Vulnerability in EPiServer.Forms
We have Azure AD set up using the standard setup https://world.episerver.com/documentation/developer-guides/CMS/security/integrate-azure-ad-using-openid-connect/ and we have our Front End Users set up using Asp.NET Identity. This is all working fine but how are we supposed to setup content approvals?
At the moment the selection list for users/groups is only showing our asp.net identity users, how is this supposed to list Azure AD users as that's where our CMS editors are coming from?
As far as I was aware users are cached in a table in SQL when they first log in (along with their claims) to allow selection in the UI. Has anyone ever logged in via Azure AD? Can't remember the table name but I am sure you can find it :)
Hi David, yes I looked into the code and saw the User and Group synchronization classes, we also have the code
Within the UseOpenIdConnectAuthentication code for our login.
I've checked the [SJA_Development_Episerver].[dbo].[AspNetUsers] but I can't see any of the AzureAD users in there. We use Asp.NET Identity for the front end of the site so have both configured in our startup.cs class. We see all the front end user logins but nothing seems to be either in the table or in the user admin UI.
David this seems to be an issue affecting others https://world.episerver.com/forum/developer-forum/-Episerver-75-CMS/Thread-Container/2018/11/tag-user-in-project-comment-not-working-when-using-external-authentication-provider/?pageIndex=1#reply
I've seen that the users are in the [tblSynchedUser] table but they aren't appearing in some of the more modern UI users pickers such as project comments and content approvals
I've dug around to hell in the assemblies and tracked through the NotificationUserStore and the problem seems to be around IQueryableNotificationUsers
This is the service interface that gets the users and is implemented by both AspNetIdentitySecurityEntityProvider and DefaultSynchronizedUsersRepository. When getting the IQueryableNotificationUsers service, this seems to be coming back as the AspNetIdentitySecurityEntityProvider, which is returning the wrong users. I need to swap it but the DefaultSynchronizedUsersRepository seems to be an internal only class.
@David is there any configuration you know of that can sort this out, I'm so close but just need this last step?
I think it's a bug, I've posted a work around here https://world.episerver.com/blogs/scott-reed/dates/2018/11/working-around-iqueryablenotificationusers-when-using-external-claims-based-cms-users/
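The swap Scott describes, registering a different IQueryableNotificationUsers implementation so the content approval and project comment pickers see the synced users rather than the ASP.NET Identity ones, sketched below in C#. This is example code added for this thread, not Scott's published workaround and not Episerver's own code. Assumed, since the thread does not show them: the FindAsync(string query, int startIndex, int maxRows) signature on IQueryableNotificationUsers and the shapes of PagedNotificationUserResult and NotificationUser (EPiServer.Notification); the ISyncedUserSource interface and SyncedUser class are hypothetical stand-ins for whatever public API you use to read the synced users, since DefaultSynchronizedUsersRepository is internal.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using EPiServer.Framework;
using EPiServer.Framework.Initialization;
using EPiServer.Notification;
using EPiServer.ServiceLocation;

// Hypothetical abstraction over the synchronized-user store (the users that
// land in tblSynchedUser after an Azure AD login). The reader supplies and
// registers an implementation; it is not part of the CMS API.
public interface ISyncedUserSource
{
    IEnumerable<SyncedUser> GetAll();
}

// Hypothetical DTO for one synced user.
public class SyncedUser
{
    public string UserName { get; set; }
    public string DisplayName { get; set; }
}

// Replacement IQueryableNotificationUsers that answers picker queries from the
// synced users. FindAsync signature, PagedNotificationUserResult and
// NotificationUser are assumed from EPiServer.Notification.
public class SyncedUsersNotificationUsers : IQueryableNotificationUsers
{
    private readonly ISyncedUserSource _source;

    public SyncedUsersNotificationUsers(ISyncedUserSource source)
    {
        _source = source;
    }

    public Task<PagedNotificationUserResult> FindAsync(string query, int startIndex, int maxRows)
    {
        var term = (query ?? string.Empty).Trim();

        // Case-insensitive match on user name or display name; an empty query
        // returns everyone. Sort before paging so pages are stable between calls.
        var matches = _source.GetAll()
            .Where(u => term.Length == 0
                || u.UserName.IndexOf(term, StringComparison.OrdinalIgnoreCase) >= 0
                || (u.DisplayName ?? string.Empty).IndexOf(term, StringComparison.OrdinalIgnoreCase) >= 0)
            .OrderBy(u => u.UserName, StringComparer.OrdinalIgnoreCase)
            .ToList();

        var page = matches
            .Skip(Math.Max(0, startIndex))
            .Take(Math.Max(0, maxRows))
            .Select(u => new NotificationUser(u.UserName) { DisplayName = u.DisplayName ?? u.UserName })
            .ToList();

        // Total count is the full match count, not the page size, so the picker
        // can page correctly.
        return Task.FromResult(new PagedNotificationUserResult(page, matches.Count));
    }
}

// Registering after EPiServer.Web.InitializationModule has run means this
// registration is the last one for IQueryableNotificationUsers, so the
// container resolves it instead of AspNetIdentitySecurityEntityProvider.
[InitializableModule]
[ModuleDependency(typeof(EPiServer.Web.InitializationModule))]
public class SyncedUsersPickerModule : IConfigurableModule
{
    public void ConfigureContainer(ServiceConfigurationContext context)
    {
        context.Services.AddSingleton<IQueryableNotificationUsers, SyncedUsersNotificationUsers>();
    }

    public void Initialize(InitializationEngine context) { }

    public void Uninitialize(InitializationEngine context) { }
}
```

You also need to register your ISyncedUserSource implementation in the same ConfigureContainer call, and it is worth checking after startup that ServiceLocator resolves IQueryableNotificationUsers to the new class, since a registration that runs before the CMS's own will silently lose.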
Thanks for posting your work around Scott :)! And thanks for raising as a bug to bring it to dev support's attention!
Thanks David for your help, I think if we were just able to make the DefaultSynchronizedUsersRepository public then developers can register it in the dependency configuration and even extend it if needed, either way the documentation on the security section should be updated so users know in the future how to set it up whatever way you guys go.
David/Scott, was this considered to be an official bug? If so, is there a planned fix?
I have some posts on the need for customizing this as well.
(there's another link inside there as well...)
Would be great if more people laid pressure.
@Erik I added it to the bugs area of the forum and I think David raised it officially. No word on it though
Sorry Scott, I thought you raised it as a bug already...
Apologies, I had only raised it before, as we said, in the https://world.episerver.com/forum/developer-forum/Problems-and-bugs/ section of the forum, not in the support portal.