Optimizely-Okta Authentication

Hi Team,

  I wanted to implement Okta authentication in my application instead of the regular login for the CMS edit/admin section. Please guide and help!

#290291
Oct 19, 2022 6:17
Hello Binay

I hope this blog from Okta can help: 

https://developer.okta.com/blog/2019/08/15/episerver-csharp-aspnet-cms

It's written for CMS 11 (Episerver) but I hope it explains the steps.

David

#290296
Oct 19, 2022 8:37
Hi Team,

   I am able to log in successfully through the Okta login interface, but the edit page button does not get enabled. It is enabled with the regular CMS login interface.

#290391
Edited, Oct 21, 2022 6:25
If you navigate directly to /episerver after authenticating, are you taken to the CMS Edit interface?

I have a feeling you are authenticating, although the claims / roles are not being set.

#290393
Oct 21, 2022 9:43
Hi Minesh Shah (Netcel)

  Thank you for your reply. Below is the code I have used in startup.cs. Can you please help me find where I am making a mistake?

 // Namespaces this Startup method depends on:
 using System;
 using System.Collections.Generic;
 using System.Security.Claims;
 using System.Threading.Tasks;
 using EPiServer.Security;
 using EPiServer.ServiceLocation;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.IdentityModel.Tokens;
 using Okta.AspNetCore;

 // Inside the Startup class:
 private void ConfigureAuthentication(IServiceCollection services)
 {
            services.AddAuthentication(options =>
            {
                // Cookie holds the session; Okta (OIDC) handles the login challenge
                options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultSignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                //options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddOktaMvc(new OktaMvcOptions
            {
                OktaDomain = "https://mydomain.okta.com",
                AuthorizationServerId = "default",
                ClientId = "0oa584ey9vP8ibzZd5d8",
                // The client secret belongs in configuration / a secret store, not in source
                ClientSecret = "Bs-hZgJjvcP8j3VF8hXLlXg6pnMO5P47QyombzpK",
                Scope = new List<string> { "openid", "profile", "email" },
                CallbackPath = "/authorization-code/callback",
                GetClaimsFromUserInfoEndpoint = true,
                PostLogoutRedirectUri = "https://localhost:5000/",
                OpenIdConnectEvents = new OpenIdConnectEvents
                {
                    OnAuthenticationFailed = context =>
                    {
                        // Short-circuit the pipeline and write the failure reason to the response
                        context.HandleResponse();
                        return context.Response.WriteAsync(context.Exception.Message);
                    },
                    OnTokenValidated = (ctx) =>
                    {
                        //var redirectUri = new Uri(ctx.Properties.RedirectUri, UriKind.RelativeOrAbsolute);
                        // Hard-coded target: every login returns to the site root
                        var redirectUri = new Uri("https://localhost:5000/");

                        // Sync user and the roles to EPiServer in the background (not awaited)
                        ServiceLocator.Current.GetInstance<ISynchronizingUserService>()
                            .SynchronizeAsync(ctx.Principal.Identity as ClaimsIdentity);
                        //var redirectUri = new Uri("/episerver", UriKind.RelativeOrAbsolute);
                        if (redirectUri.IsAbsoluteUri)
                        {
                            ctx.Properties.RedirectUri = redirectUri.PathAndQuery;
                        }
                        return Task.CompletedTask;
                    },
                    OnRedirectToIdentityProvider = context =>
                    {
                        // To avoid a redirect loop to the federation server send 403
                        // when user is authenticated but does not have access
                        if (context.Response.StatusCode == 401 &&
                            context.HttpContext.User.Identity.IsAuthenticated)
                        {
                            context.Response.StatusCode = 403;
                            context.HandleResponse();
                        }

                        // XHR requests cannot handle redirects to a login screen, return 401
                        if (context.Response.StatusCode == 401 && IsXhrRequest(context.Request))
                        {
                            context.HandleResponse();
                        }

                        return Task.CompletedTask;
                    }
                }
            });

            //AddOktaMvc() does not allow to set the TokenValidationParameters in its parameters, so we need to do it afterwards
            services.PostConfigureAll<OpenIdConnectOptions>(options =>
            {
                // Sign the OIDC result into the "okta" cookie registered below
                options.SignInScheme = "okta";
                options.SignOutScheme = "okta";

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    RoleClaimType = ClaimTypes.Role,
                    NameClaimType = ClaimTypes.Name,
                    //ValidateIssuer = true

                    //NameClaimType = "name",
                    //RoleClaimType = "groups",
                    RequireExpirationTime = true,
                    RequireSignedTokens = true,
                    ValidateIssuer = true,
                    ValidIssuer = "https://mydomain.okta.com/oauth2/default",
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(2),
                    ValidateAudience = false,
                };
                options.Authority = "https://dev-mydomain.okta.com/oauth2/default";
                options.SaveTokens = true;
            });

            // Second AddAuthentication call: this DefaultScheme overrides the defaults set above
            services
            .AddAuthentication(options =>
             {
                options.DefaultScheme = "okta";
             })
            .AddCookie("Identity.Application")
            .AddCookie("okta")
            .AddPolicyScheme("policy-scheme", null, options =>
             {
                // Route /episerver requests to the CMS identity cookie, everything else to Okta.
                // PathString values must start with "/" (a bare "episerver" throws).
                options.ForwardDefaultSelector = ctx =>
                {
                    if (ctx.Request.Path.StartsWithSegments("/episerver", StringComparison.OrdinalIgnoreCase))
                    {
                        return "Identity.Application";
                    }
                    return "okta";
                };
             });
 }

 // Helper referenced above but not shown in the original post (assumed implementation):
 // treats a request as XHR when it carries the X-Requested-With marker.
 private static bool IsXhrRequest(HttpRequest request)
 {
     const string xhr = "XMLHttpRequest";
     return string.Equals(request.Headers["X-Requested-With"], xhr, StringComparison.OrdinalIgnoreCase)
         || string.Equals(request.Query["X-Requested-With"], xhr, StringComparison.OrdinalIgnoreCase);
 }

#290394
Oct 21, 2022 10:15
I can't be exactly sure where you are going wrong, but if you can inspect the authenticated user object, you can see what roles are being set:

var claimsIdentity = User.Identity as ClaimsIdentity;

If you are not managing your roles within Okta (you really should), you can do the following (NOT RECOMMENDED):

ctx.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, "WebAdmins"));

This goes within OnTokenValidated.

Alternatively, have a look at the claims transformer documentation found here:

https://developer.okta.com/blog/2017/10/04/aspnet-authorization

#290395
Edited, Oct 21, 2022 10:30
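A worked version of the recommended approach above (roles driven by what Okta asserts rather than a hard-coded claim), as an added example that is not code from this thread, Okta or Optimizely. It assumes the Okta authorization server is configured to emit a "groups" claim, and the group names in the mapping are placeholders:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using EPiServer.Security;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper: derives CMS roles from the Okta "groups" claim through an
// explicit allow-list, then lets Optimizely sync the identity. Wire it up with
// OpenIdConnectEvents { OnTokenValidated = OktaRoleMapping.OnTokenValidated }.
public static class OktaRoleMapping
{
    // Assumed mapping; the Okta group names on the left are placeholders.
    private static readonly Dictionary<string, string> GroupToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["cms-editors"] = "WebEditors",
            ["cms-admins"] = "WebAdmins",
        };

    // Only groups in the allow-list become roles; any other group the IdP
    // sends is ignored instead of being granted.
    public static IReadOnlyList<string> MapGroupsToRoles(IEnumerable<string> groups) =>
        groups.Where(g => GroupToRole.ContainsKey(g))
              .Select(g => GroupToRole[g])
              .Distinct()
              .ToList();

    public static async Task OnTokenValidated(TokenValidatedContext ctx)
    {
        if (!(ctx.Principal?.Identity is ClaimsIdentity identity))
        {
            return;
        }

        var groups = identity.FindAll("groups").Select(c => c.Value);
        foreach (var role in MapGroupsToRoles(groups))
        {
            if (!identity.HasClaim(ClaimTypes.Role, role))
            {
                identity.AddClaim(new Claim(ClaimTypes.Role, role));
            }
        }

        // Await the sync so the roles exist in the CMS before the first request
        // to /episerver; ctx.Properties.RedirectUri is deliberately left untouched.
        var sync = ctx.HttpContext.RequestServices.GetRequiredService<ISynchronizingUserService>();
        await sync.SynchronizeAsync(identity);
    }
}
```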
Hi Minesh Shah (Netcel) ,

   Thank you, your suggestion worked; after adding the role, the edit page button is displayed. But after clicking on that button it does not redirect into edit mode. It goes into an infinite loop on the same page. Do you have any idea how to redirect into edit mode?

#290396
Oct 21, 2022 12:57
Hi Team,

  Can anyone please help me resolve the issue? I am able to sign in successfully through the Okta login interface, but I am not able to redirect into edit mode. It goes into an infinite loop on the same page. Please guide me if anyone has any idea or solution.

#290676
Oct 27, 2022 15:06
Can't be 100% sure, but your redirect URI is hard-coded to localhost:5000; this could be the reason you are always being redirected back to the homepage. What happens when you comment this out and use

var redirectUri = new Uri(ctx.Properties.RedirectUri, UriKind.RelativeOrAbsolute);

Once you have updated the redirectUri, also try commenting out the PostConfigureAll section.

#290714
Oct 28, 2022 2:37
Minesh Shah (Netcel), your suggestion worked. Thank you so much!

#290848
Oct 31, 2022 13:36