CMS12 - Authentication by OpenID Connect - AccessDenied for /Episerver url

Hello all,

I am trying to set up OpenIdConnect to connect to an Azure environment to authenticate my localhost CMS.

I am following the main example provided by Optimizely (with some tweaking for my specific Azure environment):

https://docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/integrate-azure-ad-using-openid-connect

Now the problem is that after accessing "https://localhost:8001/episerver" and logging in, I get redirected to /Account/AccessDenied?ReturnUrl=%2Fepiserver.

However, if I access "https://localhost:8001/episerver/cms", there's no problem, I can login without any issues.

I tried setting up the OpenIdConnect in a bare-bones CMS 12 project and got the same behavior. Here's the whole startup class:

```csharp
using System.Globalization;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using EPiServer.Security;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
// Plus the project's own namespaces for IPageService, ISearchService and ISiteContext.

public class Startup
{
    private readonly IWebHostEnvironment _webHostingEnvironment;
    private readonly IConfiguration _configuration;

    public Startup(IWebHostEnvironment webHostingEnvironment, IConfiguration configuration)
    {
        _webHostingEnvironment = webHostingEnvironment;
        _configuration = configuration;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        if (_webHostingEnvironment.IsDevelopment())
        {
            // Add development configuration
        }

        services.AddTransient<IPageService, PageService>();
        services.AddTransient<ISearchService, SearchService>();
        services.AddTransient<ISiteContext, SiteContext>();

        services.AddMvc();
        services.AddCms(); // .AddCmsAspNetIdentity<ApplicationUser>() is not used: identity comes from Azure AD
        services.AddFind();

        services.ConfigureApplicationCookie(options =>
        {
            options.LoginPath = "/util/Login";
        });

        services
            .AddAuthentication(options =>
            {
                // Requests are authenticated from the cookie; unauthenticated requests are challenged via OIDC
                options.DefaultAuthenticateScheme = "azure-cookie";
                options.DefaultChallengeScheme = "azure";
            })
            .AddCookie("azure-cookie", options =>
            {
                options.Events.OnSignedIn = async ctx =>
                {
                    if (ctx.Principal?.Identity is ClaimsIdentity claimsIdentity)
                    {
                        // Syncs user and roles so they are available to the CMS
                        var synchronizingUserService = ctx
                            .HttpContext
                            .RequestServices
                            .GetRequiredService<ISynchronizingUserService>();

                        await synchronizingUserService.SynchronizeAsync(claimsIdentity);
                    }
                };
            })
            .AddOpenIdConnect("azure", options =>
            {
                options.SignInScheme = "azure-cookie";
                options.SignOutScheme = "azure-cookie";
                options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
                options.CallbackPath = "/callback";
                options.ClientSecret = _configuration.GetValue<string>("OpenId_ClientSecret");

                // Authority is built from a format string in configuration plus the tenant-specific value
                options.Authority = string.Format(
                    CultureInfo.InvariantCulture,
                    _configuration.GetValue<string>("OpenId_InstanceId"),
                    _configuration.GetValue<string>("OpenId_Authority"));
                options.ClientId = _configuration.GetValue<string>("OpenId_ClientId");
                options.SignedOutRedirectUri = _configuration.GetValue<string>("OpenId_PostLogoutRedirectUri");
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    RoleClaimType = ClaimTypes.Role,
                    // Issuer validation is disabled, so the token's issuer is not checked against the authority's metadata
                    ValidateIssuer = false,
                };

                options.Events.OnAuthenticationFailed = async context =>
                {
                    // Short-circuit the handler and write the failure reason to the response
                    // (awaited so the write completes before the response ends; note this exposes the exception text to the client)
                    context.HandleResponse();
                    await context.Response.BodyWriter.WriteAsync(Encoding.ASCII.GetBytes(context.Exception.Message));
                };
            });
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapContent();
        });
    }
}
```

Does anyone have an idea of what would be wrong in my setup?

Thank you,

#289541
Oct 13, 2022 18:46
/episerver is not a valid URL. So everything seems to work as expected. 

#289543
Oct 13, 2022 21:16
Do you have Search & Navigation installed? The same issue happened to me because the Search & Navigation UI is the default view, and you need to configure the virtual roles to have access to it.

See my comment in this thread on how to configure the roles:
https://world.optimizely.com/forum/developers-add-ons-forum/Search/Thread-Container/2022/7/search--navigation-oidc-authorization-issues/

And read this page to make sure all roles are configured correctly:
https://docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/virtual-roles

@Johan Petersson - The situation is that when navigating to the root path you end up at the Search & Navigation manage view (/episerver#manage/statistics). Is there a way to configure what should be the default view? I would expect that the CMS edit view is the default, and I've seen multiple people struggling with setting up the virtual roles correctly when implementing SSO. Note that if you have the Content Manager installed, then that becomes the default view. 

The other thing is that the access denied page returns a 404 (tried this in the Foundation project). Is this even the right path, /Account/AccessDenied?ReturnUrl=%2Fepiserver? The path comes from CookieAuthenticationDefaults.AccessDeniedPath in AspNetCore.

#289544
Edited, Oct 13, 2022 22:14
Vincent - Oct 19, 2022 23:10
Hi Ynze, I experienced the same issue recently. Did you find any solution to configure the default view?
Ynze - Oct 24, 2022 4:24
Hi Vincent, no, I haven't found a good solution for this yet, unfortunately.
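As an added example (not code from this thread or from Optimizely's documentation), this is one way to get the roles behind the CMS virtual roles onto the Azure AD identity, and to stop the access-denied redirect landing on a 404. It assumes the scheme names from the first post ("azure" / "azure-cookie"), that the Azure app registration emits group claims in the token, constructed placeholder group IDs, and a hypothetical /util/AccessDenied page.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

public static class AzureRoleMapping
{
    // Constructed placeholder group object IDs; replace them with the tenant's real Azure AD group IDs.
    // The role names are the ones the CMS default virtual roles (CmsAdmins, CmsEditors) map to.
    private static readonly Dictionary<string, string> GroupToRole = new()
    {
        ["00000000-0000-0000-0000-000000000001"] = "WebAdmins",
        ["00000000-0000-0000-0000-000000000002"] = "WebEditors",
    };

    // Pure mapping so it can be unit-tested without an HttpContext:
    // every "groups" claim with a known ID becomes a ClaimTypes.Role claim.
    public static IReadOnlyList<Claim> MapGroupsToRoles(ClaimsIdentity identity) =>
        identity.FindAll("groups")
            .Select(c => c.Value)
            .Where(GroupToRole.ContainsKey)
            .Select(id => new Claim(ClaimTypes.Role, GroupToRole[id]))
            .ToList();

    // Hypothetical extension; call it after AddAuthentication()...AddOpenIdConnect("azure", ...) in ConfigureServices.
    public static IServiceCollection AddAzureRoleMapping(this IServiceCollection services)
    {
        services.Configure<CookieAuthenticationOptions>("azure-cookie", options =>
        {
            // ASP.NET Core's default is /Account/AccessDenied, which a bare CMS 12 site does not serve (hence the 404).
            options.AccessDeniedPath = "/util/AccessDenied"; // assumed path; point it at a page that exists
        });

        services.Configure<OpenIdConnectOptions>("azure", options =>
        {
            // OnTokenValidated runs before the cookie sign-in, so the OnSignedIn sync
            // via ISynchronizingUserService already sees the mapped role claims.
            options.Events.OnTokenValidated = ctx =>
            {
                if (ctx.Principal?.Identity is ClaimsIdentity identity)
                {
                    identity.AddClaims(MapGroupsToRoles(identity));
                }
                return Task.CompletedTask;
            };
        });
        return services;
    }
}
```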
Hello @Johan Petersson,

You are totally right. I'm currently migrating from CMS 11 and was trying to replicate the fact that /episerver shows the Dashboard, and I guess I kind of missed the part that the Dashboard has not been ported over to CMS 12 (https://docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/breaking-changes-in-content-cloud-cms-12#dashboard). Plus, we didn't do anything in the Dashboard in CMS 11, so problem solved on that part. Thank you very much!

@Ynze, I'm trying to access the Search & Navigation page through the menu, and for some reason clicking on the Search & Navigation button in the menu doesn't do anything. That's the next thing on my list.

Thank you guys!

#290031
Oct 14, 2022 17:39