
How do I disable access to ASP.NET Core 8 web API identity methods?


I have an ASP.NET Core 8 web API. I have disabled Swagger documentation in production, but the endpoints shown below are still available for use. For example, I can still use the register endpoint in Postman even though I can't see the Swagger documentation.

The only endpoints that I need in production are login and refresh. Users do not create their own accounts or manage passwords. I don't see these endpoints in the code like the endpoints I have added in controllers. How can I prevent access to these endpoints in my production site?

[Swagger screenshot]


Solution

  • Somewhere in your code, you make a call to MapIdentityApi, which adds all identity endpoints and is not configurable. See the source code.

    You should get rid of your call to MapIdentityApi and copy the login and refresh endpoints from the source code mentioned above to your own controller or minimal API.
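
A sketch of the approach in the answer above, added here as an example (it is not code from the post and not the framework's own source): an extension method, hypothetically named MapLoginAndRefresh, that maps only /login and /refresh so that register, password-reset and account-management routes never exist in the app. It assumes Identity services are registered with AddIdentityApiEndpoints and that clients use bearer tokens; the cookie and two-factor branches of the built-in login are left out.

```csharp
// Assumes the ASP.NET Core Web SDK's implicit usings (Builder, Http, Routing).
using Microsoft.AspNetCore.Authentication.BearerToken;
using Microsoft.AspNetCore.Http.HttpResults;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.Data;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

public static class LoginRefreshEndpoints
{
    // Hypothetical helper. Call app.MapLoginAndRefresh<IdentityUser>() in place of
    // app.MapIdentityApi<IdentityUser>(); no other identity route is registered.
    public static RouteGroupBuilder MapLoginAndRefresh<TUser>(this IEndpointRouteBuilder endpoints)
        where TUser : class, new()
    {
        var group = endpoints.MapGroup("");

        group.MapPost("/login", async Task<Results<EmptyHttpResult, ProblemHttpResult>> (
            [FromBody] LoginRequest login, [FromServices] SignInManager<TUser> signInManager) =>
        {
            // Bearer tokens only. An account that requires two-factor sign-in does not
            // report Succeeded here, so it is rejected (fails closed).
            signInManager.AuthenticationScheme = IdentityConstants.BearerScheme;
            var result = await signInManager.PasswordSignInAsync(
                login.Email, login.Password, isPersistent: false, lockoutOnFailure: true);
            if (!result.Succeeded)
                return TypedResults.Problem(result.ToString(), statusCode: StatusCodes.Status401Unauthorized);
            // The bearer-token handler has already written the token response.
            return TypedResults.Empty;
        });

        group.MapPost("/refresh", async Task<Results<SignInHttpResult, ChallengeHttpResult>> (
            [FromBody] RefreshRequest request, [FromServices] SignInManager<TUser> signInManager,
            [FromServices] IOptionsMonitor<BearerTokenOptions> bearerOptions) =>
        {
            var protector = bearerOptions.Get(IdentityConstants.BearerScheme).RefreshTokenProtector;
            var ticket = protector.Unprotect(request.RefreshToken);
            // Reject tampered or expired refresh tokens, and tokens issued before the
            // user's security stamp last changed.
            if (ticket?.Properties?.ExpiresUtc is not { } expiresUtc ||
                TimeProvider.System.GetUtcNow() >= expiresUtc ||
                await signInManager.ValidateSecurityStampAsync(ticket.Principal) is not TUser user)
            {
                return TypedResults.Challenge();
            }
            var principal = await signInManager.CreateUserPrincipalAsync(user);
            return TypedResults.SignIn(principal, authenticationScheme: IdentityConstants.BearerScheme);
        });

        return group;
    }
}
```

After deploying, a POST to /register on the production host should return 404, which confirms the route is no longer mapped rather than merely hidden from Swagger.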