Which version of Microsoft.Owin.Security.OpenIdConnect are you using?
If you have 4.1 or later you can set:
You also need a ClientSecret set.
You also need to set a value for Scope.
Nonce error messages are usually caused by redirect issues that result in a second nonce being set, or by a problem setting the nonce cookie in the first place.
I have implemented Auth0 with Optimizely 11 and used the following configuration:
// Application-relative path that Configuration maps to a federated sign-out.
const string LogoutUrl = "/util/logout.aspx";
// Auth0 tenant domain; interpolated into the Authority and the /v2/logout URL below.
// ConfigurationManager.AppSettings returns null when the key is absent, so each of these is null if not configured.
private string domain = ConfigurationManager.AppSettings["auth0:Domain"];
// Auth0 application client id; sent as client_id on the logout redirect as well.
private string clientId = ConfigurationManager.AppSettings["auth0:ClientId"];
// Callback URL passed as RedirectUri to the OpenID Connect options.
private string redirectUri = ConfigurationManager.AppSettings["auth0:CallbackUrl"];
// URL passed as PostLogoutRedirectUri to the OpenID Connect options.
private string postLogoutRedirectUri = ConfigurationManager.AppSettings["auth0:LogoutUrl"];
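/// <summary>
/// OWIN startup: wires ASP.NET Identity for the CMS, cookie authentication and an
/// Auth0 OpenID Connect handler, then maps <see cref="LogoutUrl"/> to a federated sign-out.
/// </summary>
/// <param name="app">The OWIN application builder supplied by the host.</param>
/// <exception cref="InvalidOperationException">
/// Thrown when the auth0:Domain or auth0:ClientId appSetting is missing, since both are
/// interpolated into URLs and a null value would silently produce a broken authority.
/// </exception>
public void Configuration(IAppBuilder app)
{
    // Fail fast on missing configuration instead of building "https://" as the Authority.
    if (string.IsNullOrWhiteSpace(domain))
    {
        throw new InvalidOperationException("The auth0:Domain appSetting is missing.");
    }
    if (string.IsNullOrWhiteSpace(clientId))
    {
        throw new InvalidOperationException("The auth0:ClientId appSetting is missing.");
    }

    // Add CMS integration for ASP.NET Identity
    app.AddCmsAspNetIdentity<ApplicationUser>();

    // Set Cookies as default authentication type
    app.SetDefaultSignInAsAuthenticationType(OpenIdConnectAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = OpenIdConnectAuthenticationDefaults.AuthenticationType
    });

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        AuthenticationType = "Auth0",
        Authority = $"https://{domain}",
        ClientId = clientId,
        RedirectUri = redirectUri,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        ResponseType = OpenIdConnectResponseType.CodeIdToken,
        ResponseMode = OpenIdConnectResponseMode.FormPost,
        Scope = "openid profile email",
        TokenValidationParameters = new TokenValidationParameters
        {
            // NOTE(review): issuer validation is switched off, so the "iss" of the
            // id_token is never checked against the Authority's discovery document.
            // Confirm this is really required; the default (true) is the safer setting.
            ValidateIssuer = false,
            NameClaimType = ClaimTypes.Name, // Or "preferred_username",
            RoleClaimType = ClaimTypes.Role
        },
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            AuthenticationFailed = context =>
            {
                // Keep the exception detail in the trace log rather than writing
                // context.Exception.Message into the response body: the validation
                // text (issuer, audience, nonce, IDX codes) is internal information
                // that should not be returned to the browser.
                context.HandleResponse();
                System.Diagnostics.Trace.TraceError("OpenID Connect authentication failed: {0}", context.Exception);
                context.Response.StatusCode = 500;
                context.Response.Write("Authentication failed.");
                return Task.FromResult(0);
            },
            RedirectToIdentityProvider = notification =>
            {
                // Here you can change the return uri based on multisite
                HandleMultiSiteReturnUrl(notification);

                if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
                {
                    var logoutUri = $"https://{domain}/v2/logout?client_id={clientId}";
                    var postLogoutUri = notification.ProtocolMessage.PostLogoutRedirectUri;
                    if (!string.IsNullOrEmpty(postLogoutUri))
                    {
                        // Ordinal: this is a path prefix test, not a linguistic comparison.
                        if (postLogoutUri.StartsWith("/", StringComparison.Ordinal))
                        {
                            // transform to absolute
                            var request = notification.Request;
                            postLogoutUri = request.Scheme + "://" + request.Host + request.PathBase + postLogoutUri;
                        }
                        // returnTo is validated by Auth0 against the tenant's allowed logout URLs;
                        // the value is still URL-encoded here so it cannot inject extra query parameters.
                        logoutUri += $"&returnTo={Uri.EscapeDataString(postLogoutUri)}";
                    }
                    notification.Response.Redirect(logoutUri);
                    notification.HandleResponse();
                }

                // To avoid a redirect loop to the federation server send 403
                // when user is authenticated but does not have access
                if (notification.OwinContext.Response.StatusCode == 401 &&
                    notification.OwinContext.Authentication.User.Identity.IsAuthenticated)
                {
                    notification.OwinContext.Response.StatusCode = 403;
                    notification.HandleResponse();
                }
                return Task.FromResult(0);
            },
            SecurityTokenValidated = ctx =>
            {
                var properties = ctx.AuthenticationTicket.Properties;
                var identity = ctx.AuthenticationTicket.Identity;

                // Reduce an absolute return URL to its local path and query so the
                // post-login redirect stays on this host. Properties.RedirectUri can
                // be null when no return URL was captured, and new Uri(null) throws.
                if (!string.IsNullOrEmpty(properties.RedirectUri))
                {
                    var returnUri = new Uri(properties.RedirectUri, UriKind.RelativeOrAbsolute);
                    if (returnUri.IsAbsoluteUri)
                    {
                        properties.RedirectUri = returnUri.PathAndQuery;
                    }
                }

                // Only the first whitespace-separated token of the "name" claim is
                // stored as ClaimTypes.Name. Guarded: an id_token without a "name"
                // claim previously caused a NullReferenceException here.
                var nameClaim = identity.Claims.SingleOrDefault(c => c.Type == "name");
                if (nameClaim != null)
                {
                    var firstName = nameClaim.Value.Split(' ')[0];
                    identity.AddClaim(new Claim(ClaimTypes.Name, firstName, ClaimValueTypes.String));
                }

                // Storing role as SSO in claims dictionary. Useful when logging out user.
                identity.AddClaim(new Claim(ClaimTypes.Role, "SSO"));
                // POC only: every user who authenticates through Auth0 is granted WebAdmins
                // here. In production this should be driven by a role/group claim released
                // by the identity provider, not added unconditionally.
                identity.AddClaim(new Claim(ClaimTypes.Role, "WebAdmins"));

                // Sync user and the roles to EPiServer in the background.
                // NOTE(review): the task returned by SynchronizeAsync is not observed, so a
                // failure inside it is dropped silently — confirm the service logs its own errors.
                ServiceLocator.Current.GetInstance<Auth0SynchronizingUserService>()
                    .SynchronizeAsync(identity);
                return Task.FromResult(0);
            }
        }
    });
    app.UseStageMarker(PipelineStage.Authenticate);

    // Remap logout to a federated logout
    app.Map(LogoutUrl, map =>
    {
        map.Run(ctx =>
        {
            ctx.Authentication.SignOut();
            return Task.FromResult(0);
        });
    });

    // If the application throws an antiforgery token exception like "AntiForgeryToken: A Claim of Type NameIdentifier or IdentityProvider Was Not Present on Provided ClaimsIdentity"
    // NOTE(review): ClaimTypes.Name is populated above from the first token of the "name"
    // claim, which is not unique per user, so two users sharing a first name get
    // interchangeable anti-forgery tokens. Prefer a stable per-user claim such as
    // ClaimTypes.NameIdentifier if it is present on the identity.
    AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
}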
Hi,
Does anyone have experience using Auth0 for authentication in the CMS?
I have implemented the logic in Startup.cs. The authentication fails and I get an exception "IDX21323: RequireNonce is '[PII of type 'System.Boolean' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated."
Has anyone experienced the same issue?
My code:
// Configure Auth0 authentication
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
AuthenticationType = "Auth0",
Authority = $"https://{auth0Domain}",
ClientId = auth0ClientId,
RedirectUri = auth0RedirectUri,
PostLogoutRedirectUri = auth0PostLogoutRedirectUri,
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
RoleClaimType = ClaimTypes.Role,
NameClaimType = ClaimTypes.Email
},
CookieManager = new SameSiteCookieManager(new SystemWebCookieManager()),
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = context =>
{
HandleMultiSiteReturnUrl(context);
.........
},
AuthenticationFailed = context =>
{
if (context.Exception.Message.Contains("IDX21323")){.....}
}
........