provider: string

        The provider to link to.

      Returns Promise<void>

    • Initiates the login flow.

      Parameters

      • identityProvider: string = 'Umbraco'

        The provider to use for login. Default is 'Umbraco'.

      • Optionalredirect: boolean

        If true, the user will be redirected to the login page.

      • OptionalusernameHint: string

        The username hint to use for login.

      • Optionalmanifest: ManifestAuthProvider

        The manifest for the registered provider.

      Returns Promise<void>

    • Attempts to refresh the token using Web Locks to prevent concurrent refresh requests.

      Returns Promise<boolean>

      True if the refresh was successful, otherwise false.

    • The removeEventListener() method of the EventTarget interface removes an event listener previously registered with EventTarget.addEventListener() from the target.

      MDN Reference

      Parameters

      • type: string
      • callback: null | EventListenerOrEventListenerObject
      • Optionaloptions: boolean | EventListenerOptions

      Returns void

    • Sets the auth context as initialized, which means that the auth context is ready to be used.

      Returns void

      This is used to let the app context know that the core module is ready, which means that the core auth providers are available.

    • Sets the initial state of the auth flow. First asks existing tabs for their session via BroadcastChannel. If no peer responds, falls back to a server refresh.

      Returns Promise<void>

    • Handles the case where the user has timed out, i.e. the token has expired. This will clear the token storage and set the user as unauthorized.

      Returns void

      UmbAuthContext

    • Unlinks the current user from the specified provider.

      Parameters

      • loginProvider: string
      • providerKey: string

      Returns Promise<boolean>

    • Forces a token refresh against the server (calls /token) and returns true if successful. Use this when you need to unconditionally refresh — e.g. session timeout keep-alive. For per-request token handling, prefer configureClient which skips the network call when the access token is still valid. Uses Web Locks to deduplicate concurrent refresh requests across tabs.

      Returns Promise<boolean>

      True if the refresh succeeded, otherwise false

      UmbAuthContext

    Settings

    Member Visibility

    On This Page

    Constructors
    Properties
    Accessors
    Methods