Disable Auth in Development

Guide for disabling authentication in Elsa Server and Studio during development to simplify local testing and experimentation.

This guide explains how to disable authentication and authorization in Elsa Server and Studio for development and testing purposes only. Disabling authentication simplifies local development, prototyping, and learning Elsa without the complexity of setting up identity providers.

WARNING: NOT FOR PRODUCTION USE

Never deploy Elsa to production with authentication disabled. This would expose your workflow management APIs and allow anyone to:

View, create, modify, and delete workflows
Execute workflows with arbitrary payloads
Access sensitive workflow data and variables
Disrupt or manipulate running workflow instances

Always enable proper authentication and authorization before deploying to production environments.

When to Disable Authentication

Disabling authentication is appropriate for:

Local development: Testing workflows on your development machine
Learning Elsa: Exploring features without authentication complexity
Proof of concepts: Quick prototypes and demos
Integration tests: Automated testing without auth overhead
Docker Compose local stacks: Development containers on localhost

When NOT to Disable Authentication

Never disable authentication for:

Production deployments: Any environment accessible outside your local machine
Staging environments: Pre-production testing should mirror production security
Shared development environments: Multiple developers or accessible from network
Cloud deployments: Any deployment to AWS, Azure, GCP, or other cloud platforms
Kubernetes clusters: Even development clusters should have basic auth

Methods for Disabling Authentication

There are several approaches to disable authentication in Elsa, depending on your setup and requirements.

Method 1: Disable Endpoint Security (Simplest)

This is the easiest method and disables authentication for all Elsa API endpoints.

Program.cs:

using Elsa.Extensions;

var builder = WebApplication.CreateBuilder(args);

// ⚠️ DEVELOPMENT ONLY: Disable all endpoint security
if (builder.Environment.IsDevelopment())
{
    Elsa.Api.Common.Options.EndpointSecurityOptions.DisableSecurity();
}

builder.Services.AddElsa(elsa =>
{
    elsa
        .UseWorkflowManagement()
        .UseWorkflowRuntime()
        .UseWorkflowsApi()
        .UseHttp();
});

var app = builder.Build();

app.UseWorkflowsApi();
app.Run();

Key Points:

DisableSecurity() removes all authorization requirements from Elsa API endpoints
Wrap in if (builder.Environment.IsDevelopment()) to prevent accidental production use
No authentication middleware needed

Method 2: Bypass Authorization with AllowAnonymous

Configure authorization policies to allow all requests:

Program.cs:

using Elsa.Extensions;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

if (builder.Environment.IsDevelopment())
{
    // Allow all requests without authentication
    builder.Services.AddAuthorization(options =>
    {
        options.FallbackPolicy = new AuthorizationPolicyBuilder()
            .RequireAssertion(_ => true)  // Always allow
            .Build();
    });
}

builder.Services.AddElsa(elsa =>
{
    elsa
        .UseWorkflowManagement()
        .UseWorkflowRuntime()
        .UseWorkflowsApi();
});

var app = builder.Build();

// Still add middleware, but policy allows everything
app.UseAuthentication();
app.UseAuthorization();

app.UseWorkflowsApi();
app.Run();

Method 3: Disable Elsa Identity Module

If you've configured Elsa.Identity, you can disable it for development:

Program.cs:

using Elsa.Extensions;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddElsa(elsa =>
{
    // Don't call UseIdentity() or UseDefaultAuthentication() in development
    
    if (builder.Environment.IsProduction())
    {
        // Only enable identity in production
        elsa.UseIdentity(identity =>
        {
            identity.UseConfigurationBasedIdentityProvider();
        });
        elsa.UseDefaultAuthentication();
    }
    
    elsa
        .UseWorkflowManagement()
        .UseWorkflowRuntime()
        .UseWorkflowsApi();
});

var app = builder.Build();

// Only use auth middleware in production
if (builder.Environment.IsProduction())
{
    app.UseAuthentication();
    app.UseAuthorization();
}

app.UseWorkflowsApi();
app.Run();

Method 4: Configuration-Based Toggle

Use configuration files to toggle authentication:

appsettings.Development.json:

{
  "Elsa": {
    "Security": {
      "Enabled": false
    }
  }
}

appsettings.Production.json:

{
  "Elsa": {
    "Security": {
      "Enabled": true
    }
  }
}

Program.cs:

using Elsa.Extensions;

var builder = WebApplication.CreateBuilder(args);

var securityEnabled = builder.Configuration.GetValue<bool>("Elsa:Security:Enabled", true);

if (!securityEnabled)
{
    Elsa.Api.Common.Options.EndpointSecurityOptions.DisableSecurity();
}

builder.Services.AddElsa(elsa =>
{
    if (securityEnabled)
    {
        elsa
            .UseIdentity(identity =>
            {
                identity.UseConfigurationBasedIdentityProvider();
            })
            .UseDefaultAuthentication();
    }
    
    elsa
        .UseWorkflowManagement()
        .UseWorkflowRuntime()
        .UseWorkflowsApi();
});

var app = builder.Build();

if (securityEnabled)
{
    app.UseAuthentication();
    app.UseAuthorization();
}

app.UseWorkflowsApi();
app.Run();

Disabling Authentication in Elsa Studio

When disabling authentication in Elsa Server, you also need to configure Elsa Studio to not send authentication credentials.

Studio Configuration

Program.cs (Studio app):

using Elsa.Studio.Extensions;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRazorPages();
builder.Services.AddServerSideBlazor();

if (builder.Environment.IsDevelopment())
{
    // Disable Studio authorization checks
    builder.Services.AddElsaStudio(studio =>
    {
        studio.ConfigureHttpClient(options =>
        {
            options.BaseAddress = new Uri("https://localhost:5001");
            // No authentication configuration needed
        });
    });
    
    // Optional: Disable authorization on Studio pages
    builder.Services.Configure<Microsoft.AspNetCore.Components.Server.CircuitOptions>(options =>
    {
        options.DetailedErrors = true;
    });
}
else
{
    // Production: Enable authentication
    builder.Services.AddAuthentication(/* ... */);
    builder.Services.AddElsaStudio(studio =>
    {
        studio.ConfigureHttpClient(options =>
        {
            options.BaseAddress = new Uri("https://elsa-server.example.com");
        });
        // Configure authentication forwarding
    });
}

var app = builder.Build();

if (!builder.Environment.IsDevelopment())
{
    app.UseAuthentication();
    app.UseAuthorization();
}

app.MapBlazorHub();
app.MapFallbackToPage("/_Host");
app.Run();

Docker Compose Example

For local development with Docker Compose, disable authentication in both Server and Studio:

docker-compose.yml:

version: '3.8'

services:
  elsa-server:
    image: elsaworkflows/elsa-server:latest
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - Elsa__Security__Enabled=false
      - ConnectionStrings__PostgreSql=Host=postgres;Database=elsa;Username=elsa;Password=elsa123
    ports:
      - "5001:8080"
    depends_on:
      - postgres

  elsa-studio:
    image: elsaworkflows/elsa-studio-wasm:latest
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ElsaServer__Url=http://elsa-server:8080
    ports:
      - "5002:8080"
    depends_on:
      - elsa-server

  postgres:
    image: postgres:16
    environment:
      - POSTGRES_DB=elsa
      - POSTGRES_USER=elsa
      - POSTGRES_PASSWORD=elsa123
    volumes:
      - postgres-data:/var/lib/postgresql/data

volumes:
  postgres-data:

Testing with Disabled Authentication

Once authentication is disabled, you can access Elsa APIs directly:

Test API Access

# List workflow definitions (no auth header needed)
curl http://localhost:5001/elsa/api/workflow-definitions

# Create a workflow
curl -X POST http://localhost:5001/elsa/api/workflow-definitions \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Test Workflow",
    "publish": true
  }'

# Execute a workflow
curl -X POST http://localhost:5001/elsa/api/workflow-definitions/{id}/execute

Test Studio Access

Navigate to Studio in your browser:

http://localhost:5002/workflows

You should be able to:

View all workflows
Create and edit workflows
Execute workflows
View workflow instances

All without logging in.

Security Considerations for Development

Even with authentication disabled in development, follow these practices:

1. Restrict Network Access

Bind to localhost only:

var builder = WebApplication.CreateBuilder(args);

// Only listen on localhost in development
if (builder.Environment.IsDevelopment())
{
    builder.WebHost.UseUrls("http://localhost:5001", "https://localhost:5002");
}

Docker Compose (localhost only):

services:
  elsa-server:
    ports:
      - "127.0.0.1:5001:8080"  # Bind to localhost only

2. Use Separate Development Database

Never point development environments to production databases:

{
  "ConnectionStrings": {
    "ElsaDatabase": "Host=localhost;Database=elsa_dev;Username=dev_user;Password=dev_password"
  }
}

3. Firewall Rules

Ensure development machines have firewall rules blocking external access to Elsa ports.

4. Environment Checks

Always wrap disabled auth in environment checks:

if (builder.Environment.IsDevelopment())
{
    // Disable auth only in development
}

if (builder.Environment.IsProduction())
{
    // Always enable auth in production
    throw new InvalidOperationException("Authentication cannot be disabled in production");
}

Re-Enabling Authentication for Production

Before deploying to production, remove all authentication disabling code and enable proper security:

using Elsa.Extensions;

var builder = WebApplication.CreateBuilder(args);

// ✅ Always enable authentication for production
builder.Services.AddElsa(elsa =>
{
    elsa
        .UseIdentity(identity =>
        {
            identity.UseConfigurationBasedIdentityProvider();
        })
        .UseDefaultAuthentication()
        .UseWorkflowManagement()
        .UseWorkflowRuntime()
        .UseWorkflowsApi();
});

var app = builder.Build();

// ✅ Always use authentication middleware
app.UseAuthentication();
app.UseAuthorization();

app.UseWorkflowsApi();
app.Run();

For production authentication options, see:

Troubleshooting

Cause: Studio authorization is still enabled.

Fix: Ensure Studio is configured without authentication requirements:

builder.Services.AddElsaStudio(studio =>
{
    studio.ConfigureHttpClient(options =>
    {
        options.BaseAddress = new Uri("https://localhost:5001");
        // No authentication configuration - allows anonymous access
    });
});

Also verify that Elsa Server has disabled security (see Method 1 above).

API Returns 401 Unauthorized

Cause: UseAuthentication() or UseAuthorization() middleware is still active, or DisableSecurity() wasn't called.

Fix: Ensure you've disabled security before building the app:

Elsa.Api.Common.Options.EndpointSecurityOptions.DisableSecurity();
var app = builder.Build();

Cannot Access from Another Machine on Network

Cause: Application is bound to localhost only.

Fix (Development Only): Bind to all interfaces:

builder.WebHost.UseUrls("http://*:5001");

Only do this in isolated development networks. Never expose unauthenticated Elsa to the internet.

Next Steps

Learn Elsa: Explore Getting Started tutorials
Create Workflows: Build your first workflow with Elsa Studio
Enable Auth for Production: Follow Security & Authentication Guide
Integrate Identity: Set up External Identity Providers

Security & Authentication Guide - Comprehensive security configuration
External Identity Providers - Integrating with Azure AD, Auth0, etc.
Hosting Elsa in an Existing App - Integration guide
Blazor Dashboard Integration - Studio setup

Last Updated: 2025-12-02 Addresses Issues: #15

PreviousSecurity & Authentication NextExternal Identity Providers

Last updated 3 months ago

hashtagWhen to Disable Authentication

hashtagWhen NOT to Disable Authentication

hashtagMethods for Disabling Authentication

hashtagMethod 1: Disable Endpoint Security (Simplest)

hashtagMethod 2: Bypass Authorization with AllowAnonymous

hashtagMethod 3: Disable Elsa Identity Module

hashtagMethod 4: Configuration-Based Toggle

hashtagDisabling Authentication in Elsa Studio

hashtagStudio Configuration

hashtagDocker Compose Example

hashtagTesting with Disabled Authentication

hashtagTest API Access

hashtagTest Studio Access

hashtagSecurity Considerations for Development

hashtag1. Restrict Network Access

hashtag2. Use Separate Development Database

hashtag3. Firewall Rules

hashtag4. Environment Checks

hashtagRe-Enabling Authentication for Production

hashtagTroubleshooting

hashtagStudio Still Prompts for Login

hashtagAPI Returns 401 Unauthorized

hashtagCannot Access from Another Machine on Network

hashtagNext Steps

hashtagRelated Documentation

When to Disable Authentication

When NOT to Disable Authentication

Methods for Disabling Authentication

Method 1: Disable Endpoint Security (Simplest)

Method 2: Bypass Authorization with AllowAnonymous

Method 3: Disable Elsa Identity Module

Method 4: Configuration-Based Toggle

Disabling Authentication in Elsa Studio

Studio Configuration

Docker Compose Example

Testing with Disabled Authentication

Test API Access

Test Studio Access

Security Considerations for Development

1. Restrict Network Access

2. Use Separate Development Database

3. Firewall Rules

4. Environment Checks

Re-Enabling Authentication for Production

Troubleshooting

Studio Still Prompts for Login

API Returns 401 Unauthorized

Cannot Access from Another Machine on Network

Next Steps

Related Documentation