We have a setup with Federated Security with OWIN towards ADFS. If the browser session gets a timeout and the editor performs any editing activity, EPiServer tries to re-authenticate towards ADFS via AJAX. Then we get the following error in the browser console: "No 'Access-Control-Allow-Origin' header is present on the requested resource."
Does anyone know how to add this CORS header?
And see if that helps.
Thanks for the tip!
I have tried but not succeeded, but will try again when I have time to dig some more.
Check out this blog post, it might be helpful:
I don't get any issues with authentication though.
I have not had time to look at this yet, but hopefully I will soon.
Has anyone solved this issue yet? Is it a flaw in Episerver or am I doing something wrong?
My thoughts: The problem is probably not CORS. Even if support for CORS is added, the initial AJAX request will get a redirect to the ADFS server trying to reauthenticate the user. The redirect returns HTML when the initial AJAX request is waiting for its JSON result. This produces an error and the user will not be reauthenticated. The only way to be reauthenticated in edit mode is to press a button that is not using AJAX, or to reload the page. I'm not an expert in federated security, but since Episerver has an example of how to use federated security with OWIN, one would think that this wouldn't be an issue.
I am also having this problem.
Anyone solved it?
Following this thread, also having the problem.
When talking about Episerver's native support for Federated Security, it is always via OWIN middleware.
ADFS is a product of which multiple versions exist. If you are using an older one, it's probably easiest to get it running with Epi using the WS-Federation specification and the OWIN package Microsoft.Owin.Security.WsFederation. WS-Federation is more relaxed than OIDC security-wise, and it is possible to "replay" login flows and get impersonation support in an application. This can't be done with OIDC.
ADFS 2016 has support for OpenID Connect (OIDC). OIDC is a more modern and more secure specification, and with Epi you would use Microsoft.Owin.Security.OpenIdConnect. It should be noted that this package isn't fully OIDC compliant and only supports the form_post response mode and id_token validation. You can't easily use a hybrid flow with just "code" and backchannel, or query mode instead of form_post. It's unclear if this will be introduced in an update, but all the things mentioned are in place for .NET Core 2.0 without any external packages needed, so I guess that's where MS focused their efforts.
OIDC has standardized ways of handling expiry: silent renewal or token refresh, depending on whether you're on the frontend or the backend. You can also check the session and do a full sign-in flow in an iframe, given that the Content Security Policy on the ADFS view response allows it.
If anyone stumbles upon this, here's an update.
Have a look at https://github.com/IdentityServer/IdentityServer3/issues/2424#issuecomment-172508910
UseTokenLifetime = false, // keep the cookie lifetime independent of the id_token lifetime
Also, the Episerver code sample to implement OpenID Connect doesn't play nice with invalidated sessions and the AJAX calls in edit mode, which suggests adding a statement to the OWIN middleware so that AJAX calls properly return a 401 instead of a 302 redirect to the identity server.
Notifications = new OpenIdConnectAuthenticationNotifications {
    RedirectToIdentityProvider = context => {
        if (context.OwinContext.Response.StatusCode == 401 && context.Request.Headers["X-Requested-With"] == "XMLHttpRequest")
            context.HandleResponse(); // answer the AJAX call with the 401 instead of a 302 to the identity provider
        return Task.FromResult(0);
    }
}
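Putting the two settings from this thread together in one Startup.cs, as an added example rather than Episerver's own sample code; the authority, client id and redirect URI are placeholders, and the cookie middleware is the stock OWIN one.

```csharp
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(MySite.Startup))]

namespace MySite
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                // Placeholders: your ADFS 2016 authority and the client registered there
                Authority = "https://adfs.example.com/adfs",
                ClientId = "<client-id>",
                RedirectUri = "https://www.example.com/",
                ResponseType = "id_token", // what this package validates (form_post response mode)
                Scope = "openid",
                // Keep the cookie lifetime independent of the short id_token lifetime,
                // otherwise the edit-mode session expires together with the token
                UseTokenLifetime = false,
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    RedirectToIdentityProvider = context =>
                    {
                        // Edit-mode AJAX calls carry X-Requested-With. A 302 to ADFS on another
                        // domain fails in the browser with the CORS error from this thread;
                        // leaving the 401 in place lets the CMS UI show its re-login screen.
                        if (context.OwinContext.Response.StatusCode == 401 &&
                            context.Request.Headers["X-Requested-With"] == "XMLHttpRequest")
                        {
                            context.HandleResponse(); // suppress the redirect, keep the 401
                        }
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```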
We released a fix in CMS UI 11.1.1 that will take you to the logout/relogin screen. Since the authentication can be on another domain, that was the only way to ensure multiple redirects would work properly.
Strange, I was still getting that error in CMS.UI 11.2.0 when the identity server is on another domain. However, changing the Startup.cs as previously explained works to properly trigger the reauthentication popup.
Yes, you need to change Startup.cs. I see we haven't updated the docs for this yet, so we'll just have to do that.