identity server 4 and backoffice external login in umbraco 9

Marco Graziotti 40 posts 166 karma points c-trib

Jul 16, 2021 @ 10:01

Identity Server 4 and backoffice external login in Umbraco 9

Hi,

I'm trying to retrieve some information about the possibility to implement Identity Server 4 for the backoffice login in Umbraco 9.

I saw that in ConfigureServices() it's possible to use AddBackOfficeExternalLogins(). Is there any reference guide to implement a third party backoffice login service? Any suggestions?

I also found this discussion that seems interesting.

Thank you, Marco

Copy Link

Keith 76 posts 242 karma points

Jul 20, 2021 @ 23:35

Hi Marco,

This is the code I used on that other discussion you linked to. It worked for me using Azure AD B2C, but I would imagine the config is very similar for Identity Server 4.

Its not fully tested and Im sure someone will post something better, but might be of use to you.

            services.AddUmbraco(_env, _config)
            .AddBackOffice()
            // new code
            .AddBackOfficeExternalLogins(builder =>
                builder.AddBackOfficeLogin(
                    new BackOfficeExternalLoginProviderOptions(
                        "btn-primary", // button stype
                        "fa-windows", // icon
                        new ExternalSignInAutoLinkOptions(
                            true, // autolink
                            null, // default groups,
                            null, //default culture,
                            true), //allowManualLinking
                        true, // deny local login
                        false, // autoredirect local login to external login
                        null), // custom backoffice view
                    build =>
                        build.AddOpenIdConnect(
                            build.SchemeForBackOffice(OpenIdConnectDefaults.AuthenticationScheme),
                            "AD B2C",
                            options =>
                            {
                                options.RemoteSignOutPath = "/oidc-signout";
                                options.MetadataAddress = "path-to-my /.well-known";
                                options.ClientId = "my-client-id";
                                options.SignedOutRedirectUri = "https://myumbracosite.com/umbraco";
                                options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
                                {
                                    NameClaimType = "name"
                                };
                            }
                        )
                )
            )
            // end of new code
            .AddWebsite()
            .AddComposers()
            .Build();

"autolink" is what is used to automatically create an umbraco user when someone signs in with your external provider. Without this, you need to create each umbraco user first, ask them to log in and manually perform a link to their external identity.

Copy Link

Marco Graziotti 40 posts 166 karma points c-trib

Aug 23, 2021 @ 15:56

Hi Keith,

thank you for your reply.

This snippet was useful, but I couldn't test it because of this bug in Umbraco 9 RC1 (here more details), that should be fixed in the RC2 release.

I have just updated my solution to RC2, and builder.AddBackOfficeLogin(...) now has the parameters order inverted, from:

AddBackOfficeLogin(BackOfficeExternalLoginProviderOptions loginProviderOptions, Action<BackOfficeAuthenticationBuilder> build);

to:

AddBackOfficeLogin(Action<BackOfficeAuthenticationBuilder> build, Action<BackOfficeExternalLoginProviderOptions> loginProviderOptions = null)

So your code snippet will change like this:

 services.AddUmbraco(_env, _config)
            .AddBackOffice()
            // new code
            .AddBackOfficeExternalLogins(builder =>
                builder.AddBackOfficeLogin(                   
                    build =>
                        build.AddOpenIdConnect(
                            build.SchemeForBackOffice(OpenIdConnectDefaults.AuthenticationScheme),
                            "AD B2C",
                            options =>
                            {
                                options.RemoteSignOutPath = "/oidc-signout";
                                options.MetadataAddress = "path-to-my /.well-known";
                                options.ClientId = "my-client-id";
                                options.SignedOutRedirectUri = "https://myumbracosite.com/umbraco";
                                options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
                                {
                                    NameClaimType = "name"
                                };
                            }
                        ),
                    options =>
                        new BackOfficeExternalLoginProviderOptions(
                            "btn-primary", // button stype
                            "fa-windows", // icon
                            new ExternalSignInAutoLinkOptions(
                                true, // autolink
                                null, // default groups,
                                null, //default culture,
                                true), //allowManualLinking
                            true, // deny local login
                            false, // autoredirect local login to external login
                            null), // custom backoffice view
                )
            )
            // end of new code
            .AddWebsite()
            .AddComposers()
            .Build();

Thank you

Copy Link

Gunnar Már Óttarsson 11 posts 48 karma points

Aug 14, 2021 @ 14:19

In case you want to use AzureAd to authenticate backoffice users I have working code based off Shannon's pull here

.AddBackOfficeExternalLogins(extLoginBuilder =>
{
    var extLoginOpts = new ExternalSignInAutoLinkOptions(
        autoLinkExternalAccount: true,
        defaultUserGroups: new[] { "admin" },
        defaultCulture: "en-US",
        allowManualLinking: true)
    {
        OnExternalLogin = (user, loginInfo) =>
        {
            return true;
        },
    };

    var loginProviderOptions = new BackOfficeExternalLoginProviderOptions(
        "btn-microsoft",
        "fa-windows",
        extLoginOpts,
        autoRedirectLoginToExternalProvider: false);

    extLoginBuilder.AddBackOfficeLogin(
        loginProviderOptions,
        auth =>
    {
        var azAdConfig = _config.GetSection("AzureAd");

        auth
            // https://github.com/umbraco/Umbraco-CMS/pull/9470
            .AddMicrosoftIdentityWebApp(options =>
            {
                options.CallbackPath = "/umbraco-signin-oidc";
                options.Instance = "https://login.microsoftonline.com/";
                options.TenantId = azAdConfig["TenantId"];
                options.ClientId = azAdConfig["ClientId"];
                options.SignedOutRedirectUri = "/umbraco";

                // https://github.com/AzureAD/microsoft-identity-web/issues/749
                //options.ClaimActions.MapJsonKey(ClaimTypes.Email, ClaimConstants.PreferredUserName);

                // Preferred over IClaimsTransformation which runs for every AuthenticateAsync
                options.Events.OnTokenValidated = ctx =>
                {
                    var username = ctx.Principal?.Claims.FirstOrDefault(c => c.Type == ClaimConstants.PreferredUserName);
                    if (username != null && ctx.Principal?.Identity is ClaimsIdentity claimsIdentity)
                    {
                        claimsIdentity.AddClaim(
                            new Claim(
                                ClaimTypes.Email,
                                username.Value
                            )
                        );
                    }

                    return Task.CompletedTask;
                };
            },
            openIdConnectScheme: auth.SchemeForBackOffice(Constants.AzureAd),
            cookieScheme: "Fake")
            ;
    });
})

Copy Link

Marco Graziotti 40 posts 166 karma points c-trib

Aug 23, 2021 @ 16:00

Thank you Gunnar for your reply. I will try also this code.

Marco

Copy Link

Dale McCutcheon 32 posts 135 karma points

Sep 17, 2021 @ 09:22

Hi Gunnar,

I'm not able to get this code working I can't reference .AddMicrosoftIdentityWebApp(options => as this just says it does not exist.

Can you give any further information on this? or what i might be missing?

THanks Dale

Copy Link

Thomas 319 posts 606 karma points c-trib

Jan 13, 2022 @ 09:05

What am I missing here?

enter image description here

Copy Link

Gunnar Már Óttarsson 11 posts 48 karma points

Sep 17, 2021 @ 12:26

You are likely missing Microsoft.Identity.Web in my code i was using 1.15.2

Copy Link

John A 6 posts 27 karma points

Feb 07, 2022 @ 15:59

Gunnar

Thanks for sharing this for BackOffice. Do you have any samples to share for Umbraco 9 AzureB2C Auth for Members? Appreciate any help you can provide, thanks.

Copy Link

Jeroen Breuer 4909 posts 12266 karma points MVP 5x admin c-trib

Sep 01, 2022 @ 12:05

Hi John,

I have created an example for members here: https://www.jeroenbreuer.nl/blog/released-umbraco-openid-connect-example-package/

Jeroen

Copy Link

is working on a reply...

This forum is in read-only mode while we transition to the new forum.

You can continue this topic on the new forum by tapping the "Continue discussion" link below.

Flag this post as spam?

Identity Server 4 and backoffice external login in Umbraco 9