Content Delivery API: configuring OAuth


Hi,

We're trying to configure OAuth in our setup of the Content Delivery API, and have followed the instructions in the official documentation for doing so: https://world.episerver.com/documentation/developer-guides/content-delivery-api/configuration/#OAuth 

We have added the EPiServer.ContentApi.OAuth NuGet package, and then added the following line in Startup.cs (as per the official documentation, and also as explained in this accepted answer on the developers forum: https://world.episerver.com/forum/developer-forum/Addons/Thread-Container/2018/11/content-delivery-api---404-on-apiepiserverauthtoken/#199421)

app.UseContentApiIdentityOAuthAuthorization<ApplicationUserManager<ApplicationUser>, ApplicationUser>(new ContentApiOAuthOptions()
{
    RequireSsl = false
});

However, none of the explanations in the referenced links contain information about the implementation of ApplicationUserManager and ApplicationUser. Are we supposed to implement them ourselves? In that case, do you have any documentation on how they should be implemented?

- Thomas

#206620
Edited, Aug 27, 2019 8:57

Did you find any input on it? I am on the same issue currently.

#218005
Mar 03, 2020 23:05
Thomas Wolff - Mar 04, 2020 7:14
No, we have decided not to use OAuth in our case after all, so we have not looked further into this.

Hi,

You can use the default implementation of CMS UI for both ApplicationUserManager and ApplicationUser. The Alloy sample site for Content Delivery already has the sample configuration in Startup.cs; you can check it out to investigate more.

#219111
Mar 30, 2020 3:42

What did you end up using instead of OAuth?

#227782
Sep 12, 2020 4:46

Hi

If you haven't set up the OWIN authentication before adding the OAuth package, have a look at this documentation page. It basically details how to set up ASP.NET Identity authentication, which can then be used to access the Content Delivery API through the OAuth package.

Usually you can follow the first three steps on the page, and skip the rest of the page.

#227807
Sep 13, 2020 16:41

I was using the OIDC framework with Okta in my startup, so I figured out I just had to use the well-known OpenID configuration endpoint. This is what I used, and it seems to work fine.

// Discovery document for the OIDC provider; ConfigurationManager caches it and the signing keys
var authority = OpenIDConfiguration.Authority;
var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
    authority + "/.well-known/openid-configuration",
    new OpenIdConnectConfigurationRetriever(),
    new HttpDocumentRetriever());

app.UseJwtBearerAuthentication(
    new JwtBearerAuthenticationOptions
    {
        AuthenticationMode = AuthenticationMode.Active,

        TokenValidationParameters = new TokenValidationParameters()
        {
            NameClaimType = JwtClaimTypes.Name,
            RoleClaimType = OpenIDConfiguration.Permission,
            ValidateAudience = false, // the token's "aud" claim is not checked
            ValidIssuer = authority,

            // Resolve signing keys from the discovery document at validation time
            IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) =>
            {
                var discoveryDocument = Task.Run(() => configurationManager.GetConfigurationAsync()).GetAwaiter().GetResult();
                return discoveryDocument.SigningKeys;
            }
        }
    });

#236603
Dec 07, 2020 14:33
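
Added example, not part of the thread or of any poster's code: a console program showing what the ValidateAudience setting in the configuration above decides, by validating two locally minted tokens under audience-unchecked and audience-pinned parameters. The issuer, audiences and HMAC key are constructed for the demo (a real OIDC provider signs with asymmetric keys from its discovery document), and the System.IdentityModel.Tokens.Jwt NuGet package is assumed.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class AudienceCheckDemo
{
    // Constructed demo values; none of these come from the thread.
    const string Issuer = "https://idp.example.test";
    const string OurApi = "api://content-delivery";
    const string OtherApp = "api://some-other-app";
    static readonly SymmetricSecurityKey Key = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("constructed-demo-signing-key-not-a-secret"));

    // Mint a short-lived token from the same issuer for the given audience.
    static string Mint(string audience)
    {
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = audience,
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256)
        }));
    }

    // True when the handler accepts the token under the given parameters.
    static bool Accepts(TokenValidationParameters p, string jwt)
    {
        try { new JwtSecurityTokenHandler().ValidateToken(jwt, p, out SecurityToken validated); return true; }
        catch (SecurityTokenException) { return false; }
    }

    public static void Main()
    {
        var unchecked_ = new TokenValidationParameters
        { ValidIssuer = Issuer, IssuerSigningKey = Key, ValidateAudience = false };
        var pinned = new TokenValidationParameters
        { ValidIssuer = Issuer, IssuerSigningKey = Key, ValidateAudience = true, ValidAudience = OurApi };

        string foreign = Mint(OtherApp), ours = Mint(OurApi);
        Console.WriteLine("aud unchecked, token for other app: " + Accepts(unchecked_, foreign));
        Console.WriteLine("aud pinned,    token for other app: " + Accepts(pinned, foreign));
        Console.WriteLine("aud pinned,    token for our API:   " + Accepts(pinned, ours));
    }
}
```

With the audience unchecked, a correctly signed token that the same issuer minted for a different application passes validation; pinning ValidAudience restricts acceptance to tokens issued for this API.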

It seems what people are usually after requires removing the CD API OAuth packages (those are only needed in case you need integration with local AspNetIdentity and need a local token provider) and instead using OIDC for auth in general, leaning on either cookie security or validating the token on their own.

Similar thread: https://world.episerver.com/forum/developer-forum/-Episerver-75-CMS/Thread-Container/2020/12/content-delivery-api---401-unauthorized/

Example on how to do it on my blog: https://krompaco.nu/2018/12/content-delivery-api-and-custom-authorization/

#246644
Edited, Jan 11, 2021 15:58