It is documented that the default required role is by default set to "contentapiread", so that is why you need to set it to "string.Empty".
Its documented there: https://world.episerver.com/documentation/developer-guides/content-delivery-api/getting-started/configuration/#MapRequiredRole
Yes, I get that.
But as you can see from my post above, setting
does not work when trying to allow anonymous access.
Which NuGet packages of content delivery API are you using?
I had an old project that was using 2.10.0 of EPiServer.ContentDeliveryApi.Cms and EPiServer.ContentDeliveryApi.Core with this config:
config.Default() .SetMinimumRoles(string.Empty) .SetMultiSiteFilteringEnabled(false) .SetRequiredRole("contentapiread") .SetSiteDefinitionApiEnabled(true) .SetIncludeNullValues(false) .SetIncludeMasterLanguage(false) .SetFlattenPropertyModel(true) .SetValidateTemplateForContentUrl(false);
And without setting access rights for "contentapiread" and it worked as documented (calling /api/episerver/v3/site and /api/episerver/v2.0/content/5/children)
Updated to EPiServer.ContentDeliveryApi.Cms 2.19.0 version and EPiServer.ContentDeliveryApi.Core 2.20.0 version, still worked the same.
If I remove the "SetMinimumRoles(string.Empty)", i will get episerver login in response.
Also note that I have not added the virtual role "contentapiread" to virtualRoles in episerver.framework section as instructed in the configuration guide, if I add it with mapping to only "webeditors" I will get empty array results when trying to get for example children of startpage. So by any chance have you added a virtual role?
What tool are you using to test the API? Postman?
I am using version 2.19.0. I have not added a virtual role, and I am using Postman.
So if you change your config to this - what happens then?
config.Default() .SetMinimumRoles(string.Empty) .SetSiteDefinitionApiEnabled(true);
Sorry took a bit long to answer (too good weather so had no time for computer ;) )
Anyways, tested with the above config you have and without any virtual roles defined.
Call to '/api/episerver/v3/site' from Postman (anonymous user) returns site definitions - OK.
Call to '/api/episerver/v2.0/content/5/children' from Postman (anonymous user) returns start page children - OK.
According to the documentation (https://world.episerver.com/documentation/developer-guides/content-delivery-api/getting-started/quick-start/) setting
should allow anonymous calls to the content delivery api.
I am testing this in an Alloy sample site, and I still get access denied.
But if I add .SetRequiredRole(string.Empty), which I though targeted commerce catalog, it works as expected.
Is the documentation outdated or am I missing something?