
CMS + CMP Publishing integration returns a 403 unauthorized response when previewing


Hi!

We are currently setting up a CMS and CMP integration for my client's need for publishing between the various systems. For this we are setting up the CMP platform for our local development (https://localhost:58603/) environment.

We are following the provided documentation for this here: CMS + CMP publishing integration

But we seem to face some kind of 403 unauthorized response between the integration when trying to preview the content in the CMP edit mode. It seems to be related to the iframe embedment between the two environments, but we have tried various settings for allowing the localhost environment to communicate properly with https://cmp.optimizely.com/

The documentation mentions these kinds of issues, like setting the X-Frame-Options and other third-party cookie settings in the browser, but the 403 response is consistent in the main preview frame in the CMP but not when trying to edit some content, such as the all properties mode.

Here are some settings we have tried on our side:

  public void ConfigureServices(IServiceCollection services)
  {
      IMvcBuilder builder = services.AddRazorPages();

      if (_webHostingEnvironment.IsDevelopment())
      {
          // Cmp service credentials for development
          services.Configure<CmsServiceOptions>(o =>
          {
              o.AddDevelopmentSigningCredentials();
          });
      }
      else
      {
          services.AddCmsCloudPlatformSupport(_configuration);
      }

      // Allow the quick editor to be embedded into CMP via an iframe
      services.AddAntiforgery(options =>
      {
          options.Cookie.SameSite = SameSiteMode.None;
          options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
          options.SuppressXFrameOptionsHeader = false;
      });

      services.Configure<CookiePolicyOptions>(options =>
      {
          options.MinimumSameSitePolicy = SameSiteMode.None;
      });

      // CORS policy that accepts any origin, method and header
      services.AddCors(options =>
      {
          options.AddPolicy("AllowAll", policy =>
          {
              policy.AllowAnyOrigin()
                    .AllowAnyMethod()
                    .AllowAnyHeader();
          });
      });
  }

  public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IContentEvents contentEvents)
  {
      app.UseStaticFiles();
      app.UseRouting();
      app.UseCors("AllowAll");
      app.UseAuthentication();
      app.UseCmsCmpPublishingPreviewLinks();
      app.UseAuthorization();

      // Set X-Frame-Options on every response that reaches this middleware
      app.Use(async (context, next) =>
      {
          context.Response.Headers["X-Frame-Options"] = "ALLOW-FROM https://cmp.optimizely.com";
          await next();
      });
  }

 

 

The preview of the content does not return a valid response in the preview of the content:

 

The Edit Page seems to work fine in the Preview mode in the CMP:

 

 

#336358
Edited, Feb 03, 2025 6:39
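
An added example, not part of the original post and not Optimizely's code: the embedding settings from the post scoped to the CMP origin, using CSP `frame-ancestors` because current browsers ignore `X-Frame-Options: ALLOW-FROM`. It does not address the 403 itself, which the thread later attributes to token evaluation; the minimal hosting model, the policy name `CmpOnly` and the placeholder endpoint are assumptions, and the Optimizely middleware is left out so the file runs on its own.

```csharp
// Program.cs (added example; names other than the CMP origin are hypothetical)
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

const string CmpOrigin = "https://cmp.optimizely.com"; // origin named in the thread

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAntiforgery(options =>
{
    // A cross-site iframe only receives cookies marked SameSite=None; Secure.
    options.Cookie.SameSite = SameSiteMode.None;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    // With 'false', antiforgery adds X-Frame-Options: SAMEORIGIN whenever the
    // header is not already set. Framing is governed by the CSP below instead.
    options.SuppressXFrameOptionsHeader = true;
});

// Weak setting in the post: AllowAnyOrigin(). Here only the CMP origin is allowed.
builder.Services.AddCors(options =>
    options.AddPolicy("CmpOnly", policy => policy
        .WithOrigins(CmpOrigin)
        .AllowAnyMethod()
        .AllowAnyHeader()));

var app = builder.Build();

// Registered first so the headers also reach short-circuited responses
// (for example a 401 or 403 produced by later middleware).
app.Use(async (context, next) =>
{
    context.Response.OnStarting(() =>
    {
        var headers = context.Response.Headers;
        headers.Remove("X-Frame-Options");
        // Appended as an extra policy: browsers enforce every CSP header sent,
        // so this only narrows who may frame the site.
        headers.Append("Content-Security-Policy", $"frame-ancestors 'self' {CmpOrigin}");
        return Task.CompletedTask;
    });
    await next();
});

app.UseRouting();
app.UseCors("CmpOnly");
app.MapGet("/", () => "ok"); // placeholder endpoint (assumption)
app.Run();
```

The response headers can be checked with the browser's network tab on the framed request: `Content-Security-Policy` should list the CMP origin and `X-Frame-Options` should be absent.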

In the .UseCmsCmpPublishingPreviewLinks provided by the Optimizely.Cms.Cmp.Publishing.dll there seems to be this usage of the setup for communicating via the CMS and the CMP platform. Why would the preview token fail in such an instance and return a 403?

We are using ngrok and have provided the development signatures as stated in the documentation as well.

 

#336360
Feb 03, 2025 6:46

Hi Eric, 

 

I'm having the same issue. Have you found a solution yet?

 

Thanks,

Tung

#337994
May 02, 2025 10:23

Hi, yes, we ended up recreating the entire Apps and Integration setup in the CMP to the CMS integration, since the 403 status occurred somewhere between the CMP and the CMS token evaluation and refused to delete the "wrong token".

Don't really know why this token evaluation in our local environment did not end up well but since the new creation we have not had the issue locally any longer.

Hope it helps for you as well!

#337995
May 02, 2025 10:36