Authentication with Auth0

Vote:
 

Hi, 

Is anyone has experience in using Auth0 as authentication in CMS? 

I have implmented logic in Startup.cs. The authentication is failed and I got an exception "IDX21323: RequireNonce is '[PII of type 'System.Boolean' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated."

Anyone has experienced the same issue?

My code:
            // Configure Auth0 authentication
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                AuthenticationType = "Auth0",
                Authority = $"https://{auth0Domain}",
                ClientId = auth0ClientId,
                RedirectUri = auth0RedirectUri,
                PostLogoutRedirectUri = auth0PostLogoutRedirectUri,
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = false,
                    RoleClaimType = ClaimTypes.Role,
                    NameClaimType = ClaimTypes.Email
                },

            CookieManager = new SameSiteCookieManager(new SystemWebCookieManager()),

                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    RedirectToIdentityProvider = context =>
                    {
                        HandleMultiSiteReturnUrl(context);
                        .........
                    },

                    AuthenticationFailed = context =>
                    {
                        if (context.Exception.Message.Contains("IDX21323")){.....}

                    }

........

#290205
Oct 18, 2022 8:17
Vote:
 

Which version of Microsoft.Owin.Security.OpenIdConnect are you using?

If you have 4.1 or later you can set:

  • Set ResponseType = OpenIdConnectResponseType.Code,
  • Set RedeemCode = true

You also need a ClientSecret set.

You also need to set something on Scope.

Error messages around nonce are usually related to redirect issues resulting in another nonce set, or some problem setting the nonce cookie in the first place.

#291501
Nov 11, 2022 17:15
Vote:
 

I have implemented Auth0 With Optimizely 11 and used the following configuration 

        const string LogoutUrl = "/util/logout.aspx";
        private string domain = ConfigurationManager.AppSettings["auth0:Domain"];
        private string clientId = ConfigurationManager.AppSettings["auth0:ClientId"];
        private string redirectUri = ConfigurationManager.AppSettings["auth0:CallbackUrl"];
        private string postLogoutRedirectUri = ConfigurationManager.AppSettings["auth0:LogoutUrl"];

        public void Configuration(IAppBuilder app)
        {
            // Add CMS integration for ASP.NET Identity
            app.AddCmsAspNetIdentity<ApplicationUser>();

            // Set Cookies as default authentication type
            app.SetDefaultSignInAsAuthenticationType(OpenIdConnectAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = OpenIdConnectAuthenticationDefaults.AuthenticationType
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                AuthenticationType = "Auth0",
                Authority = $"https://{domain}",
                ClientId = clientId,
                RedirectUri = redirectUri,
                PostLogoutRedirectUri = postLogoutRedirectUri,
                ResponseType = OpenIdConnectResponseType.CodeIdToken,
                ResponseMode = OpenIdConnectResponseMode.FormPost,
                Scope = "openid profile email",
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = false,
                    NameClaimType = ClaimTypes.Name, // Or "preferred_username",
                    RoleClaimType = ClaimTypes.Role
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthenticationFailed = context =>
                    {
                        context.HandleResponse();
                        context.Response.Write(context.Exception.Message);
                        return Task.FromResult(0);
                    },
                    RedirectToIdentityProvider = notification =>
                    {
                        // Here you can change the return uri based on multisite
                        HandleMultiSiteReturnUrl(notification);

                        if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
                        {
                            var logoutUri = $"https://{domain}/v2/logout?client_id={clientId}";

                            var postLogoutUri = notification.ProtocolMessage.PostLogoutRedirectUri;
                            if (!string.IsNullOrEmpty(postLogoutUri))
                            {
                                if (postLogoutUri.StartsWith("/"))
                                {
                                    // transform to absolute
                                    var request = notification.Request;
                                    postLogoutUri = request.Scheme + "://" + request.Host + request.PathBase + postLogoutUri;
                                }
                                logoutUri += $"&returnTo={Uri.EscapeDataString(postLogoutUri)}";
                            }

                            notification.Response.Redirect(logoutUri);
                            notification.HandleResponse();
                        }

                        // To avoid a redirect loop to the federation server send 403 
                        // when user is authenticated but does not have access
                        if (notification.OwinContext.Response.StatusCode == 401 &&
                            notification.OwinContext.Authentication.User.Identity.IsAuthenticated)
                        {
                            notification.OwinContext.Response.StatusCode = 403;
                            notification.HandleResponse();
                        }

                        return Task.FromResult(0);
                    },
                    SecurityTokenValidated = (ctx) =>
                    {
                        var redirectUri = new Uri(ctx.AuthenticationTicket.Properties.RedirectUri,
                            UriKind.RelativeOrAbsolute);
                        if (redirectUri.IsAbsoluteUri)
                        {
                            ctx.AuthenticationTicket.Properties.RedirectUri = redirectUri.PathAndQuery;
                        }

                        var fullName = ctx.AuthenticationTicket.Identity.Claims.ToList().SingleOrDefault(x =>
                            x.Type == "name"
                        ).Value.Split(' ');

                        ctx.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Name, fullName[0], ClaimValueTypes.String));

                        // Storing role as SSO in claims dictionary. Useful when logging out user.
                        ctx.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, "SSO"));
						
						// Adding user to WebAdmins here ideally should be done via Claims but Just POC 
                        ctx.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, "WebAdmins"));

                        //Sync user and the roles to EPiServer in the background
                        ServiceLocator.Current.GetInstance<Auth0SynchronizingUserService>()
                            .SynchronizeAsync(ctx.AuthenticationTicket.Identity);

                        return Task.FromResult(0);
                    }
                }
            });

            app.UseStageMarker(PipelineStage.Authenticate);

            //Remap logout to a federated logout
            app.Map(LogoutUrl, map =>
            {
                map.Run(ctx =>
                {
                    ctx.Authentication.SignOut();
                    return Task.FromResult(0);
                });
            });

            // If the application throws an antiforgery token exception like “AntiForgeryToken: A Claim of Type NameIdentifier or IdentityProvider Was Not Present on Provided ClaimsIdentity”
            AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;


        }
#291504
Nov 11, 2022 18:48
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.