A critical vulnerability was discovered in React Server Components (Next.js). Our Systems Remain Fully Protected. Learn More

AI OnAI Off

Issue with Azure AD Backend / Asp.NET Frontend Authentication provider (CMS 12, Commerce 14)

Van Pham Hong
Van Pham Hong
Vote:
 

I would like to build a login function with AzureAD for backend users and AspNetCore Identity for front-end users. I have followed the steps:

  • POC on the Foundation .NET 5 version: https://github.com/episerver/Foundation/tree/net5
  • Run the foundation project and sign up a new account on the front-end: customer1@example.com
  • Following guide: https://world.optimizely.com/documentation/developer-guides/CMS/security/integrate-azure-ad-using-openid-connect/
    • Install Microsoft.AspNetCore.Authentication.OpenIdConnect version 5.014
    • Comment out services.AddOpenIDConnect with "postman" block code
    • Add connect to AzureAD with an option (on app setting) that allow me to turn on/off this function.
  • //services.AddOpenIDConnect<SiteUser>(options =>
            //{
            //    //options.RequireHttps = !_webHostingEnvironment.IsDevelopment();
            //    var application = new OpenIDConnectApplication()
            //    {
            //        ClientId = "postman-client",
            //        ClientSecret = "postman",
            //        Scopes =
            //        {
            //            ContentDeliveryApiOptionsDefaults.Scope,
            //            ContentManagementApiOptionsDefaults.Scope,
            //            ContentDefinitionsApiOptionsDefaults.Scope,
            //        }
            //    };

            //    // Using Postman for testing purpose.
            //    // The authorization code is sent to postman after successful authentication.
            //    application.RedirectUris.Add(new Uri("https://oauth.pstmn.io/v1/callback"));
            //    options.Applications.Add(application);
            //    options.AllowResourceOwnerPasswordFlow = true;
            //});

            var azureAdConfigSection = _configuration.GetSection("AzureAd");
            var enableAzureAd = azureAdConfigSection.GetValue<bool>("EnableAzureAd");
            if (enableAzureAd)
            {
                services.AddAuthentication(options =>
                {
                    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
                })
                .AddCookie()
                .AddOpenIdConnect(
                    options =>
                    {
                        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                        options.ClientId = azureAdConfigSection.GetValue<string>("ClientId");
                        options.Authority = "https://login.microsoftonline.com/" + azureAdConfigSection.GetValue<string>("TenantId") + "/v2.0";
                        options.CallbackPath = "/signin-oidc";
                        options.Scope.Add("email");

                        options.TokenValidationParameters = new TokenValidationParameters
                        {
                            ValidateIssuer = false,
                            RoleClaimType = ClaimTypes.Role,
                            NameClaimType = ClaimTypes.Email
                        };

                        options.Events.OnAuthenticationFailed = context =>
                        {
                            context.HandleResponse();
                            context.Response.BodyWriter.WriteAsync(Encoding.ASCII.GetBytes(context.Exception.Message));
                            return Task.FromResult(0);
                        };

                        options.Events.OnTokenValidated = (ctx) =>
                        {
                            var redirectUri = new Uri(ctx.Properties.RedirectUri, UriKind.RelativeOrAbsolute);
                            if (redirectUri.IsAbsoluteUri)
                            {
                                ctx.Properties.RedirectUri = redirectUri.PathAndQuery;
                            }
                            //    
                            //Sync user and the roles to EPiServer in the background
                            ServiceLocator.Current.GetInstance<ISynchronizingUserService>().SynchronizeAsync(ctx.Principal.Identity as ClaimsIdentity);
                            return Task.FromResult(0);
                        };
                    });
            }

Result of "enabled" Azure AD:

  • Successfully log in with my Azure AD account for backend (https://localhost:44397/episerver/cms)
  • But, cannot log in on the font-end with the registered user "customer1@example.com". I have already tested on a new browser, for example, incognito. Here is the details:

When debugging I see that User.Identity.IsAuthenticated is always false after SignInManager SignIn:

Otherwise, if I disable Azure AD, we can get all claim and User.Identity.IsAuthenticated = true.  And we can log in front-end as normal.

Could you please take a look at the issue on the front-end login with AspNetCore Identity if I turn on the login backend with AzureAD?

Any help would be appreciated.

Thank you in advance...

#272374
Edited, Feb 17, 2022 7:58
Mark Hall
Mark Hall
Vote:
 

Authenication schemes work differently in net5.0 Please see Use multiple authentication schemes

#272466
Feb 17, 2022 23:47
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.