Vulnerability in EPiServer.Forms
I am trying to integrate an episerver site with openID connect (against ID porten). Has anyone ever done this and can give me som advice? I have tried to follow this guide https://www.johanbostrom.se/blog/setting-up-episerver-to-use-openid-connect-with-identityserver, but couldn’t make it work. The solution is Episerver 10 WebForms.
MVC or WebForms shouldn't matter in this case since Owin is running on top of ASP.NET.
What part of the guide did you struggle with? You should basically just need the two first code blocks, the rest should be configuration in ID porten. You also need to do the prerequisites here https://world.episerver.com/documentation/Items/Developers-Guide/Episerver-CMS/9/Security/integrate-azure-ad-using-openid-connect/ (link from the guide you posted).
I think I have done all the prerequisites and configurations.
At some point, ID porten should hit. I thought that it would hit when I go to the url I provided in UrlLogin (/login)? Or do I have to manually redirect somewhere? Do the page /login need to exist? The way I configured it; if I go to /episerver, it complains about some unsufficient rights. If I go to /login, I get 404.
From what I can see, the Startup.cs never runs.
Does your startup look a bit like this:
public class Startup
If its never being excecuted then I am wondering if the OwinStartup attribute is missing?
Next to the great answers from the other folks on this thread, it is worth as well verifying that your Startup indeed is executed. We have multiple times seen a correctly annottated Startup class not starting, which were caused by the optimizeCompilations="true" being set. If we set it to false for just one startup, it seemed to pick it up on any concurrent startups.
I personally spent days on figuring this out! It later got documented by Episerver:
We always verify if Startup is executed by throwing an Exception inside of it, since your debugger most likely wont be attached early enough.
/Casper Aagaard Rasmussen
Make sure you have installed Microsoft.Owin.Host.SystemWeb. Otherwise your starup class won't be executed.
Hi Torunn, if you still have issues with OpenID Connect and Episerver, please have a look at my blog post that I did a while ago (the demo uses Alloy site) but we've implemented real customer cases with OpenID Connect using different Identity Providers.
Thank you for all the great answers! The issue was the optimizeCompilations="true" in web.config. When I set this to false, the startup class ran. I wouldn't have figured this out myself. Thanks again!