November Happy Hour will be moved to Thursday December 5th.
AI OnAI Off
Optimizely-Okta Authentication
Hello Binay
I hope this blog from Okta can help:
https://developer.okta.com/blog/2019/08/15/episerver-csharp-aspnet-cms
It's written for CMS 11 (Episerver) but hope explains the steps.
David
Oct 19, 2022 8:37
Hi Team,
I am able to logged in successfully through okta login interface but edit page button is not got enabled . But It is enabled with regular cms login interface.
Edited,
Oct 21, 2022 6:25
If you navigate directly to /episerver after authenticating are you taken to the CMS Edit interface ?
I have a feeling you are authenticating although the Claims / Roles are not being set.
Oct 21, 2022 9:43
Thank you for your reply. Below code I have used in startup.cs . Can you please help me where I am doing mistake ?
private void ConfigureAuthentication(IServiceCollection services)
{
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme;
//options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddOktaMvc(new OktaMvcOptions
{
OktaDomain = "https://mydomain.okta.com",
AuthorizationServerId = "default",
ClientId = "0oa584ey9vP8ibzZd5d8",
ClientSecret = "Bs-hZgJjvcP8j3VF8hXLlXg6pnMO5P47QyombzpK",
Scope = new List<string> { "openid", "profile", "email" },
CallbackPath = "/authorization-code/callback",
GetClaimsFromUserInfoEndpoint = true,
PostLogoutRedirectUri = "https://localhost:5000/",
OpenIdConnectEvents = new OpenIdConnectEvents
{
OnAuthenticationFailed = context =>
{
context.HandleResponse();
context.Response.BodyWriter.WriteAsync(Encoding.ASCII.GetBytes(context.Exception.Message));
return Task.FromResult(0);
},
OnTokenValidated = (ctx) =>
{
//var redirectUri = new Uri(ctx.Properties.RedirectUri, UriKind.RelativeOrAbsolute);
var redirectUri = new Uri("https://localhost:5000/");
//Sync user and the roles to EPiServer in the background
ServiceLocator.Current.GetInstance<ISynchronizingUserService>().SynchronizeAsync(ctx.Principal.Identity as ClaimsIdentity);
//var redirectUri = new Uri("/episerver", UriKind.RelativeOrAbsolute);
if (redirectUri.IsAbsoluteUri)
{
ctx.Properties.RedirectUri = redirectUri.PathAndQuery;
}
return Task.FromResult(0);
},
OnRedirectToIdentityProvider = context =>
{
// To avoid a redirect loop to the federation server send 403
// when user is authenticated but does not have access
if (context.Response.StatusCode == 401 &&
context.HttpContext.User.Identity.IsAuthenticated)
{
context.Response.StatusCode = 403;
context.HandleResponse();
}
// XHR requests cannot handle redirects to a login screen, return 401
if (context.Response.StatusCode == 401 && IsXhrRequest(context.Request))
context.HandleResponse();
return Task.CompletedTask;
}
}
});
//AddOktaMvc() does not allow to set the TokenValidationParameters in its parameters, so we need to do it afterwards
services.PostConfigureAll<OpenIdConnectOptions>(options =>
{
options.SignInScheme = "okta";
options.SignOutScheme = "okta";
options.TokenValidationParameters = new TokenValidationParameters
{
RoleClaimType = ClaimTypes.Role,
NameClaimType = ClaimTypes.Name,
//ValidateIssuer = true
//NameClaimType = "name",
//RoleClaimType = "groups",
RequireExpirationTime = true,
RequireSignedTokens = true,
ValidateIssuer = true,
ValidIssuer = "https://mydomain.okta.com/oauth2/default",
ValidateLifetime = true,
ClockSkew = TimeSpan.FromMinutes(2),
ValidateAudience = false,
};
options.Authority = "https://dev-mydomain.okta.com/oauth2/default";
options.SaveTokens = true;
});
services
.AddAuthentication(options =>
{
options.DefaultScheme = "okta";
})
.AddCookie("Identity.Application")
.AddCookie("okta")
.AddPolicyScheme("policy-scheme", null, options =>
{
options.ForwardDefaultSelector = ctx =>
{
if (ctx.Request.Path.StartsWithSegments("episerver", StringComparison.OrdinalIgnoreCase))
{
return "Identity.Application";
}
return "okta";
};
});
}
Oct 21, 2022 10:15
I cant be exactly sure where you are going wrong but if you can inspect the authenticated user object, here you can see what roles are being set
var claimsIdentity = User.Identity as ClaimsIdentity;If you are not managing your roles within OKTA (you really should do) you can do the following (NOT RECOMMENDED) :
ctx.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, "WebAdmins"));This goes within OnTokenValidated
Alternatively have a look at the Claims Transformer Documentation found here :
https://developer.okta.com/blog/2017/10/04/aspnet-authorization
Edited,
Oct 21, 2022 10:30
Hi Minesh Shah (Netcel) ,
Thank you, Your suggestion worked after adding the role edit page button is displaying. But after click on that button It's not redirect into the edit mode. It is going to infinte loop on the same page. Do you have any idea how to redirect into the edit mode ?
Oct 21, 2022 12:57
Hi Team,
Can anyone please help me to resolve the issue. I am able to signed in successfully through okta login interface . But I am not able to redirect inside the edit mode. It is going to infinte loop on the same page. Please guide me if anyone have any idea or solution.
Oct 27, 2022 15:06
Cant be 100% but your redirect uri is hard coded to localhost:5000, this could be the reason you are always being redirected back to homepage, what happens when you comment this out and use
var redirectUri = new Uri(ctx.Properties.RedirectUri, UriKind.RelativeOrAbsolute);
Once you have updated the redirectUri, also try commenting out the PostConfigureAll section.
Oct 28, 2022 2:37
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
Hi Team,
I wanted to implmente Okta authentication in my application instead regular login for cms edit/admin section. Please guide and help..!