Cannot enter /episerver and /episerver/cms after login -- access denied


Hi

I'm logging in via OpenID; after login I am redirected to the access denied page - it seems that Epi does not recognize me as a WebAdmin.

I have (what looks like) a proper cookie in the browser after logging in.

I'm redirected to either:
/Account/AccessDenied?ReturnUrl=%2Fepiserver

or /Account/AccessDenied?ReturnUrl=%2Fepiserver%2Fcms

I am using this tutorial to no avail: https:// (I cannot enter hyperlinks because reasons) docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/integrate-azure-ad-using-openid-connect

I've even tried to force-add claims to the user:

    // Cookie handler used as the sign-in scheme for the OpenID Connect login;
    // the roles are force-added in the cookie handler's OnSignedIn event
    .AddCookie("azure-cookie", options =>
    {
        options.Events.OnSignedIn = async ctx =>
        {
            if (ctx.Principal?.Identity is ClaimsIdentity claimsIdentity)
            {
                // Grant both CMS roles to the signed-in identity, tagged with a custom issuer
                claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, "WebAdmins", ClaimValueTypes.String, "Handmade"));
                claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, "WebEditors", ClaimValueTypes.String, "Handmade"));

                // Push the identity and its roles into the CMS user store
                var synchronizingUserService = ctx
                    .HttpContext
                    .RequestServices
                    .GetRequiredService<ISynchronizingUserService>();

                await synchronizingUserService.SynchronizeAsync(claimsIdentity).ConfigureAwait(false);
            }
        };
    })

appsettings.json:

  "EPiServer": {
    "Find": {
...
    },
    "Cms": {
...
    },
    "Licensing": {
...
    },
    "MappedRoles": {
      "Items": {
        "CmsAdmins": {
          "MappedRoles": [ "WebAdmins", "Administrators" ],
          "ShouldMatchAll": "false"
        },
        "CmsEditors": {
          "MappedRoles": [ "WebEditors" ],
          "ShouldMatchAll": "false"
        },
        "CommerceAdmins": {
          "MappedRoles": [ "WebAdmins", "Administrators" ],
          "ShouldMatchAll": "false"
        },
        "FindAdmins": {
          "MappedRoles": [ "WebAdmins", "Administrators" ],
          "ShouldMatchAll": "false"
        },
        "SearchAdmins": {
          "MappedRoles": [ "WebAdmins", "Administrators" ],
          "ShouldMatchAll": "false"
        }
      }
    }
  }

I'm pretty sure I am missing something but can't find what.

#292900
Edited, Dec 09, 2022 8:56

For future generations:
If you want to add a custom claim, you have to do it inside:

options.Events.OnTokenValidated:

    // Chain after whatever OnTokenValidated handler was already registered, then add the claims
    var previousOnTokenValidatedHandler = options.Events.OnTokenValidated;
    options.Events.OnTokenValidated = async context =>
    {
        await previousOnTokenValidatedHandler(context).ConfigureAwait(false);
        if (context.Principal?.Identity is ClaimsIdentity claimsIdentity)
        {
            // Role claims added at this point end up in the authentication cookie
            claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, "WebAdmins", ClaimValueTypes.String, "Handmade"));
            claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, "WebEditors", ClaimValueTypes.String, "Handmade"));
        }
    };
#293208
Dec 15, 2022 13:48
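Added example (editor's code, not from either post above or from Optimizely's tutorial): the complete OpenID Connect registration with the role mapping done in OnTokenValidated. The reason the first attempt failed is that the cookie handler's OnSignedIn event fires after the authentication ticket has already been serialized into the cookie, so claims added there are never persisted; OnTokenValidated on the OpenID Connect handler runs before the sign-in, so changes to context.Principal flow into the cookie and into the CMS role checks. Unlike the snippets above, this version does not grant WebAdmins to every user who can authenticate against the tenant: it only adds a CMS role when the identity provider sent a matching role. Assumptions: the IdP emits role or group names in a "roles" claim, the values "CMS-Admins" and "CMS-Editors" are placeholders for whatever your tenant actually sends, and ISynchronizingUserService (EPiServer.Security) is registered as in a standard CMS 12 site.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using EPiServer.Security;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

public static class AzureAdAuthenticationExtensions
{
    // Assumed mapping from the role values the identity provider emits to the
    // role names that the EPiServer:MappedRoles configuration understands.
    // "CMS-Admins" / "CMS-Editors" are placeholders, not real tenant values.
    private static readonly Dictionary<string, string> IdpRoleToCmsRole = new()
    {
        ["CMS-Admins"] = "WebAdmins",
        ["CMS-Editors"] = "WebEditors",
    };

    public static IServiceCollection AddAzureAdAuthentication(
        this IServiceCollection services, string authority, string clientId, string clientSecret)
    {
        services
            .AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            // The cookie handler only stores the ticket. Do not mutate the principal in
            // its OnSignedIn event: that event fires after the cookie has been written,
            // so claims added there never reach later requests.
            .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
            {
                options.Authority = authority;
                options.ClientId = clientId;
                options.ClientSecret = clientSecret; // load from a secret store, not appsettings
                options.ResponseType = "code";
                options.UsePkce = true;
                options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                // Assumed: the IdP puts group/app-role names in a "roles" claim.
                options.TokenValidationParameters.RoleClaimType = "roles";
                options.TokenValidationParameters.NameClaimType = "preferred_username";

                // Runs after the id_token has been validated and before the cookie
                // sign-in, so changes to context.Principal are persisted in the cookie.
                options.Events.OnTokenValidated = async context =>
                {
                    if (context.Principal?.Identity is not ClaimsIdentity identity)
                    {
                        return;
                    }

                    // Use the identity's own role claim type so IsInRole() and the CMS
                    // role checks see the new claims regardless of RoleClaimType.
                    var roleType = identity.RoleClaimType;

                    // Materialize the list first: adding claims while FindAll() is still
                    // enumerating the identity's claim collection would throw.
                    var cmsRoles = identity.FindAll(roleType)
                        .Select(c => c.Value)
                        .Where(IdpRoleToCmsRole.ContainsKey)
                        .Select(v => IdpRoleToCmsRole[v])
                        .Distinct()
                        .ToList();

                    foreach (var role in cmsRoles)
                    {
                        identity.AddClaim(new Claim(roleType, role, ClaimValueTypes.String, "AzureAdRoleMapping"));
                    }

                    // Store the user and roles in the CMS so they can be selected in the
                    // access-rights dialogs; the same service the posts above call.
                    var sync = context.HttpContext.RequestServices
                        .GetRequiredService<ISynchronizingUserService>();
                    await sync.SynchronizeAsync(identity).ConfigureAwait(false);
                };
            });

        return services;
    }
}
```

Wire it up with `services.AddAzureAdAuthentication(authority, clientId, clientSecret)` in Startup/Program before the CMS services, and keep the MappedRoles section from the question as it is: CmsAdmins still resolves from WebAdmins, but a user only becomes a WebAdmin when the IdP vouched for a role you chose to map.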