en https://world.optimizely.com/blogs/andreas-ylivainio-omvp/60Optimizely World https://world.optimizely.com/blogs/andreas-ylivainio-omvp/dates/2026/4/keycloak-authentication-with-optimizely-cms-12-and-.net-aspire <div class="highlight highlight-source-cs notranslate position-relative overflow-auto"> <p>This post walks through how to wire together Optimizely CMS 12, Keycloak and .NET Aspire to give you a single local development environment that handles both interactive browser login and machine-to-machine (M2M) API calls from the same ASP.NET Core application.<br /><br />For context read my previous blog post here: <a href="/link/dd8a24c82520401ca8bbe14ffbd3859d.aspx">Using Scalar with Optimizely CMS</a></p> <div class="markdown-heading"> <h3 class="heading-element">The source code for this blog post is available here: <a href="https://github.com/andreas-valtech/Aspire.OptimizelyContentDeliveryAuth/">andreas-valtech/Aspire.OptimizelyContentDeliveryAuth</a></h3> <h2 class="heading-element">How this project came about</h2> </div> <p>This started as an excuse to play with several things at once: Aspire, Keycloak, and OpenAI Codex &mdash; all things I wanted to get familiar with. Rather than building isolated toy demos, I wanted to see how they fit together while a real project was taking shape.</p> <p>While I was at it,&nbsp;<a href="https://www.avantibit.com/blog/avantibit-alloy-aspire-scaffold">Avantibit published a great post on combining Alloy with an Aspire scaffold</a>. That post is worth reading &mdash; it covers similar ground around Aspire and the Optimizely ecosystem. The difference here is that I was not specifically interested in DXP or CMS 13 for this scenario. My goal was narrower and more concrete: get CMS 12, SQL Server and Keycloak running in the same Aspire-orchestrated setup and make the authentication actually work end-to-end, both from a browser and from a machine client.</p> <p>OpenAI Codex helped shape the implementation and documentation as the project grew, which made it a practical experiment for that too.</p> <div class="markdown-heading"> <h2 class="heading-element">Why this combination?</h2> </div> <p>Running Optimizely CMS 12, a SQL Server database, and an identity provider side by side used to mean a lot of manual setup &mdash; standing up containers by hand, clicking through Keycloak's admin UI, and maintaining notes about which credentials to use. .NET Aspire solves the orchestration problem: a single&nbsp;<code>dotnet run</code>&nbsp;starts everything and injects connection strings and service URLs into the web application automatically.</p> <p>Keycloak fills the identity layer because it is a battle-tested, self-hostable OpenID Connect (OIDC) provider. With realm imports it also lets you version-control the entire identity configuration alongside the rest of the code &mdash; no clicking required after a fresh clone.</p> <hr /> <div class="markdown-heading"> <h2 class="heading-element">Repository structure</h2> </div> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"> <pre class="notranslate"><code>Aspire.OptimizelyContentDeliveryAuth.AppHost/ &larr; Aspire orchestrator AppHost.cs &larr; wires together SQL Server, Keycloak and the web app realm-export.json &larr; versioned Keycloak realm import openid-configuration.json &larr; static OIDC discovery doc for local dev Aspire.OptimizelyContentDeliveryAuth.Web/ &larr; Optimizely CMS 12 application Program.cs &larr; minimal hosting entry point Startup.cs &larr; authentication and CMS configuration UserInformationController.cs &larr; endpoints for login, logout and userinfo login.http &larr; test file for interactive login flow machine-to-machine.http &larr; test file for client credentials flow http-client.env.json &larr; shared variables for the .http test files </code></pre> <div class="zeroclipboard-container">&nbsp;</div> </div> <hr /> <div class="markdown-heading"> <h2 class="heading-element">Aspire orchestration</h2> </div> <p>The AppHost registers SQL Server, Keycloak, and the web project and wires them together so Aspire can inject service URLs as environment variables at startup:</p> <div class="highlight highlight-source-cs notranslate position-relative overflow-auto"> <pre><span class="pl-c">// Aspire.OptimizelyContentDeliveryAuth.AppHost/AppHost.cs</span> <span class="pl-k">var</span> <span class="pl-s1">builder</span> <span class="pl-c1">=</span> <span class="pl-s1">DistributedApplication</span><span class="pl-kos">.</span><span class="pl-en">CreateBuilder</span><span class="pl-kos">(</span><span class="pl-s1">args</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-k">var</span> <span class="pl-s1">sqlServer</span> <span class="pl-c1">=</span> <span class="pl-s1">builder</span><span class="pl-kos">.</span><span class="pl-en">AddSqlServer</span><span class="pl-kos">(</span><span class="pl-s">"sqlserver"</span><span class="pl-kos">)</span> <span class="pl-kos">.</span><span class="pl-en">WithDataVolume</span><span class="pl-kos">(</span><span class="pl-s">"aspireoptimizelycontentdeliveryauth-sql"</span><span class="pl-kos">)</span> <span class="pl-kos">.</span><span class="pl-en">WithLifetime</span><span class="pl-kos">(</span><span class="pl-s1">ContainerLifetime</span><span class="pl-kos">.</span><span class="pl-s1">Persistent</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-k">var</span> <span class="pl-s1">cmsDb</span> <span class="pl-c1">=</span> <span class="pl-s1">sqlServer</span><span class="pl-kos">.</span><span class="pl-en">AddDatabase</span><span class="pl-kos">(</span><span class="pl-s">"EPiServerDB"</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-k">var</span> <span class="pl-s1">keyCloakUsername</span> <span class="pl-c1">=</span> <span class="pl-s1">builder</span><span class="pl-kos">.</span><span class="pl-en">AddParameter</span><span class="pl-kos">(</span><span class="pl-s">"username"</span><span class="pl-kos">,</span> <span class="pl-s1">value</span><span class="pl-c1">:</span> <span class="pl-s">"admin"</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-k">var</span> <span class="pl-s1">keycloakPassword</span> <span class="pl-c1">=</span> <span class="pl-s1">builder</span><span class="pl-kos">.</span><span class="pl-en">AddParameter</span><span class="pl-kos">(</span><span class="pl-s">"password"</span><span class="pl-kos">,</span> <span class="pl-s1">value</span><span class="pl-c1">:</span> <span class="pl-s">"abc123"</span><span class="pl-kos">,</span> <span class="pl-s1">secret</span><span class="pl-c1">:</span> <span class="pl-c1">true</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-k">var</span> <span class="pl-s1">keycloak</span> <span class="pl-c1">=</span> <span class="pl-s1">builder</span><span class="pl-kos">.</span><span class="pl-en">AddKeycloak</span><span class="pl-kos">(</span><span class="pl-s">"keycloak"</span><span class="pl-kos">,</span> <span class="pl-c1">8080</span><span class="pl-kos">,</span> <span class="pl-s1">keyCloakUsername</span><span class="pl-kos">,</span> <span class="pl-s1">keycloakPassword</span><span class="pl-kos">)</span> <span class="pl-kos">.</span><span class="pl-en">WithLifetime</span><span class="pl-kos">(</span><span class="pl-s1">ContainerLifetime</span><span class="pl-kos">.</span><span class="pl-s1">Persistent</span><span class="pl-kos">)</span> <span class="pl-kos">.</span><span class="pl-en">WithDataVolume</span><span class="pl-kos">(</span><span class="pl-s">"aspireoptimizelycontentdeliveryauth-keycloak"</span><span class="pl-kos">)</span> <span class="pl-kos">.</span><span class="pl-en">WithRealmImport</span><span class="pl-kos">(</span><span class="pl-s">"realm-export.json"</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-s1">builder</span><span class="pl-kos">.</span><span class="pl-smi">AddProject</span><span class="pl-c1">&lt;</span><span class="pl-smi">Aspire_OptimizelyContentDeliveryAuth_Web</span><span class="pl-c1">&gt;</span><span class="pl-kos">(</span><span class="pl-s">"web"</span><span class="pl-kos">)</span> <span class="pl-kos">.</span><span class="pl-en">WithReference</span><span class="pl-kos">(</span><span class="pl-s1">cmsDb</span><span class="pl-kos">)</span> <span class="pl-kos">.</span><span class="pl-en">WithReference</span><span class="pl-kos">(</span><span class="pl-s1">keycloak</span><span class="pl-kos">)</span> <span class="pl-kos">.</span><span class="pl-en">WaitFor</span><span class="pl-kos">(</span><span class="pl-s1">keycloak</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-s1">builder</span><span class="pl-kos">.</span><span class="pl-en">Build</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">.</span><span class="pl-en">Run</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">;</span></pre> <div class="zeroclipboard-container">&nbsp;</div> </div> <p>Key points:</p> <ul> <li><code>WithRealmImport("realm-export.json")</code>&nbsp;tells Keycloak to import the realm configuration on first start, so no manual admin UI work is needed.</li> <li><code>WaitFor(keycloak)</code>&nbsp;ensures the web application only starts once Keycloak is healthy and has finished importing the realm.</li> <li><code>WithDataVolume</code>&nbsp;gives both containers a named Docker volume, making the data survive&nbsp;<code>dotnet run</code>&nbsp;restarts without re-initialisation.</li> </ul> <hr /> <div class="markdown-heading"> <h2 class="heading-element">Authentication configuration</h2> </div> <div class="markdown-heading"> <h3 class="heading-element">The challenge: supporting both browsers and API clients on the same endpoint</h3> </div> <p>A CMS application typically has browser users who log in interactively&nbsp;<em>and</em>&nbsp;back-end services that call APIs with a bearer token. ASP.NET Core's authentication middleware uses a single&nbsp;<em>default scheme</em>, which makes it awkward to support both styles.</p> <p>The solution is a&nbsp;<em>policy scheme</em>&nbsp;&mdash; a lightweight scheme that inspects each request and forwards it to the correct handler:</p> <div class="highlight highlight-source-cs notranslate position-relative overflow-auto"> <pre><span class="pl-c">// Aspire.OptimizelyContentDeliveryAuth.Web/Startup.cs</span> <span class="pl-s1">services</span><span class="pl-kos">.</span><span class="pl-en">AddAuthentication</span><span class="pl-kos">(</span>options <span class="pl-c1">=&gt;</span> <span class="pl-kos">{</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">DefaultScheme</span> <span class="pl-c1">=</span> <span class="pl-s">"smart"</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">DefaultAuthenticateScheme</span> <span class="pl-c1">=</span> <span class="pl-s">"smart"</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">DefaultChallengeScheme</span> <span class="pl-c1">=</span> <span class="pl-s1">OpenIdConnectDefaults</span><span class="pl-kos">.</span><span class="pl-s1">AuthenticationScheme</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">DefaultSignInScheme</span> <span class="pl-c1">=</span> <span class="pl-s1">CookieAuthenticationDefaults</span><span class="pl-kos">.</span><span class="pl-s1">AuthenticationScheme</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">DefaultSignOutScheme</span> <span class="pl-c1">=</span> <span class="pl-s1">CookieAuthenticationDefaults</span><span class="pl-kos">.</span><span class="pl-s1">AuthenticationScheme</span><span class="pl-kos">;</span> <span class="pl-kos">}</span><span class="pl-kos">)</span> <span class="pl-kos">.</span><span class="pl-en">AddPolicyScheme</span><span class="pl-kos">(</span><span class="pl-s">"smart"</span><span class="pl-kos">,</span> <span class="pl-s">"Bearer or cookie"</span><span class="pl-kos">,</span> options <span class="pl-c1">=&gt;</span> <span class="pl-kos">{</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">ForwardDefaultSelector</span> <span class="pl-c1">=</span> context <span class="pl-c1">=&gt;</span> <span class="pl-kos">{</span> <span class="pl-k">var</span> <span class="pl-s1">authorizationHeader</span> <span class="pl-c1">=</span> <span class="pl-s1">context</span><span class="pl-kos">.</span><span class="pl-s1">Request</span><span class="pl-kos">.</span><span class="pl-s1">Headers</span><span class="pl-kos">.</span><span class="pl-s1">Authorization</span><span class="pl-kos">.</span><span class="pl-en">ToString</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-k">return</span> <span class="pl-s1">authorizationHeader</span><span class="pl-kos">.</span><span class="pl-en">StartsWith</span><span class="pl-kos">(</span><span class="pl-s">"Bearer "</span><span class="pl-kos">,</span> <span class="pl-s1">StringComparison</span><span class="pl-kos">.</span><span class="pl-s1">OrdinalIgnoreCase</span><span class="pl-kos">)</span> <span class="pl-c1">?</span> <span class="pl-s1">JwtBearerDefaults</span><span class="pl-kos">.</span><span class="pl-s1">AuthenticationScheme</span> <span class="pl-c1">:</span> <span class="pl-s1">CookieAuthenticationDefaults</span><span class="pl-kos">.</span><span class="pl-s1">AuthenticationScheme</span><span class="pl-kos">;</span> <span class="pl-kos">}</span><span class="pl-kos">;</span> <span class="pl-kos">}</span><span class="pl-kos">)</span></pre> <div class="zeroclipboard-container">&nbsp;</div> </div> <p>When a request arrives the selector checks for a&nbsp;<code>Bearer</code>&nbsp;header:</p> <ul> <li><strong>Present</strong>&nbsp;&rarr; the request is forwarded to the JWT Bearer handler.</li> <li><strong>Absent</strong>&nbsp;&rarr; the request is forwarded to the Cookie handler, and if no valid cookie exists, the challenge triggers an OIDC redirect.</li> </ul> <div class="markdown-heading"> <h3 class="heading-element">JWT Bearer &mdash; for machine-to-machine clients</h3> </div> <div class="highlight highlight-source-cs notranslate position-relative overflow-auto"> <pre><span class="pl-kos">.</span><span class="pl-s1">AddJwtBearer</span><span class="pl-kos">(</span><span class="pl-s1">JwtBearerDefaults</span><span class="pl-kos">.</span><span class="pl-s1">AuthenticationScheme</span><span class="pl-kos">,</span> options <span class="pl-c1">=&gt;</span> <span class="pl-kos">{</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">SaveToken</span> <span class="pl-c1">=</span> <span class="pl-c1">true</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">Authority</span> <span class="pl-c1">=</span> <span class="pl-s1">authority</span><span class="pl-kos">;</span> <span class="pl-c">// http://localhost:8080/realms/optimizely</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">MetadataAddress</span> <span class="pl-c1">=</span> <span class="pl-s1">metadataAddress</span><span class="pl-kos">;</span> <span class="pl-c">// points to openid-configuration.json during local dev</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">MapInboundClaims</span> <span class="pl-c1">=</span> <span class="pl-c1">false</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">RequireHttpsMetadata</span> <span class="pl-c1">=</span> <span class="pl-c1">false</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">TokenValidationParameters</span> <span class="pl-c1">=</span> <span class="pl-k">new</span> <span class="pl-smi">TokenValidationParameters</span> <span class="pl-kos">{</span> <span class="pl-s1">ValidateAudience</span> <span class="pl-c1">=</span> <span class="pl-c1">false</span><span class="pl-kos">,</span> <span class="pl-s1">ValidateIssuer</span> <span class="pl-c1">=</span> <span class="pl-c1">true</span><span class="pl-kos">,</span> <span class="pl-s1">ValidIssuer</span> <span class="pl-c1">=</span> <span class="pl-s1">authority</span><span class="pl-kos">,</span> <span class="pl-s1">ValidateLifetime</span> <span class="pl-c1">=</span> <span class="pl-c1">true</span><span class="pl-kos">,</span> <span class="pl-s1">NameClaimType</span> <span class="pl-c1">=</span> <span class="pl-s">"preferred_username"</span><span class="pl-kos">,</span> <span class="pl-s1">RoleClaimType</span> <span class="pl-c1">=</span> <span class="pl-s">"roles"</span> <span class="pl-kos">}</span><span class="pl-kos">;</span> <span class="pl-kos">}</span><span class="pl-kos">)</span></pre> <div class="zeroclipboard-container">&nbsp;</div> </div> <p><code>MetadataAddress</code>&nbsp;points at a static&nbsp;<code>openid-configuration.json</code>&nbsp;file served locally instead of hitting Keycloak's own discovery endpoint. This makes local development more resilient to timing issues on container startup.</p> <div class="markdown-heading"> <h3 class="heading-element">Cookie + OIDC &mdash; for interactive browser users</h3> </div> <div class="highlight highlight-source-cs notranslate position-relative overflow-auto"> <pre><span class="pl-kos">.</span><span class="pl-s1">AddCookie</span><span class="pl-kos">(</span><span class="pl-s1">CookieAuthenticationDefaults</span><span class="pl-kos">.</span><span class="pl-s1">AuthenticationScheme</span><span class="pl-kos">,</span> options <span class="pl-c1">=&gt;</span> <span class="pl-kos">{</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">Cookie</span><span class="pl-kos">.</span><span class="pl-s1">HttpOnly</span> <span class="pl-c1">=</span> <span class="pl-c1">true</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">Cookie</span><span class="pl-kos">.</span><span class="pl-s1">IsEssential</span> <span class="pl-c1">=</span> <span class="pl-c1">true</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">Cookie</span><span class="pl-kos">.</span><span class="pl-s1">Name</span> <span class="pl-c1">=</span> <span class="pl-s">"Aspire.OptimizelyContentDeliveryAuth"</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">ExpireTimeSpan</span> <span class="pl-c1">=</span> <span class="pl-s1">TimeSpan</span><span class="pl-kos">.</span><span class="pl-en">FromHours</span><span class="pl-kos">(</span><span class="pl-c1">10</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">SlidingExpiration</span> <span class="pl-c1">=</span> <span class="pl-c1">false</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">Cookie</span><span class="pl-kos">.</span><span class="pl-s1">SecurePolicy</span> <span class="pl-c1">=</span> <span class="pl-s1">webHostingEnvironment</span><span class="pl-kos">.</span><span class="pl-en">IsDevelopment</span><span class="pl-kos">(</span><span class="pl-kos">)</span> <span class="pl-c1">?</span> <span class="pl-s1">CookieSecurePolicy</span><span class="pl-kos">.</span><span class="pl-s1">None</span> <span class="pl-c1">:</span> <span class="pl-s1">CookieSecurePolicy</span><span class="pl-kos">.</span><span class="pl-s1">Always</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">Events</span><span class="pl-kos">.</span><span class="pl-s1">OnRedirectToAccessDenied</span> <span class="pl-c1">=</span> ctx <span class="pl-c1">=&gt;</span> <span class="pl-kos">{</span> <span class="pl-s1">ctx</span><span class="pl-kos">.</span><span class="pl-s1">Response</span><span class="pl-kos">.</span><span class="pl-s1">StatusCode</span> <span class="pl-c1">=</span> <span class="pl-s1">StatusCodes</span><span class="pl-kos">.</span><span class="pl-s1">Status403Forbidden</span><span class="pl-kos">;</span> <span class="pl-k">return</span> <span class="pl-s1">Task</span><span class="pl-kos">.</span><span class="pl-s1">CompletedTask</span><span class="pl-kos">;</span> <span class="pl-kos">}</span><span class="pl-kos">;</span> <span class="pl-kos">}</span><span class="pl-kos">)</span> <span class="pl-kos">.</span><span class="pl-en">AddOpenIdConnect</span><span class="pl-kos">(</span><span class="pl-s1">OpenIdConnectDefaults</span><span class="pl-kos">.</span><span class="pl-s1">AuthenticationScheme</span><span class="pl-kos">,</span> options <span class="pl-c1">=&gt;</span> <span class="pl-kos">{</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">Authority</span> <span class="pl-c1">=</span> <span class="pl-s1">authority</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">MetadataAddress</span> <span class="pl-c1">=</span> <span class="pl-s1">metadataAddress</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">ClientId</span> <span class="pl-c1">=</span> <span class="pl-s1">interactiveClientId</span><span class="pl-kos">;</span> <span class="pl-c">// "optimizely-web"</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">ClientSecret</span> <span class="pl-c1">=</span> <span class="pl-s1">interactiveClientSecret</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">RequireHttpsMetadata</span> <span class="pl-c1">=</span> <span class="pl-c1">false</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">ResponseType</span> <span class="pl-c1">=</span> <span class="pl-s">"code"</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">UsePkce</span> <span class="pl-c1">=</span> <span class="pl-c1">true</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">SaveTokens</span> <span class="pl-c1">=</span> <span class="pl-c1">true</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">GetClaimsFromUserInfoEndpoint</span> <span class="pl-c1">=</span> <span class="pl-c1">true</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">MapInboundClaims</span> <span class="pl-c1">=</span> <span class="pl-c1">false</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">CallbackPath</span> <span class="pl-c1">=</span> <span class="pl-s">"/signin-oidc"</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">SignedOutCallbackPath</span> <span class="pl-c1">=</span> <span class="pl-s">"/signout-callback-oidc"</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">Scope</span><span class="pl-kos">.</span><span class="pl-en">Clear</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">Scope</span><span class="pl-kos">.</span><span class="pl-en">Add</span><span class="pl-kos">(</span><span class="pl-s">"openid"</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">Scope</span><span class="pl-kos">.</span><span class="pl-en">Add</span><span class="pl-kos">(</span><span class="pl-s">"profile"</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">Scope</span><span class="pl-kos">.</span><span class="pl-en">Add</span><span class="pl-kos">(</span><span class="pl-s">"email"</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-s1">TokenValidationParameters</span> <span class="pl-c1">=</span> <span class="pl-k">new</span> <span class="pl-smi">TokenValidationParameters</span> <span class="pl-kos">{</span> <span class="pl-s1">NameClaimType</span> <span class="pl-c1">=</span> <span class="pl-s">"preferred_username"</span><span class="pl-kos">,</span> <span class="pl-s1">RoleClaimType</span> <span class="pl-c1">=</span> <span class="pl-s">"roles"</span> <span class="pl-kos">}</span><span class="pl-kos">;</span> <span class="pl-kos">}</span><span class="pl-kos">)</span><span class="pl-kos">;</span></pre> <div class="zeroclipboard-container">&nbsp;</div> </div> <p>PKCE (<code>UsePkce = true</code>) is enabled to meet current security best practices for public and confidential clients alike.&nbsp;<code>GetClaimsFromUserInfoEndpoint = true</code>&nbsp;ensures that profile claims (name, email) are populated even when they are not included in the ID token directly.</p> <hr /> <div class="markdown-heading"> <h2 class="heading-element">The userinfo endpoint</h2> </div> <p>Both authentication paths land on the same controller action &mdash; the only thing that changes is whether the&nbsp;<code>ClaimsPrincipal</code>&nbsp;was populated from a cookie session or from a validated bearer token:</p> <div class="highlight highlight-source-cs notranslate position-relative overflow-auto"> <pre><span class="pl-c">// Aspire.OptimizelyContentDeliveryAuth.Web/UserInformationController.cs</span> <span class="pl-kos">[</span><span class="pl-c1">ApiController</span><span class="pl-kos">]</span> <span class="pl-k">public</span> <span class="pl-k">class</span> <span class="pl-smi">UserInformationController</span> <span class="pl-c1">:</span> <span class="pl-smi">Controller</span> <span class="pl-kos">{</span> <span class="pl-kos">[</span><span class="pl-c1">AllowAnonymous</span><span class="pl-kos">]</span> <span class="pl-kos">[</span><span class="pl-c1">Route</span><span class="pl-kos">(</span><span class="pl-s">"login"</span><span class="pl-kos">)</span><span class="pl-kos">]</span> <span class="pl-k">public</span> <span class="pl-s1">IActionResult</span> <span class="pl-en">Login</span><span class="pl-kos">(</span><span class="pl-kos">[</span><span class="pl-c1">FromQuery</span><span class="pl-kos">]</span> <span class="pl-smi">string</span> <span class="pl-s1">returnUrl</span> <span class="pl-c1">=</span> <span class="pl-s">"/userinfo"</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> <span class="pl-k">return</span> <span class="pl-s1">Challenge</span><span class="pl-kos">(</span> <span class="pl-k">new</span> <span class="pl-smi">AuthenticationProperties</span> <span class="pl-kos">{</span> <span class="pl-s1">RedirectUri</span> <span class="pl-c1">=</span> <span class="pl-s1">returnUrl</span> <span class="pl-kos">}</span><span class="pl-kos">,</span> <span class="pl-s1">OpenIdConnectDefaults</span><span class="pl-kos">.</span><span class="pl-s1">AuthenticationScheme</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-kos">}</span> <span class="pl-kos">[</span><span class="pl-c1">Authorize</span><span class="pl-kos">]</span> <span class="pl-kos">[</span><span class="pl-c1">HttpPost</span><span class="pl-kos">(</span><span class="pl-s">"logout"</span><span class="pl-kos">)</span><span class="pl-kos">]</span> <span class="pl-k">public</span> <span class="pl-s1">IActionResult</span> <span class="pl-en">Logout</span><span class="pl-kos">(</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> <span class="pl-k">return</span> <span class="pl-s1">SignOut</span><span class="pl-kos">(</span> <span class="pl-k">new</span> <span class="pl-smi">AuthenticationProperties</span> <span class="pl-kos">{</span> <span class="pl-s1">RedirectUri</span> <span class="pl-c1">=</span> <span class="pl-s">"/"</span> <span class="pl-kos">}</span><span class="pl-kos">,</span> <span class="pl-s1">CookieAuthenticationDefaults</span><span class="pl-kos">.</span><span class="pl-s1">AuthenticationScheme</span><span class="pl-kos">,</span> <span class="pl-s1">OpenIdConnectDefaults</span><span class="pl-kos">.</span><span class="pl-s1">AuthenticationScheme</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-kos">}</span> <span class="pl-kos">[</span><span class="pl-c1">Authorize</span><span class="pl-kos">]</span> <span class="pl-kos">[</span><span class="pl-c1">Route</span><span class="pl-kos">(</span><span class="pl-s">"userinfo"</span><span class="pl-kos">)</span><span class="pl-kos">]</span> <span class="pl-k">public</span> <span class="pl-s1">IActionResult</span> <span class="pl-en">Get</span><span class="pl-kos">(</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> <span class="pl-k">return</span> <span class="pl-k">new</span> <span class="pl-smi">JsonResult</span><span class="pl-kos">(</span><span class="pl-k">new</span> <span class="pl-kos">{</span> <span class="pl-s1">User</span><span class="pl-kos">.</span><span class="pl-s1">Identity</span><span class="pl-c1">?</span><span class="pl-kos">.</span><span class="pl-s1">Name</span><span class="pl-kos">,</span> <span class="pl-s1">AuthenticationType</span> <span class="pl-c1">=</span> <span class="pl-s1">User</span><span class="pl-kos">.</span><span class="pl-s1">Identity</span><span class="pl-c1">?</span><span class="pl-kos">.</span><span class="pl-s1">AuthenticationType</span><span class="pl-kos">,</span> <span class="pl-s1">Claims</span> <span class="pl-c1">=</span> <span class="pl-s1">User</span><span class="pl-kos">.</span><span class="pl-s1">Claims</span><span class="pl-kos">.</span><span class="pl-en">Select</span><span class="pl-kos">(</span>c <span class="pl-c1">=&gt;</span> <span class="pl-k">new</span> <span class="pl-kos">{</span> <span class="pl-s1">c</span><span class="pl-kos">.</span><span class="pl-s1">Type</span><span class="pl-kos">,</span> <span class="pl-s1">c</span><span class="pl-kos">.</span><span class="pl-s1">Value</span> <span class="pl-kos">}</span><span class="pl-kos">)</span> <span class="pl-kos">}</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-kos">}</span> <span class="pl-kos">}</span></pre> <div class="zeroclipboard-container">&nbsp;</div> </div> <p>The&nbsp;<code>[Authorize]</code>&nbsp;attribute on&nbsp;<code>Get()</code>&nbsp;is enough &mdash; the policy scheme handles routing to the right handler, and both eventually resolve a&nbsp;<code>ClaimsPrincipal</code>&nbsp;that satisfies the authorization requirement.</p> <hr /> <div class="markdown-heading"> <h2 class="heading-element">Interactive login flow</h2> </div> <div class="markdown-heading"> <h3 class="heading-element">How it works</h3> </div> <ol> <li>The browser opens&nbsp;<code>/login</code>.</li> <li>The&nbsp;<code>Login</code>&nbsp;action calls&nbsp;<code>Challenge</code>&nbsp;with the OIDC scheme, redirecting the browser to Keycloak's authorization endpoint.</li> <li>The user enters their credentials in Keycloak's login page.</li> <li>Keycloak redirects back to&nbsp;<code>/signin-oidc</code>&nbsp;with an authorization code.</li> <li>The OIDC middleware exchanges the code for tokens, fetches user info, builds the&nbsp;<code>ClaimsPrincipal</code>&nbsp;and issues a cookie.</li> <li>The browser is redirected to the original&nbsp;<code>returnUrl</code>&nbsp;(defaults to&nbsp;<code>/userinfo</code>).</li> </ol> <div class="markdown-heading"> <h3 class="heading-element">Test it with&nbsp;<code>login.http</code></h3> </div> <div class="highlight highlight-source-httpspec notranslate position-relative overflow-auto"> <pre><span class="pl-ii">@env = dev</span> <span class="pl-ii">### Interactive login through the web app</span> <span class="pl-ii"># Open this request in a browser. The app will challenge with OIDC</span> <span class="pl-ii"># and then redirect back to /userinfo.</span> <span class="pl-k">GET</span> {{<span class="pl-ii">web_base_url</span>}}<span class="pl-ii">/login?returnUrl=%2Fuserinfo</span> <span class="pl-ii">### Read user information from the authenticated browser session</span> <span class="pl-k">GET</span> {{<span class="pl-ii">web_base_url</span>}}<span class="pl-ii">/userinfo</span></pre> <div class="zeroclipboard-container">&nbsp;</div> </div> <p>Variables (<code>http-client.env.json</code>):</p> <div class="highlight highlight-source-json notranslate position-relative overflow-auto"> <pre>{ <span class="pl-ent">"dev"</span>: { <span class="pl-ent">"web_base_url"</span>: <span class="pl-s"><span class="pl-pds">"</span>https://localhost:5000<span class="pl-pds">"</span></span> } }</pre> <div class="zeroclipboard-container">&nbsp;</div> </div> <p>Demo credentials (local development only):</p> <ul> <li><strong>Username:</strong>&nbsp;<code>editor</code></li> <li><strong>Password:</strong>&nbsp;<code>Passw0rd!</code></li> </ul> <p>A successful response from&nbsp;<code>/userinfo</code>&nbsp;looks like:</p> <div class="highlight highlight-source-json notranslate position-relative overflow-auto"> <pre>{ <span class="pl-ent">"name"</span>: <span class="pl-s"><span class="pl-pds">"</span>editor<span class="pl-pds">"</span></span>, <span class="pl-ent">"authenticationType"</span>: <span class="pl-s"><span class="pl-pds">"</span>Cookies<span class="pl-pds">"</span></span>, <span class="pl-ent">"claims"</span>: [ { <span class="pl-ent">"type"</span>: <span class="pl-s"><span class="pl-pds">"</span>preferred_username<span class="pl-pds">"</span></span>, <span class="pl-ent">"value"</span>: <span class="pl-s"><span class="pl-pds">"</span>editor<span class="pl-pds">"</span></span> }, { <span class="pl-ent">"type"</span>: <span class="pl-s"><span class="pl-pds">"</span>email<span class="pl-pds">"</span></span>, <span class="pl-ent">"value"</span>: <span class="pl-s"><span class="pl-pds">"</span>editor@example.com<span class="pl-pds">"</span></span> } ] }</pre> <div class="zeroclipboard-container">&nbsp;</div> </div> <hr /> <div class="markdown-heading"> <h2 class="heading-element">Machine-to-machine (client credentials) flow</h2> </div> <div class="markdown-heading"> <h3 class="heading-element">How it works</h3> </div> <ol> <li>A service (or a developer testing with an HTTP client) requests an access token directly from Keycloak using the&nbsp;<code>client_credentials</code>&nbsp;grant.</li> <li>Keycloak validates the client ID and secret and returns a JWT access token.</li> <li>The service calls&nbsp;<code>GET /userinfo</code>&nbsp;with an&nbsp;<code>Authorization: Bearer &lt;token&gt;</code>&nbsp;header.</li> <li>The policy scheme detects the&nbsp;<code>Bearer</code>&nbsp;prefix and forwards authentication to the JWT Bearer handler.</li> <li>The handler validates the token signature, issuer and lifetime, then builds the&nbsp;<code>ClaimsPrincipal</code>&nbsp;from the token's claims.</li> </ol> <div class="markdown-heading"> <h3 class="heading-element">Test it with&nbsp;<code>machine-to-machine.http</code></h3> </div> <div class="highlight highlight-source-httpspec notranslate position-relative overflow-auto"> <pre><span class="pl-ii">@env = dev</span> <span class="pl-ii">### Step 1 &mdash; Request a client credentials token from Keycloak</span> <span class="pl-k">POST</span> {{<span class="pl-ii">keycloak_base_url</span>}}<span class="pl-ii">/token</span> <span class="pl-s"><span class="pl-v">Content-Type:</span> application/x-www-form-urlencoded</span> <span class="pl-ii">grant_type=client_credentials&amp;</span> <span class="pl-ii">client_id={{machine_client_id}}&amp;</span> <span class="pl-ii">client_secret={{machine_client_secret}}</span> <span class="pl-ii">### Step 2 &mdash; Call the userinfo endpoint with the bearer token</span> <span class="pl-k">GET</span> {{<span class="pl-ii">web_base_url</span>}}<span class="pl-ii">/userinfo</span> <span class="pl-s"><span class="pl-v">Authorization:</span> Bearer {{access_token}}</span></pre> <div class="zeroclipboard-container">&nbsp;</div> </div> <p>Variables (<code>http-client.env.json</code>):</p> <div class="highlight highlight-source-json notranslate position-relative overflow-auto"> <pre>{ <span class="pl-ent">"dev"</span>: { <span class="pl-ent">"web_base_url"</span>: <span class="pl-s"><span class="pl-pds">"</span>https://localhost:5000<span class="pl-pds">"</span></span>, <span class="pl-ent">"keycloak_base_url"</span>: <span class="pl-s"><span class="pl-pds">"</span>http://localhost:8080/realms/optimizely/protocol/openid-connect<span class="pl-pds">"</span></span>, <span class="pl-ent">"machine_client_id"</span>: <span class="pl-s"><span class="pl-pds">"</span>optimizely-api<span class="pl-pds">"</span></span>, <span class="pl-ent">"machine_client_secret"</span>: <span class="pl-s"><span class="pl-pds">"</span>&lt;see realm-export.json&gt;<span class="pl-pds">"</span></span> } }</pre> <div class="zeroclipboard-container">&nbsp;</div> </div> <blockquote> <p><strong>Note:</strong>&nbsp;If your HTTP client does not automatically capture&nbsp;<code>access_token</code>&nbsp;from the first response, copy the token value manually into the&nbsp;<code>Authorization</code>&nbsp;header of the second request.</p> </blockquote> <p>A successful response from&nbsp;<code>/userinfo</code>&nbsp;looks like:</p> <div class="highlight highlight-source-json notranslate position-relative overflow-auto"> <pre>{ <span class="pl-ent">"name"</span>: <span class="pl-s"><span class="pl-pds">"</span>service-account-optimizely-api<span class="pl-pds">"</span></span>, <span class="pl-ent">"authenticationType"</span>: <span class="pl-s"><span class="pl-pds">"</span>Bearer<span class="pl-pds">"</span></span>, <span class="pl-ent">"claims"</span>: [ { <span class="pl-ent">"type"</span>: <span class="pl-s"><span class="pl-pds">"</span>preferred_username<span class="pl-pds">"</span></span>, <span class="pl-ent">"value"</span>: <span class="pl-s"><span class="pl-pds">"</span>service-account-optimizely-api<span class="pl-pds">"</span></span> }, { <span class="pl-ent">"type"</span>: <span class="pl-s"><span class="pl-pds">"</span>azp<span class="pl-pds">"</span></span>, <span class="pl-ent">"value"</span>: <span class="pl-s"><span class="pl-pds">"</span>optimizely-api<span class="pl-pds">"</span></span> } ] }</pre> <div class="zeroclipboard-container">&nbsp;</div> </div> <hr /> <div class="markdown-heading"> <h2 class="heading-element">Keycloak realm configuration</h2> </div> <p>The realm is fully version-controlled in&nbsp;<code>realm-export.json</code>. On first start, Keycloak imports this file automatically &mdash; no admin UI setup is needed. The realm contains:</p> <table> <thead> <tr> <th>Resource</th> <th>Type</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>optimizely-web</code></td> <td>Public OIDC client</td> <td>Interactive browser login via PKCE authorization code flow</td> </tr> <tr> <td><code>optimizely-api</code></td> <td>Confidential client</td> <td>Machine-to-machine token requests via client credentials grant</td> </tr> <tr> <td><code>editor</code></td> <td>User</td> <td>Demo account for testing interactive login locally</td> </tr> </tbody> </table> <div class="markdown-heading"> <h3 class="heading-element"><code>optimizely-web</code>&nbsp;&mdash; public client</h3> </div> <ul> <li><strong>Grant type:</strong>&nbsp;Authorization code with PKCE</li> <li><strong>Redirect URI:</strong>&nbsp;<code>https://localhost:5000/signin-oidc</code></li> <li><strong>Post-logout redirect URI:</strong>&nbsp;<code>https://localhost:5000/signout-callback-oidc</code></li> <li><strong>Web origins:</strong>&nbsp;<code>https://localhost:5000</code></li> </ul> <div class="markdown-heading"> <h3 class="heading-element"><code>optimizely-api</code>&nbsp;&mdash; confidential client</h3> </div> <ul> <li><strong>Grant type:</strong>&nbsp;Client credentials</li> <li><strong>Service accounts enabled:</strong>&nbsp;yes</li> <li><strong>Secret:</strong>&nbsp;stored in&nbsp;<code>realm-export.json</code>&nbsp;and referenced in&nbsp;<code>http-client.env.json</code></li> </ul> <blockquote> <p><strong>Security note:</strong>&nbsp;The credentials in&nbsp;<code>realm-export.json</code>,&nbsp;<code>http-client.env.json</code>&nbsp;and&nbsp;<code>AppHost.cs</code>&nbsp;are intentionally hardcoded for local development convenience. They exist only to make the setup reproducible on a fresh clone. Never use these values in a shared, public, or production-adjacent environment. Replace passwords and client secrets with strong, unique values if you expose the environment beyond your local machine.</p> </blockquote> <hr /> <div class="markdown-heading"> <h2 class="heading-element">Prerequisites</h2> </div> <table> <thead> <tr> <th>Requirement</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>.NET 10 SDK</td> <td>Required by the&nbsp;<code>AppHost</code>&nbsp;project and Aspire tooling. Aspire's orchestration APIs target .NET 10.</td> </tr> <tr> <td>.NET 8 SDK</td> <td>Required by the&nbsp;<code>Web</code>&nbsp;project. Optimizely CMS 12 targets .NET 8, so both SDKs must be installed side by side.</td> </tr> <tr> <td>Docker Desktop</td> <td>For SQL Server and Keycloak containers</td> </tr> <tr> <td>ASP.NET Core HTTPS dev certificate</td> <td>Run&nbsp;<code>dotnet dev-certs https --trust</code>&nbsp;if not already trusted</td> </tr> </tbody> </table> <div class="markdown-heading"> <h2 class="heading-element">Starting the solution</h2> </div> <p>From the repository root:</p> <div class="highlight highlight-source-powershell notranslate position-relative overflow-auto"> <pre>dotnet run <span class="pl-k">--</span>project .\Aspire.OptimizelyContentDeliveryAuth.AppHost</pre> <div class="zeroclipboard-container">&nbsp;</div> </div> <p>Aspire starts SQL Server, Keycloak and the web application in the right order. The Aspire dashboard (<a href="http://localhost:15888/">http://localhost:15888</a>&nbsp;by default) shows the status of all resources and aggregates their logs.</p> <hr /> <div class="markdown-heading"> <h2 class="heading-element">Troubleshooting</h2> </div> <p><strong>Keycloak ignores the realm import</strong>&nbsp;Containers use persistent volumes, so stale state from a previous run may survive restarts. Remove the named Keycloak volume (<code>aspireoptimizelycontentdeliveryauth-keycloak</code>) in Docker Desktop or via&nbsp;<code>docker volume rm</code>&nbsp;and restart the AppHost.</p> <p><strong>Login redirects to the wrong URL</strong>&nbsp;Verify that the web application is running on&nbsp;<code>https://localhost:5000</code>&nbsp;and that the&nbsp;<code>optimizely-web</code>&nbsp;client in Keycloak still lists&nbsp;<code>https://localhost:5000/signin-oidc</code>&nbsp;as an allowed redirect URI.</p> <p><strong>Bearer token is rejected</strong>&nbsp;Confirm that the token was issued by the&nbsp;<code>optimizely</code>&nbsp;realm (check the&nbsp;<code>iss</code>&nbsp;claim) and that you requested it using the&nbsp;<code>optimizely-api</code>&nbsp;client with the&nbsp;<code>client_credentials</code> grant.</p> </div> https://world.optimizely.com/blogs/andreas-ylivainio-omvp/dates/2026/4/keycloak-authentication-with-optimizely-cms-12-and-.net-aspire Mon, 13 Apr 2026 07:35:45 GMT Blog post https://world.optimizely.com/blogs/andreas-ylivainio-omvp/dates/2026/2/using-scalar-with-optimizely-cms-in-.net-8 <h3>OpenAPI, Content Delivery API, and Modern API Documentation</h3> <p>Modern Optimizely CMS solutions are increasingly API-first. Whether you are building a headless frontend, integrating external services, or exposing internal platform APIs, having <strong>clear and discoverable API contracts</strong> is essential. With .NET 8, this becomes even more relevant, as the way API documentation is handled has subtly but importantly changed.</p> <p>This article shows how to combine <strong>OpenAPI</strong>, <strong>Scalar</strong>, and <strong>Optimizely CMS</strong> to create a clean, future-proof API documentation setup. We&rsquo;ll look at custom APIs, Optimizely Content Delivery, and how everything fits together in a single developer-friendly UI.</p> <p>A complete working example is available here:<br /><a class="decorated-link" title="Optimizely Scalar Content Delivery" href="https://github.com/andreas-valtech/OptimizelyScalarContentDelivery/">github.com/andreas-valtech/OptimizelyScalarContentDelivery</a></p> <hr /> <h2>Swagger UI, .NET 8, and What Actually Changed</h2> <p>When upgrading to .NET 8+, many teams notice that Swagger UI no longer appears automatically in new ASP.NET Core projects. This can feel like something has been removed, but in practice it reflects a deliberate architectural shift.</p> <p>In recent ASP.NET Core versions, Microsoft has separated <strong>OpenAPI document generation</strong> from <strong>API documentation user interfaces</strong>. The framework now focuses on producing a standards-compliant OpenAPI specification, while leaving the choice of UI entirely up to the application. Swagger UI is still fully supported via libraries such as Swashbuckle, but it is no longer assumed to be the default.</p> <p>This separation reinforces an important idea: <strong>OpenAPI is the contract, not the UI</strong>. Once that contract exists, it can be rendered using Swagger UI, Scalar, or any other compatible tool. For Optimizely CMS solutions&mdash;where custom APIs, content delivery, search, and external integrations often live side by side&mdash;this flexibility is a clear advantage.</p> <hr /> <h2>Generating OpenAPI in .NET 8</h2> <p>Swashbuckle remains the most common way to generate OpenAPI documents in ASP.NET Core.</p> <p>After adding the <code>Swashbuckle.AspNetCore</code> package, you can configure OpenAPI generation directly in <code>Startup.cs</code>:</p> <pre><code>public class Startup(IWebHostEnvironment webHostingEnvironment) { public void ConfigureServices(IServiceCollection services) {<br /> ... services.</code><code>AddCms(); // Content Delivery API services.AddContentDeliveryApi(options =&gt; { options.SiteDefinitionApiEnabled = true; }); // Content Delivery Search API services.AddContentSearchApi(options =&gt; { options.MaximumSearchResults = 10; }); // Swashbuckle services.AddEndpointsApiExplorer(); services.AddSwaggerGen(); } public void Configure(IApplicationBuilder app, IWebHostEnvironment env) { ... app.UseSwagger(); app.UseSwaggerUI(); app.UseEndpoints(endpoints =&gt; { endpoints.MapContent(); // Maps both Content Delivery API and Commerce Content Delivery API endpoints.MapSwagger("/openapi/{documentName}.json", options =&gt; { options.OpenApiVersion = OpenApiSpecVersion.OpenApi3_1; }); endpoints.MapScalarApiReference(options =&gt; { options.WithTitle("Alloy Example API"); }); }); } }</code></pre> <p>At this stage, it is worth clarifying what is happening in the pipeline. The <code>MapSwagger()</code> call comes from Microsoft&rsquo;s OpenAPI support in ASP.NET Core and is responsible for exposing the generated OpenAPI document as JSON. It does not provide any user interface. Scalar is added separately and uses its <code>MapScalarApiReference()</code> extension method to build an API documentation UI on top of that contract. This includes all API controllers defined in the application, as well as any external OpenAPI (swagger.json) documents added to the project, such as those provided by Optimizely or other services. In this way, ASP.NET Core owns the generation of the OpenAPI specification, while Scalar is responsible for presenting both internal and external APIs in a single, unified view.</p> <hr /> <h2>Scalar as the API Documentation UI</h2> <p>Scalar is a modern OpenAPI UI that consumes the same OpenAPI JSON but presents it in a cleaner, faster, and more developer-focused way. Because Scalar only depends on the OpenAPI specification, it fits perfectly with the direction ASP.NET Core has taken.<br /><br />To set up scalar you can follow their getting started guide for ASP.NET Core here: <a href="https://scalar.com/products/api-references/integrations/aspnetcore/integration">https://scalar.com/products/api-references/integrations/aspnetcore/integration</a> or use my linked GitHub project for reference.</p> <p>Once Scalar is wired up, it automatically renders everything described in your OpenAPI document, including custom controllers, schemas, and authentication definitions.</p> <p>To confirm everything works, a simple controller is enough:</p> <pre><code> [ApiController] [Route("api/hello")] public class HelloController : ControllerBase { [HttpGet] public IActionResult Get() =&gt; Ok(new { message = "Hello from Optimizely + Scalar" }); } </code></pre> <p><br />This endpoint is auto-discovered, included in the OpenAPI document, and immediately visible in Scalar without any additional configuration.</p> <hr /> <h2>Bringing in Optimizely Content Delivery API</h2> <p>Optimizely provides official OpenAPI (swagger.json) definitions for its Content Delivery APIs. These can be downloaded from the Optimizely developer documentation:</p> <p><a class="decorated-link" href="https://docs.developers.optimizely.com/content-management-system/v1.5.0-content-delivery-api/reference/content-delivery-class-libraries-and-apis">https://docs.developers.optimizely.com/content-management-system/v1.5.0-content-delivery-api/reference/content-delivery-class-libraries-and-apis</a></p> <p>By adding these JSON files directly to your project and serving them as static OpenAPI documents, Scalar can display Optimizely&rsquo;s APIs alongside your own. This creates a single API surface where frontend and integration developers can explore both custom endpoints and content delivery endpoints in one place.</p> <p>The Content Delivery API is central to headless Optimizely solutions, exposing pages, blocks, and content structures as JSON. Documenting it explicitly makes content contracts clearer and reduces friction between backend and frontend teams.</p> <hr /> <h2>Content Management and Content Search APIs</h2> <p>In addition to content delivery, Optimizely&rsquo;s Content Management and Content Search APIs are often part of larger integrations and automation workflows. Including their OpenAPI definitions in the same documentation UI improves internal developer experience and makes search queries, filters, and response structures easier to reason about.</p> <p>Scalar handles multiple OpenAPI documents well, which makes it suitable as a lightweight internal API portal for Optimizely-based platforms.</p> <hr /> <h2>External APIs and a Unified API View</h2> <p>Many Optimizely solutions integrate with external services such as commerce platforms, DAM systems, or personalization engines. When those services provide OpenAPI definitions, they can be included alongside Optimizely and custom APIs, giving teams a single, consistent documentation experience.</p> <hr /> <h2>Example Repository</h2> <p>All of this is demonstrated in a runnable .NET 8 example here:<br /><a class="decorated-link" href="https://github.com/andreas-valtech/OptimizelyScalarContentDelivery/">https://github.com/andreas-valtech/OptimizelyScalarContentDelivery/</a></p> <hr /> <h2>What&rsquo;s Next: Authentication with Keycloak</h2> <p>This article focuses on unauthenticated APIs. In the next part of the series, we&rsquo;ll introduce authentication using <strong>Keycloak</strong>, covering OAuth 2.0 and OpenID Connect, securing both custom APIs and Optimizely Content Delivery endpoints, and documenting authentication flows in OpenAPI and Scalar.</p> <hr /> <h2>Closing Thoughts</h2> <p>By treating OpenAPI as the primary contract and using a modern UI like Scalar, Optimizely CMS solutions align naturally with the direction of ASP.NET Core and modern headless architectures. The result is clearer APIs, better developer experience, and a setup that scales well as platforms grow more composable.</p> https://world.optimizely.com/blogs/andreas-ylivainio-omvp/dates/2026/2/using-scalar-with-optimizely-cms-in-.net-8 Fri, 06 Feb 2026 09:59:32 GMT Blog post