Vulnerability in EPiServer.Forms
I am trying to set up OpenIdConnect to connect to an Azure environment to authenticate my localhost CMS.
I am following the main example provided by Optimizely (with some tweaking for my specific Azure environment):
Now the problem was that after accessing "https://localhost:8001/episerver" and logging in, I get redirected to /Account/AccessDenied?ReturnUrl=%2Fepiserver.
However, if I access "https://localhost:8001/episerver/cms", there's no problem, I can log in without any issues.
I tried setting up the OpenIdConnect in a bare-bone CMS 12 project and got the same behavior. Here's the whole startup class:
using System.Globalization;
using System.Security.Claims;
using System.Threading.Tasks;
using EPiServer.Security;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
public class Startup
{
    private readonly IWebHostEnvironment _webHostingEnvironment;
    private readonly IConfiguration _configuration;
    public Startup(IWebHostEnvironment webHostingEnvironment, IConfiguration configuration)
    {
        _webHostingEnvironment = webHostingEnvironment;
        _configuration = configuration;
    }
    public void ConfigureServices(IServiceCollection services)
    {
        //Add development configuration
        // (the CMS service registration between here and the cookie options was lost when the class was pasted)
        services.ConfigureApplicationCookie(options => options.LoginPath = "/util/Login");
        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = "azure-cookie";
            options.DefaultChallengeScheme = "azure";
        })
        .AddCookie("azure-cookie", options =>
        {
            options.Events.OnSignedIn = async ctx =>
            {
                if (ctx.Principal?.Identity is ClaimsIdentity claimsIdentity)
                {
                    // Syncs user and roles so they are available to the CMS
                    var synchronizingUserService = ctx.HttpContext.RequestServices
                        .GetRequiredService<ISynchronizingUserService>();
                    await synchronizingUserService.SynchronizeAsync(claimsIdentity);
                }
            };
        })
        .AddOpenIdConnect("azure", options =>
        {
            options.SignInScheme = "azure-cookie";
            options.SignOutScheme = "azure-cookie";
            options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
            options.CallbackPath = "/callback";
            options.ClientSecret = _configuration.GetValue<string>("OpenId_ClientSecret");
            options.Authority = string.Format(CultureInfo.InvariantCulture, _configuration.GetValue<string>("OpenId_InstanceId"), _configuration.GetValue<string>("OpenId_Authority"));
            options.ClientId = _configuration.GetValue<string>("OpenId_ClientId");
            options.SignedOutRedirectUri = _configuration.GetValue<string>("OpenId_PostLogoutRedirectUri");
            options.TokenValidationParameters = new TokenValidationParameters
            {
                RoleClaimType = ClaimTypes.Role,
                ValidateIssuer = false, // issuer validation is switched off here; tokens are not checked against a specific tenant
            };
            options.Events.OnAuthenticationFailed = context => Task.CompletedTask; // handler body was not captured in the post
        });
    }
    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // pipeline setup (routing, authentication, authorization, endpoints) was not captured in the post
    }
}
Does anyone have an idea of what would be wrong in my setup?
/episerver is not a valid URL. So everything seems to work as expected.
Do you have Search & Navigation installed? The same issue happened to me because the Search & Navigation UI is the default view, and you need to configure the virtual roles to have access to it.
See my comment in this thread on how to configure the roles: https://world.optimizely.com/forum/developers-add-ons-forum/Search/Thread-Container/2022/7/search--navigation-oidc-authorization-issues/
And read this page to make sure all roles are configured correctly: https://docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/virtual-roles
@Johan Petersson - The situation is that when navigating to the root path you end up at the Search & Navigation manage view (/episerver#manage/statistics). Is there a way to configure what should be the default view? I would expect that the CMS edit view is the default, and I've seen multiple people struggling with setting up the virtual roles correctly when implementing SSO. Note that if you have the Content Manager installed, then that becomes the default view.
The other thing is that the access denied page returns a 404 (tried this in Foundation project). Is this even the right path /Account/AccessDenied?ReturnUrl=%2Fepiserver? The path comes from CookieAuthenticationDefaults.AccessDeniedPath in AspNetCore.
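To illustrate the two points raised above, that the CMS only grants access to views such as Search & Navigation once the signed-in user actually carries the expected roles, and that the cookie scheme's AccessDeniedPath must point at a page the site serves, here is an added C# example. It is not code from this thread or from Optimizely. It assumes a hypothetical AzureCmsRoleMapping class, placeholder group GUIDs, a hypothetical "SearchAdmins" role name, a tenant id read from configuration, and an assumed /util/AccessDenied route. It maps the Azure AD "groups" claim onto ClaimTypes.Role claims (which the OnSignedIn sync in the startup class above then pushes into the CMS) and configures the cookie scheme's access-denied page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;

// Added example (not code from the thread or from Optimizely): turn Azure AD group
// membership into the role claims the CMS authorizes on, and point the cookie
// scheme's AccessDeniedPath at a page the site actually serves.
public static class AzureCmsRoleMapping
{
    // Constructed sample mapping: Azure AD group object id -> CMS role name.
    // The GUIDs are placeholders; the role names are whatever your virtual roles
    // and UI access lists expect ("SearchAdmins" is a hypothetical name).
    public static readonly IReadOnlyDictionary<string, string> GroupToCmsRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["00000000-0000-0000-0000-000000000001"] = "WebEditors",
            ["00000000-0000-0000-0000-000000000002"] = "WebAdmins",
            ["00000000-0000-0000-0000-000000000003"] = "SearchAdmins",
        };

    // Adds a ClaimTypes.Role claim for every allow-listed group on the identity and
    // returns the roles that were added. Unmapped groups are ignored, so a directory
    // group grants nothing in the CMS unless it appears in the map.
    public static IReadOnlyList<string> AddCmsRoleClaims(
        ClaimsIdentity identity,
        IReadOnlyDictionary<string, string> groupToRole,
        ILogger logger = null)
    {
        var added = new List<string>();
        foreach (var groupId in identity.FindAll("groups").Select(c => c.Value))
        {
            if (!groupToRole.TryGetValue(groupId, out var role))
            {
                logger?.LogDebug("Ignoring unmapped Azure AD group {GroupId}", groupId);
                continue;
            }
            if (!identity.HasClaim(ClaimTypes.Role, role))
            {
                identity.AddClaim(new Claim(ClaimTypes.Role, role));
                added.Add(role);
            }
        }
        return added;
    }

    // Call from inside .AddOpenIdConnect("azure", options => { ... }) in Startup.
    // tenantId is assumed to come from configuration (single-tenant app registration).
    public static void ConfigureAzureOidc(OpenIdConnectOptions options, string tenantId)
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            RoleClaimType = ClaimTypes.Role,
            // Validate the issuer instead of switching it off: only tokens minted
            // for this tenant are accepted.
            ValidateIssuer = true,
            ValidIssuer = $"https://login.microsoftonline.com/{tenantId}/v2.0",
        };

        options.Events.OnTokenValidated = ctx =>
        {
            if (ctx.Principal?.Identity is ClaimsIdentity identity)
            {
                var logger = ctx.HttpContext.RequestServices
                    .GetRequiredService<ILoggerFactory>()
                    .CreateLogger(nameof(AzureCmsRoleMapping));
                var roles = AddCmsRoleClaims(identity, GroupToCmsRole, logger);
                // The cookie scheme's OnSignedIn handler (as in the thread) then syncs
                // these role claims into the CMS via ISynchronizingUserService.
                logger.LogInformation("Mapped {Count} CMS role(s) for {User}: {Roles}",
                    roles.Count, identity.Name, string.Join(", ", roles));
            }
            return Task.CompletedTask;
        };
    }

    // Call from inside .AddCookie("azure-cookie", options => { ... }).
    // "/util/AccessDenied" is an assumed route; the default "/Account/AccessDenied"
    // only works if the site serves it, which is what the 404 above points to.
    public static void ConfigureAzureCookie(CookieAuthenticationOptions options)
    {
        options.AccessDeniedPath = "/util/AccessDenied";
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    }
}
```

Two things to check when using this pattern: the app registration must be configured to emit the "groups" claim in the ID token (otherwise FindAll("groups") is empty and the user signs in with no roles, which is exactly the access-denied redirect described above), and Azure AD omits the claim entirely when a user belongs to more groups than fit in the token, replacing it with an overage indicator that has to be resolved through Microsoft Graph. Logging the mapped roles at sign-in makes both cases easy to spot.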
Hello @Johan Petersson,
You are totally right. I'm currently migrating from CMS 11 and was trying to replicate the fact that /episerver shows the Dashboard, and I guess I kinda missed the part that the Dashboard has not been ported over in CMS 12 (https://docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/breaking-changes-in-content-cloud-cms-12#dashboard). Plus, we didn't do anything in the Dashboard in CMS 11, so problem solved on that part. Thank you very much!
@Ynze, I'm trying to access the Search & Navigation page through the menu, and for some reason clicking on the Search & Navigation button in the menu doesn't do anything. That's the next thing on my list.
Thank you guys!