Make Login and Error Page properties in Restrict Public Access optional

[bjarnef]

In Restrict Public Access the Login Page and Error Page properties are required.
However with a headless setup these are not used, where we have LoginRedirectUrls and LogoutRedirectUrls.
https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/protected-content-in-the-delivery-api#enabling-member-authorization

Could these properties e.g. be hiddden/removed if DeliveryApi > MemberAuthorization > Enabled is true .. or another config to disable these?

[bjarnef]

It would be great if we could disable these via content via a setting, notification handler or perhaps it is possible via Angular interceptors in the legacy backoffice (Umbraco 13).

[Luuk1983]

I think you are wrong. The login redirect urls and the logout redirect urls are frontend Urls and not the backoffice URLs. When you want to login in a headless scenario, you need to be redirected to a login page on the Umbraco side (#17492 (comment)). When you call the authorize endpoint (https://{server-host}/umbraco/delivery/api/v1/security/member/authorize) it will return the login page you have specified in the backoffice. So this setting is not useless in all headless environments.

I do agree that it would be nice for them to be optional so if you want to do things differently, you don't NEED to set them.

[bjarnef]

Yes, and we use authorize endpoint and configuration mentioned here:
https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/protected-content-in-the-delivery-api#enabling-member-authorization

These properties are not relevant in our headless setup, but when content editors need to manage content/media protection for a lot of nodes for different member groups, this is tedious to manage 😅

Although in a the traditional MVC project it could be used to redirect to different login and error pages depending on e.g. B2C / B2B scenario, I have rarely seen it used. Typically it just redirect to a specific login page and error page (but typically it is probably preferred to redirect to current page / stay on page and show any errors).

Anyway this part hasn't change much since Umbraco v3/4.

Perhaps @leekelleher or @AndyButland has any thoughts on this?

[rammi987]

@bjarnef I absolute love your idea. I have a customer on a headless setup, where partial parts of the site is locked down. At the moment the restriction properties is just filled with random nodes, and for it have nothing to due with the authzitation, due to the OpenId configuration so it is just there to disturbed.

I think a appsetting.config to disabled the fields would be the best solution, then a developer active takes a choice of the login setup, to determine if there customer need to fill it or not.

[bjarnef]

While looking at migration of a project, it came to my mind if it would make sense to have the concept "partial protected content", where page itself it accessible and content partially - e.g. something often seen in online newspapers nowadays:
https://forum.umbraco.com/t/partial-protected-content/4334