Hi Torunn
You still have the issue?
Are you using the OWIN implementation, and have you followed the instructions at https://world.episerver.com/documentation/developer-guides/commerce/security/support-for-openid-connect-in-episerver-commerce/?
Where are your editors and admins located? Are they not in the same AD as the end users?
Hi!
This is an external identity provider. Normally, the users log in with the SqlMembershipProvider. Since I had to remove the membership provider to be able to use OpenIdConnect, the only way to log in is through this external service.
This is not a commerce solution.
Hello Torunn
It's possible to configure multiple identity providers for your solution. The following links are useful to find out how:
David
Hi!
I managed to get this working locally. But in staging I get this error: EPiServer.Web.RoutingUrlRewriteModule: Url is not valid for rewrite. Returning URL /Util/login.aspx?ReturnUrl...
Any idea what I am doing wrong?
Hi!
So I've gotten past the problem above.
What I really want is to keep the regular Episerver login, but have an OpenIdConnect login for end users that should not log in to Episerver.
Current status is that I have managed to have two separate logins. I can log in with OpenIdConnect, and I can log in to Episerver with username and password. The latter one is solved by manually logging in the user:
    EPiServer.Security.PrincipalInfo.CurrentPrincipal = EPiServer.Security.PrincipalInfo.CreatePrincipal(username);
    System.Web.Security.FormsAuthentication.SetAuthCookie(username, true);
The regular login form doesn't work, even though I have set up the multiplexing membership/role provider in web.config and <authentication> to forms. When I log in with the custom code, I can't find any of the roles or users. I can create new ones, but they are of type "EPi_AspNetIdentityUserProvider".
Another problem is that it doesn't always redirect me to the IdentityServer. Sometimes it takes me to the regular Epi login page.
My startup.cs looks like this:
    ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
    app.AddCmsAspNetIdentity<ApplicationUser>();
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    // OpenID Connect authentication
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = OicClientId,
        Authority = OicAuthority,
        PostLogoutRedirectUri = OicPostLogoutRedirectUri,
        ResponseType = OicResponseType,
        Scope = OicScopes,
        RequireHttpsMetadata = false,
        RedirectUri = redirectUri,
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = false,
            NameClaimType = ClaimTypes.NameIdentifier,
            RoleClaimType = ClaimTypes.Role
        },
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            AuthenticationFailed = context =>
            {
                context.HandleResponse();
                context.Response.Write(context.Exception.Message);
                return Task.FromResult(0);
            },
            RedirectToIdentityProvider = context =>
            {
                if (context.ProtocolMessage.RedirectUri == null)
                {
                    var currentUrl = SiteDefinition.Current.SiteUrl;
                    context.ProtocolMessage.RedirectUri = new UriBuilder(
                        currentUrl.Scheme,
                        currentUrl.Host,
                        currentUrl.Port,
                        HttpContext.Current.Request.Url.AbsolutePath).ToString();
                }
                // Unauthorized: an already authenticated user gets 403 instead of a new challenge
                if (context.OwinContext.Response.StatusCode == 401 && context.OwinContext.Authentication.User.Identity.IsAuthenticated)
                {
                    context.OwinContext.Response.StatusCode = 403;
                    context.HandleResponse();
                }
                return Task.FromResult(0);
            },
            SecurityTokenValidated = ctx =>
            {
                // Keep only the local part of the return URL
                var redirectUri = new Uri(ctx.AuthenticationTicket.Properties.RedirectUri,
                    UriKind.RelativeOrAbsolute);
                if (redirectUri.IsAbsoluteUri)
                    ctx.AuthenticationTicket.Properties.RedirectUri = redirectUri.PathAndQuery;
                // Synchronize the user and roles into Episerver in the background (not awaited)
                ServiceLocator.Current.GetInstance<OicSynchronizingUserService>()
                    .SynchronizeAsync(ctx.AuthenticationTicket.Identity);
                Logger.Current.LogDebug("Synchronizing: " + ctx.AuthenticationTicket.Identity.IsAuthenticated + ", " + ctx.AuthenticationTicket.Identity.RoleClaimType);
                return Task.FromResult(0);
            },
            SecurityTokenReceived = ctx =>
            {
                return Task.FromResult(0);
            }
        }
    });
    app.UseStageMarker(PipelineStage.Authenticate);

    app.Map(UrlLogin, config =>
    {
        config.Run(ctx =>
        {
            if (ctx.Authentication.User == null || !ctx.Authentication.User.Identity.IsAuthenticated)
                ctx.Response.StatusCode = 401;
            else
                ctx.Response.Redirect("/");
            return Task.FromResult(0);
        });
    });

    app.Map(UrlLogout, config =>
    {
        config.Run(ctx =>
        {
            ctx.Authentication.SignOut();
            return Task.FromResult(0);
        });
    });

    // Tell antiforgery to use the name claim
    AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
The solution is to have AspNetIdentity for editor/admin login, and OpenIdConnect for end users:
I used this for migrating users from SqlServer to AspNetIdentity:
https://gist.github.com/khurramkhang/f9110994e6dd771db87e0e26a394c557
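The arrangement the solution post describes, AspNetIdentity for editors and admins and OpenID Connect for end users, as an added example that is not code from this thread or from Episerver. It differs from the Startup.cs posted earlier in two ways that address the "sometimes it takes me to the regular Epi login page" symptom: the OIDC middleware runs in passive mode, so an unauthenticated request is never bounced to the identity provider on its own, and end users reach the provider only through an explicit challenge on a dedicated login path. Assumptions: the EPiServer.Cms.UI.AspNetIdentity and Microsoft.Owin.Security.OpenIdConnect packages; the OicAuthority/OicClientId/OicRedirectUri values are placeholders; "/account/login", "/account/logout", "/account/login-failed" and the ToLocalPath helper are hypothetical names; "/Util/login.aspx" is Episerver's own forms login page as seen in the error message above.

```csharp
// Added example: editors/admins log in with Episerver AspNetIdentity, end users with OIDC.
using System;
using System.Threading.Tasks;
using EPiServer.Cms.UI.AspNetIdentity;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // Placeholders: replace with values from configuration, never hard-code real secrets.
    private const string OicAuthority = "https://idp.example.invalid";
    private const string OicClientId = "CLIENT_ID_PLACEHOLDER";
    private const string OicRedirectUri = "https://www.example.invalid/signin-oidc";
    private const string EditorLoginPath = "/Util/login.aspx"; // Episerver's forms login page

    public void Configuration(IAppBuilder app)
    {
        // 1. Editors/admins: AspNetIdentity with its own application cookie. A 401 on a CMS
        //    URL is turned into a redirect to /Util/login.aspx by this middleware only.
        app.AddCmsAspNetIdentity<ApplicationUser>();
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString(EditorLoginPath),
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always
        });
        app.SetDefaultSignInAsAuthenticationType(DefaultAuthenticationTypes.ApplicationCookie);

        // 2. End users: OIDC in passive mode. Passive means the middleware never challenges
        //    on its own; it only acts when explicitly asked (see the /account/login branch).
        //    RequireHttpsMetadata and issuer validation are left at their secure defaults.
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = OpenIdConnectAuthenticationDefaults.AuthenticationType,
            AuthenticationMode = AuthenticationMode.Passive,
            Authority = OicAuthority,
            ClientId = OicClientId,
            RedirectUri = OicRedirectUri,
            ResponseType = "id_token",
            Scope = "openid profile",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = ctx =>
                {
                    // Reduce the post-login return URL to a local path (open-redirect guard).
                    var props = ctx.AuthenticationTicket.Properties;
                    props.RedirectUri = ToLocalPath(props.RedirectUri);
                    return Task.FromResult(0);
                },
                AuthenticationFailed = ctx =>
                {
                    // Do not echo the exception text to the browser; show a generic page instead.
                    ctx.HandleResponse();
                    ctx.Response.Redirect("/account/login-failed");
                    return Task.FromResult(0);
                }
            }
        });
        app.UseStageMarker(PipelineStage.Authenticate);

        // 3. The only entry point that sends a browser to the identity provider.
        app.Map("/account/login", branch => branch.Run(ctx =>
        {
            var returnUrl = ToLocalPath(ctx.Request.Query["ReturnUrl"]);
            ctx.Authentication.Challenge(
                new AuthenticationProperties { RedirectUri = returnUrl },
                OpenIdConnectAuthenticationDefaults.AuthenticationType);
            ctx.Response.StatusCode = 401; // a passive challenge is applied on a 401 response
            return Task.FromResult(0);
        }));

        app.Map("/account/logout", branch => branch.Run(ctx =>
        {
            // Clear both the local cookie and the OIDC session.
            ctx.Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie,
                                       OpenIdConnectAuthenticationDefaults.AuthenticationType);
            return Task.FromResult(0);
        }));
    }

    // Hypothetical helper: accept only same-site paths such as "/page?x=1"; anything else
    // (absolute URL to another host, protocol-relative "//host", backslash tricks) becomes "/".
    internal static string ToLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url)) return "/";
        Uri parsed;
        if (Uri.TryCreate(url, UriKind.Absolute, out parsed)) return parsed.PathAndQuery;
        if (url.StartsWith("/") && !url.StartsWith("//") && !url.StartsWith("/\\")) return url;
        return "/";
    }
}
```

With this layout the CMS UI keeps using the cookie middleware and /Util/login.aspx, so editors are never redirected to the external provider, while the public site links end users to /account/login. The earlier snippet's RequireHttpsMetadata = false and ValidateIssuer = false are deliberately not carried over: turning them off lets a token from a different issuer, or metadata fetched over plain HTTP, be accepted.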
Hi!
Is it possible to have some kind of separate login for admin users in Episerver when using OpenIdConnect? We only want the OpenIdConnect for the end users, not editors or admins.