Calling all developers! We invite you to provide your input on Feature Experimentation by completing this brief survey.

 

Mark Stott
Dec 9, 2024
  337
(4 votes)

Opti ID with Secure Cookies And Third Party AddOns

Opti ID has revolutionised access to the Optimizely One suite and is now the preferred authentication method on all PAAS CMS websites that I build.  However there are a couple of gotchas that always need to be taken care, outlined below are the solutions to both.

Secure Cookies

Any penetration test that you perform on your website will always advise that your cookies are set to be Secure, HTTP Only with a SameSite mode of Strict.  Setting these is simple enough until you realise that the Opti ID cookies are third party and therefore for need a SameSite mode of None.  If you have used Microsoft Entra (Formerly Azure AD) as the authentication method for a CMS, then this problem will be very familiar to you.

The challenge we have is:

  • We don't want all cookies to have a SameSite mode of None
  • Optimizely cookies are not in our direct control
  • Writing verbose custom cookie code everywhere is messy

In the following solution I have used the app.UseCookiePolicy(...) method to set all of the cookies to be Secure, Http Only with a default SameSite mode of None by default.  I then provide a handler for the OnAppendCookie event that will set cookies to use a SameSite mode of Strict provided they do not match one of the following cookie name patterns:

  • oid- : These are cookies which Opti ID uses for authentication
  • .AspNetCore : These are cookies NET Core uses for Authentication
public static IApplicationBuilder UseSecureCookies(this IApplicationBuilder app)
{
    // Set the default cookie policy
    app.UseCookiePolicy(new CookiePolicyOptions
    {
        HttpOnly = HttpOnlyPolicy.Always,
        Secure = CookieSecurePolicy.Always,
        MinimumSameSitePolicy = SameSiteMode.None,
        OnAppendCookie = context =>
        {
            if (!context.CookieName.StartsWith("oid-") &&
                !context.CookieName.StartsWith(".AspNetCore"))
            {
                // Any cookie that is not an authentication cookie should have a SameSite mode of Strict
                context.CookieOptions.SameSite = SameSiteMode.Strict;
            }
        }
    });

    return app;
}

Configuring AddOns To Use Opti ID

In Optimizely CMS 11, dependency setup relied upon Initialisation Modules.  In CMS 12 and .NET core, all of this is now handled in Startup.cs. Some commonly used AddOns include a service extension that is intended to be consumed within a startup.cs. Some go as far as to provide a custom authorization policy so that you can customise access to the AddOn to specific roles rather than granting full admin access to the CMS for users who just need that functionality. Here are a few AddOns and the roles that you might want to use:

  • Stott Security - CmsAdmins, SecurityAdmins, DataAnalytics
  • Stott Robots Handlers - CmsAdmins, SeoAdmins
  • Geta NotFound Handler - CmsAdmins, SeoAdmins
  • Geta Sitemaps - CmsAdmins, SeoAdmins

Here is the challenge: These modules will not allow you to access them when using Opti Id unless you specify the Opti ID SchemeName in the authorizarion policy for each AddOn.

Take this configuration for the Stott Security AddOn as an example; this AddOn allows you to segment the data for the AddOn into a separate database and it allows you to define an authorization policy.  In this scenario it is a simple matter of making sure the Opti ID Scheme Name is added to the policy:

public static IServiceCollection AddSecurityAddOn(this IServiceCollection services)
{
    services.AddStottSecurity(
        options =>
        {
            options.ConnectionStringName = "EPiServerDB";
        },
        authorization =>
        {
            authorization.AddPolicy(CspConstants.AuthorizationPolicy, policy =>
            {
                // Use the Opti ID scheme Name
                policy.AddAuthenticationSchemes(OptimizelyIdentityDefaults.SchemeName);
                policy.RequireRole(Roles.CmsAdmins, "SecurityAdmins");
            });
        });

    return services;
}

Service Collection Extension Pattern

In both of these examples above, I am following the Service Collection Extension Pattern.  I highly recomment this pattern as it allows you to modularise your configuration code and to keep your startup.cs clean and easy to understand or rearrange.  

Dec 09, 2024

Comments

Please login to comment.
Latest blogs
Optimizely Content Graph on mobile application

CG everywhere! I pull schema from our default index https://cg.optimizely.com/app/graphiql?auth=eBrGunULiC5TziTCtiOLEmov2LijBf30obh0KmhcBlyTktGZ in...

Cuong Nguyen Dinh | Jan 20, 2025

Image Analyzer with AI Assistant for Optimizely

The Smart Image Analyzer is a new feature in the Epicweb AI Assistant for Optimizely CMS that automates the management of image metadata, such as...

Luc Gosso (MVP) | Jan 16, 2025 | Syndicated blog

How to: create Decimal metafield with custom precision

If you are using catalog system, the way of creating metafields are easy – in fact, you can forget about “metafields”, all you should be using is t...

Quan Mai | Jan 16, 2025 | Syndicated blog

Level Up with Optimizely's Newly Relaunched Certifications!

We're thrilled to announce the relaunch of our Optimizely Certifications—designed to help partners, customers, and developers redefine what it mean...

Satata Satez | Jan 14, 2025