Hello Binay
I hope this blog from Okta can help:
https://developer.okta.com/blog/2019/08/15/episerver-csharp-aspnet-cms
It's written for CMS 11 (Episerver), but I hope it explains the steps.
David
Hi Team,
I am able to log in successfully through the Okta login interface, but the Edit page button does not get enabled. It is enabled with the regular CMS login interface.
If you navigate directly to /episerver after authenticating, are you taken to the CMS Edit interface?
I have a feeling you are authenticating, although the claims / roles are not being set.
Thank you for your reply. Below is the code I have used in Startup.cs. Can you please help me find where I am making a mistake?
// Startup.cs fragment. The usings were not in the original post and are added so it compiles.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using EPiServer.Security;
using EPiServer.ServiceLocation;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using Okta.AspNetCore;

private void ConfigureAuthentication(IServiceCollection services)
{
    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultSignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        //options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddOktaMvc(new OktaMvcOptions
    {
        OktaDomain = "https://mydomain.okta.com",
        AuthorizationServerId = "default",
        ClientId = "0oa584ey9vP8ibzZd5d8",
        // The client secret that appeared in the original post is redacted here. Load it from
        // configuration (user secrets, environment variable, key vault); never commit it to source.
        ClientSecret = "<client-secret>",
        Scope = new List<string> { "openid", "profile", "email" },
        CallbackPath = "/authorization-code/callback",
        GetClaimsFromUserInfoEndpoint = true,
        PostLogoutRedirectUri = "https://localhost:5000/",
        OpenIdConnectEvents = new OpenIdConnectEvents
        {
            OnAuthenticationFailed = async context =>
            {
                context.HandleResponse();
                // Writes the raw exception message to the client, which leaks internal detail.
                // Log it server-side and return a generic message in production.
                await context.Response.BodyWriter.WriteAsync(Encoding.ASCII.GetBytes(context.Exception.Message));
            },
            OnTokenValidated = async ctx =>
            {
                //var redirectUri = new Uri(ctx.Properties.RedirectUri, UriKind.RelativeOrAbsolute);
                var redirectUri = new Uri("https://localhost:5000/");
                // Sync the user and the roles on the identity to EPiServer.
                // Awaited (the original fired and forgot the task) so the sync completes before sign-in finishes.
                await ServiceLocator.Current.GetInstance<ISynchronizingUserService>()
                    .SynchronizeAsync(ctx.Principal.Identity as ClaimsIdentity);
                //var redirectUri = new Uri("/episerver", UriKind.RelativeOrAbsolute);
                if (redirectUri.IsAbsoluteUri)
                {
                    ctx.Properties.RedirectUri = redirectUri.PathAndQuery;
                }
            },
            OnRedirectToIdentityProvider = context =>
            {
                // To avoid a redirect loop to the federation server send 403
                // when user is authenticated but does not have access
                if (context.Response.StatusCode == 401 &&
                    context.HttpContext.User.Identity.IsAuthenticated)
                {
                    context.Response.StatusCode = 403;
                    context.HandleResponse();
                }
                // XHR requests cannot handle redirects to a login screen, return 401
                if (context.Response.StatusCode == 401 && IsXhrRequest(context.Request))
                {
                    context.HandleResponse();
                }
                return Task.CompletedTask;
            }
        }
    });

    // AddOktaMvc() does not allow setting the TokenValidationParameters in its options, so set them afterwards
    services.PostConfigureAll<OpenIdConnectOptions>(options =>
    {
        options.SignInScheme = "okta";
        options.SignOutScheme = "okta";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            RoleClaimType = ClaimTypes.Role,
            NameClaimType = ClaimTypes.Name,
            //ValidateIssuer = true
            //NameClaimType = "name",
            //RoleClaimType = "groups",
            RequireExpirationTime = true,
            RequireSignedTokens = true,
            ValidateIssuer = true,
            // ValidIssuer must equal the "iss" value the Authority below actually emits;
            // as posted the issuer host (mydomain) and the Authority host (dev-mydomain) differ.
            ValidIssuer = "https://mydomain.okta.com/oauth2/default",
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
            // Disabling audience validation accepts ID tokens minted for other clients of the
            // same authorization server; prefer ValidateAudience = true with ValidAudience = ClientId.
            ValidateAudience = false,
        };
        options.Authority = "https://dev-mydomain.okta.com/oauth2/default";
        options.SaveTokens = true;
    });

    services
        .AddAuthentication(options =>
        {
            options.DefaultScheme = "okta";
        })
        .AddCookie("Identity.Application")
        .AddCookie("okta")
        .AddPolicyScheme("policy-scheme", null, options =>
        {
            options.ForwardDefaultSelector = ctx =>
            {
                // PathString segments must begin with "/"; "episerver" without the slash throws at runtime.
                if (ctx.Request.Path.StartsWithSegments("/episerver", StringComparison.OrdinalIgnoreCase))
                {
                    return "Identity.Application";
                }
                return "okta";
            };
        });
}

// Referenced by OnRedirectToIdentityProvider but not included in the original post.
private static bool IsXhrRequest(HttpRequest request) =>
    string.Equals((string)request.Headers["X-Requested-With"], "XMLHttpRequest", StringComparison.OrdinalIgnoreCase);
I can't be exactly sure where you are going wrong, but if you inspect the authenticated user object, you can see what roles are being set:
var claimsIdentity = User.Identity as ClaimsIdentity;
If you are not managing your roles within Okta (you really should), you can do the following (NOT RECOMMENDED):
// ASP.NET Core's TokenValidatedContext exposes Principal (AuthenticationTicket is the OWIN/Katana property).
// Add the claim before the ISynchronizingUserService call so the role is persisted to Episerver.
(ctx.Principal.Identity as ClaimsIdentity)?.AddClaim(new Claim(ClaimTypes.Role, "WebAdmins"));
This goes within OnTokenValidated.
Alternatively, have a look at the claims transformer documentation found here:
https://developer.okta.com/blog/2017/10/04/aspnet-authorization
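Two ways to get roles onto the identity that the reply above touches on, as an added example (this is not code from the thread, from Okta or from Optimizely): mapping Okta group claims to ASP.NET role claims inside OnTokenValidated before Episerver's synchronizing user service runs, plus a helper for dumping the claims on the current user when diagnosing a missing role. It assumes the Okta authorization server is configured to put a "groups" claim in the ID token and that the group names match the Episerver role names you authorize against (for example WebAdmins); OktaClaimsMapping, MapGroupsToRoles, DescribeClaims and the sample group names are my own.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using EPiServer.Security;
using EPiServer.ServiceLocation;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

public static class OktaClaimsMapping
{
    // Okta emits group membership under a claim type named "groups" when the
    // authorization server's claim configuration includes it (assumption: it does).
    private const string OktaGroupsClaimType = "groups";

    // Copies every "groups" claim onto the identity as a standard role claim so that
    // RoleClaimType = ClaimTypes.Role (as in the TokenValidationParameters above),
    // [Authorize(Roles = ...)] and Episerver's role checks all see the membership.
    // Returns the number of role claims added; claims already present are not duplicated.
    public static int MapGroupsToRoles(ClaimsIdentity identity)
    {
        if (identity == null) return 0;

        var groups = identity.FindAll(OktaGroupsClaimType)
            .Select(c => c.Value)
            .Distinct()
            .ToList();

        var added = 0;
        foreach (var group in groups)
        {
            if (!identity.HasClaim(ClaimTypes.Role, group))
            {
                identity.AddClaim(new Claim(ClaimTypes.Role, group));
                added++;
            }
        }
        return added;
    }

    // Wire this as OpenIdConnectEvents.OnTokenValidated. Roles must be on the identity
    // before SynchronizeAsync runs, otherwise Episerver stores the user without them.
    public static async Task OnTokenValidated(TokenValidatedContext ctx)
    {
        var identity = ctx.Principal?.Identity as ClaimsIdentity;
        if (identity == null) return;

        MapGroupsToRoles(identity);

        // Episerver's synchronizing user service persists the user and its role claims.
        await ServiceLocator.Current
            .GetInstance<ISynchronizingUserService>()
            .SynchronizeAsync(identity);
    }

    // Troubleshooting aid: one "type = value" line per claim on the signed-in user.
    // Call it from a controller action or Razor page while diagnosing missing roles,
    // and remove it afterwards; it reveals token contents to whoever can reach that page.
    public static string DescribeClaims(ClaimsPrincipal user) =>
        string.Join("\n", user.Claims.Select(c => $"{c.Type} = {c.Value}"));
}
```

One caveat: if the groups are delivered only by the userinfo endpoint (GetClaimsFromUserInfoEndpoint = true), they are not on ctx.Principal yet when OnTokenValidated fires, because the OIDC handler validates the ID token first and calls userinfo afterwards. In that case do the same mapping and sync in OnUserInformationReceived, whose context exposes the same Principal.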
Hi Minesh Shah (Netcel),
Thank you. Your suggestion worked: after adding the role, the Edit page button is displaying. But after clicking on that button it does not redirect into edit mode. It goes into an infinite loop on the same page. Do you have any idea how to redirect into edit mode?
Hi Team,
Can anyone please help me resolve the issue? I am able to sign in successfully through the Okta login interface, but I am not able to redirect into edit mode. It goes into an infinite loop on the same page. Please guide me if anyone has any idea or solution.
Can't be 100%, but your redirect URI is hard-coded to localhost:5000. This could be the reason you are always being redirected back to the homepage. What happens when you comment this out and use
var redirectUri = new Uri(ctx.Properties.RedirectUri, UriKind.RelativeOrAbsolute);
Once you have updated the redirectUri, also try commenting out the PostConfigureAll section.
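As an added example (not code from this thread or from Okta), here is an OnTokenValidated handler that follows the suggestion above: it keeps the return URL the challenge stored in ctx.Properties.RedirectUri, so the user lands back on /episerver or whatever deep link they started from instead of a fixed host, and it only accepts a local path or an http(s) URL on the request's own host, so the sign-in callback cannot be turned into an open redirect. SafeReturnUrl, IsLocalPath and ResolveReturnUrl are my own names.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

public static class SafeReturnUrl
{
    // Same rules as ASP.NET Core's IUrlHelper.IsLocalUrl, minus the "~/" form (the OIDC
    // handler redirects to the value verbatim and does not resolve virtual paths):
    // a single leading "/", not "//" or "/\" (protocol-relative tricks), no control characters.
    public static bool IsLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;

        foreach (var c in url)
        {
            if (char.IsControl(c)) return false;
        }
        return true;
    }

    // Reduces whatever was stored as the return URL to something safe to redirect to:
    // a local path is used as-is, an absolute http(s) URL on our own host is reduced to
    // its path and query, and anything else (other hosts, other schemes, empty) goes to "/".
    public static string ResolveReturnUrl(string returnUrl, string requestHost)
    {
        // Check IsLocalPath first: on Linux/macOS, Uri.TryCreate treats "/episerver"
        // as an absolute file:// URI, so the order of these checks matters.
        if (IsLocalPath(returnUrl)) return returnUrl;

        if (Uri.TryCreate(returnUrl, UriKind.Absolute, out var absolute)
            && (absolute.Scheme == Uri.UriSchemeHttps || absolute.Scheme == Uri.UriSchemeHttp)
            && string.Equals(absolute.Host, requestHost, StringComparison.OrdinalIgnoreCase))
        {
            return absolute.PathAndQuery;
        }
        return "/";
    }

    // Wire as OpenIdConnectEvents.OnTokenValidated. The challenge that started the round
    // trip stored the originally requested page in Properties.RedirectUri (carried through
    // the OIDC state parameter); reuse it rather than a hard-coded "https://localhost:5000/".
    public static Task OnTokenValidated(TokenValidatedContext ctx)
    {
        ctx.Properties.RedirectUri = ResolveReturnUrl(ctx.Properties.RedirectUri, ctx.Request.Host.Host);
        return Task.CompletedTask;
    }
}
```

With this in place, ResolveReturnUrl("/episerver/cms", "localhost") returns "/episerver/cms", ResolveReturnUrl("https://localhost:5000/episerver", "localhost") returns "/episerver", and ResolveReturnUrl("https://attacker.example/", "localhost") and ResolveReturnUrl("//attacker.example", "localhost") both return "/".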
Hi Team,
I wanted to implement Okta authentication in my application instead of the regular login for the CMS edit/admin section. Please guide and help!