RE: Headless Delivery API only supports BASIC AUTH?
The documentation for the REST APIs states that the APIs can be accessed by logged-in users but trying to access one of the GET based APIs in the browser after logging in results in an "Access Forbidden" error.
It only seems to work in Postman/curl scenarios where I use BASIC AUTH to access the API.
Headless APIs support the same auth mechanism as the portal (OAuth, session, basic). The issue there is the CSRF check: either you disable it or pass the p_p_auth token. It's briefly explained here: https://portal.liferay.dev/docs/7-2/frameworks/-/knowledge_base/f/making-authenticated-rest-api-requests#using-cookie-authentication-or-making-requests-from-the-ui
Javier Gamarra:
Love it, thanks for the valuable information…
I don't think I follow why CSRF applies here unless I am missing something. But that's OK ...
I have logged into Liferay, and am sitting on the welcome page. I type the link to the Open API YAML spec endpoint. I receive an "Access Forbidden" error. Are you saying that's always going to fail that way without a token?
And then when I make a Liferay.Service() call in JavaScript, will it handle the token acquisition automatically?
In a new tab, it's going to fail unless you disable CSRF checks for URLs like /o/headless... or you propagate the p_p_auth token (that you already have). You are doing a request in a new tab and logged in, so the browser attaches the cookie identifier (so you are logged in) but it doesn't send any other headers, to avoid other sites trying to impersonate you.
If you want to call it from JS code you have to use fetch or a JS request library; Liferay.Service integrates with Java services but is not meant to be used with headless REST endpoints. You won't have to propagate anything because the request will be decorated automatically, because you will do it from a Liferay-loaded page (vs an API call directly).
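The difference between the new-tab request and a call made from a portal page, as an added example that is not part of the original thread or Liferay's own code. It assumes, following the linked Liferay documentation, that page scripts can read the CSRF token from `Liferay.authToken` and that the portal accepts it as a `p_auth` query parameter; the endpoint path, the token values and `simulateCsrfCheck` are constructed for illustration.

```javascript
// Added example. Assumptions: Liferay.authToken holds the CSRF token and the
// portal accepts it as ?p_auth=. Paths and token values are constructed.

// Build the URL and fetch() options for a same-origin headless GET.
function buildHeadlessRequest(path, authToken, origin) {
  // Only portal-relative paths: the token must never go to another host.
  if (typeof path !== 'string' || !path.startsWith('/o/')) {
    throw new Error('expected a portal-relative /o/... path');
  }
  const url = new URL(path, origin);
  if (authToken) {
    url.searchParams.set('p_auth', authToken);
  }
  return {
    url: url.toString(),
    options: {
      method: 'GET',
      credentials: 'same-origin', // session cookie is sent, but only same-origin
      headers: { Accept: 'application/json' },
    },
  };
}

// Constructed stand-in for the portal-side check described in the thread:
// the session cookie alone is refused, cookie plus matching token is accepted.
function simulateCsrfCheck(requestUrl, sessionToken) {
  const sent = new URL(requestUrl).searchParams.get('p_auth');
  return sent !== null && sent === sessionToken ? 200 : 403;
}

// Browser usage from a Liferay-rendered page (needs window, fetch, Liferay).
async function getFromPortalPage(path) {
  const { url, options } = buildHeadlessRequest(
    path, Liferay.authToken, window.location.origin);
  const response = await fetch(url, options);
  if (response.status === 403) {
    throw new Error('Forbidden: CSRF token missing or stale');
  }
  if (!response.ok) {
    throw new Error('Request failed with status ' + response.status);
  }
  return response.json();
}
```

Because the token travels in the query string here, keep such URLs out of links, bookmarks and logs.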