
  • Marco Graziotti 39 posts 165 karma points c-trib
    Jul 16, 2021 @ 10:01
    Marco Graziotti
    0

    Identity Server 4 and backoffice external login in Umbraco 9

    Hi,

    I'm trying to retrieve some information about the possibility to implement Identity Server 4 for the backoffice login in Umbraco 9.

    I saw that in ConfigureServices() it's possible to use AddBackOfficeExternalLogins(). Is there any reference guide to implement a third party backoffice login service? Any suggestions?

    I also found this discussion that seems interesting.

    Thank you, Marco

  • Keith 53 posts 214 karma points
    Jul 20, 2021 @ 23:35
    Keith
    2

    Hi Marco,

    This is the code I used on that other discussion you linked to. It worked for me using Azure AD B2C, but I would imagine the config is very similar for Identity Server 4.

    It's not fully tested and I'm sure someone will post something better, but it might be of use to you.

                services.AddUmbraco(_env, _config)
                .AddBackOffice()
                // new code
                .AddBackOfficeExternalLogins(builder =>
                    builder.AddBackOfficeLogin(
                        new BackOfficeExternalLoginProviderOptions(
                            "btn-primary", // button style
                            "fa-windows", // icon
                            new ExternalSignInAutoLinkOptions(
                                true, // autolink
                                null, // default groups
                                null, // default culture
                                true), // allowManualLinking
                            true, // deny local login
                            false, // autoredirect local login to external login
                            null), // custom backoffice view
                        build =>
                            build.AddOpenIdConnect(
                                build.SchemeForBackOffice(OpenIdConnectDefaults.AuthenticationScheme),
                                "AD B2C",
                                options =>
                                {
                                    options.RemoteSignOutPath = "/oidc-signout";
                                    options.MetadataAddress = "path-to-my /.well-known";
                                    options.ClientId = "my-client-id";
                                    options.SignedOutRedirectUri = "https://myumbracosite.com/umbraco";
                                    options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
                                    {
                                        NameClaimType = "name"
                                    };
                                }
                            )
                    )
                )
                // end of new code
                .AddWebsite()
                .AddComposers()
                .Build();
    

    "autolink" is what is used to automatically create an umbraco user when someone signs in with your external provider. Without this, you need to create each umbraco user first, ask them to log in and manually perform a link to their external identity.

  • Marco Graziotti 39 posts 165 karma points c-trib
    Aug 23, 2021 @ 15:56
    Marco Graziotti
    0

    Hi Keith,

    thank you for your reply.

    This snippet was useful, but I couldn't test it because of this bug in Umbraco 9 RC1 (more details here), which should be fixed in the RC2 release.

    I have just updated my solution to RC2, and builder.AddBackOfficeLogin(...) now has the parameter order inverted, from:

    AddBackOfficeLogin(BackOfficeExternalLoginProviderOptions loginProviderOptions, Action<BackOfficeAuthenticationBuilder> build);
    

    to:

    AddBackOfficeLogin(Action<BackOfficeAuthenticationBuilder> build, Action<BackOfficeExternalLoginProviderOptions> loginProviderOptions = null) 
    

    So your code snippet will change like this:

     services.AddUmbraco(_env, _config)
                .AddBackOffice()
                // new code
                .AddBackOfficeExternalLogins(builder =>
                    builder.AddBackOfficeLogin(
                        build =>
                            build.AddOpenIdConnect(
                                build.SchemeForBackOffice(OpenIdConnectDefaults.AuthenticationScheme),
                                "AD B2C",
                                options =>
                                {
                                    options.RemoteSignOutPath = "/oidc-signout";
                                    options.MetadataAddress = "path-to-my /.well-known";
                                    options.ClientId = "my-client-id";
                                    options.SignedOutRedirectUri = "https://myumbracosite.com/umbraco";
                                    options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
                                    {
                                        NameClaimType = "name"
                                    };
                                }
                            ),
                        options =>
                        {
                            // the second argument is now an Action that configures the options
                            // instance Umbraco passes in; constructing a new object here would be discarded
                            options.ButtonStyle = "btn-primary"; // button style
                            options.Icon = "fa-windows"; // icon
                            options.AutoLinkOptions = new ExternalSignInAutoLinkOptions(
                                true, // autolink
                                null, // default groups
                                null, // default culture
                                true); // allowManualLinking
                            options.DenyLocalLogin = true; // deny local login
                            options.AutoRedirectLoginToExternalProvider = false; // autoredirect local login to external login
                            options.CustomBackOfficeView = null; // custom backoffice view
                        }
                    )
                )
                // end of new code
                .AddWebsite()
                .AddComposers()
                .Build();
    

    Thank you

  • Gunnar Már Óttarsson 11 posts 44 karma points
    Aug 14, 2021 @ 14:19
    Gunnar Már Óttarsson
    2

    In case you want to use AzureAd to authenticate backoffice users, I have working code based off Shannon's pull here.

    .AddBackOfficeExternalLogins(extLoginBuilder =>
    {
        var extLoginOpts = new ExternalSignInAutoLinkOptions(
            autoLinkExternalAccount: true,
            defaultUserGroups: new[] { "admin" },
            defaultCulture: "en-US",
            allowManualLinking: true)
        {
            OnExternalLogin = (user, loginInfo) =>
            {
                return true;
            },
        };
    
        var loginProviderOptions = new BackOfficeExternalLoginProviderOptions(
            "btn-microsoft",
            "fa-windows",
            extLoginOpts,
            autoRedirectLoginToExternalProvider: false);
    
        extLoginBuilder.AddBackOfficeLogin(
            loginProviderOptions,
            auth =>
            {
                var azAdConfig = _config.GetSection("AzureAd");

                auth
                    // https://github.com/umbraco/Umbraco-CMS/pull/9470
                    .AddMicrosoftIdentityWebApp(options =>
                    {
                        options.CallbackPath = "/umbraco-signin-oidc";
                        options.Instance = "https://login.microsoftonline.com/";
                        options.TenantId = azAdConfig["TenantId"];
                        options.ClientId = azAdConfig["ClientId"];
                        options.SignedOutRedirectUri = "/umbraco";

                        // https://github.com/AzureAD/microsoft-identity-web/issues/749
                        //options.ClaimActions.MapJsonKey(ClaimTypes.Email, ClaimConstants.PreferredUserName);

                        // Preferred over IClaimsTransformation which runs for every AuthenticateAsync
                        options.Events.OnTokenValidated = ctx =>
                        {
                            var username = ctx.Principal?.Claims.FirstOrDefault(c => c.Type == ClaimConstants.PreferredUserName);
                            if (username != null && ctx.Principal?.Identity is ClaimsIdentity claimsIdentity)
                            {
                                claimsIdentity.AddClaim(
                                    new Claim(
                                        ClaimTypes.Email,
                                        username.Value
                                    )
                                );
                            }

                            return Task.CompletedTask;
                        };
                    },
                    openIdConnectScheme: auth.SchemeForBackOffice(Constants.AzureAd),
                    cookieScheme: "Fake");
            });
    })
    
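    An added example, not code from any poster in this thread or from Umbraco itself, that combines the RC2 AddBackOfficeLogin(build, options) signature from Marco's post with the Microsoft.Identity.Web setup from Gunnar's: it rejects tokens from an unexpected tenant inside OnTokenValidated, before Umbraco auto-links or signs in anyone, and auto-links new users into the built-in "editor" group instead of "admin". It assumes the Microsoft.Identity.Web package, an "AzureAd" configuration section holding TenantId and ClientId, and the usings System, System.Security.Claims, System.Threading.Tasks, Microsoft.Identity.Web and Umbraco.Cms.Web.Common.Security.

```csharp
// Added example, not from any post in this thread or from Umbraco. Assumes the RC2+
// AddBackOfficeLogin(build, options) signature, Microsoft.Identity.Web and an "AzureAd" section.
.AddBackOfficeExternalLogins(builder =>
    builder.AddBackOfficeLogin(
        auth =>
        {
            var azAd = _config.GetSection("AzureAd");
            auth.AddMicrosoftIdentityWebApp(options =>
            {
                options.Instance = "https://login.microsoftonline.com/";
                options.TenantId = azAd["TenantId"];
                options.ClientId = azAd["ClientId"];
                options.CallbackPath = "/umbraco-signin-oidc";
                options.SignedOutRedirectUri = "/umbraco";
                options.Events.OnTokenValidated = ctx =>
                {
                    // Defence in depth: the authority above already pins one tenant, but this check also
                    // holds after a switch to "organizations"/"common", and it runs before Umbraco creates any user.
                    var tid = ctx.Principal?.FindFirst(ClaimConstants.Tid)?.Value
                           ?? ctx.Principal?.FindFirst(ClaimConstants.TenantId)?.Value;
                    if (!string.Equals(tid, azAd["TenantId"], StringComparison.OrdinalIgnoreCase))
                    {
                        ctx.Fail("Token issued for an unexpected tenant.");
                        return Task.CompletedTask;
                    }
                    // Auto-linking needs an e-mail claim; Azure AD sends preferred_username
                    // instead (see the microsoft-identity-web issue linked in Gunnar's post).
                    var upn = ctx.Principal?.FindFirst(ClaimConstants.PreferredUserName)?.Value;
                    if (upn != null && ctx.Principal?.Identity is ClaimsIdentity id
                        && !id.HasClaim(c => c.Type == ClaimTypes.Email))
                    {
                        id.AddClaim(new Claim(ClaimTypes.Email, upn));
                    }
                    return Task.CompletedTask;
                };
            },
            openIdConnectScheme: auth.SchemeForBackOffice(Microsoft.Identity.Web.Constants.AzureAd),
            cookieScheme: "Fake"); // Umbraco issues its own back-office cookie; this scheme is unused
        },
        options =>
        {
            options.ButtonStyle = "btn-microsoft";
            options.Icon = "fa-windows";
            options.DenyLocalLogin = false; // keep the local login as a break-glass path
            options.AutoLinkOptions = new ExternalSignInAutoLinkOptions(
                autoLinkExternalAccount: true,
                defaultUserGroups: new[] { "editor" }, // least privilege; promote to admin by hand
                defaultCulture: "en-US",
                allowManualLinking: true);
        }))
```

    Because the tenant check fails the remote authentication ticket itself, a rejected sign-in never reaches Umbraco's auto-link step, so no back-office user is created for it.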
  • Marco Graziotti 39 posts 165 karma points c-trib
    Aug 23, 2021 @ 16:00
    Marco Graziotti
    0

    Thank you Gunnar for your reply. I will try also this code.

    Marco

  • Dale McCutcheon 32 posts 135 karma points
    Sep 17, 2021 @ 09:22
    Dale McCutcheon
    0

    Hi Gunnar,

    I'm not able to get this code working. I can't reference .AddMicrosoftIdentityWebApp(options => as this just says it does not exist.

    Can you give any further information on this, or what I might be missing?

    Thanks, Dale

  • Thomas 274 posts 555 karma points c-trib
    Jan 13, 2022 @ 09:05
    Thomas
    0

    What am I missing here?


  • Gunnar Már Óttarsson 11 posts 44 karma points
    Sep 17, 2021 @ 12:26
    Gunnar Már Óttarsson
    0

    You are likely missing Microsoft.Identity.Web. In my code I was using 1.15.2.

  • John A 6 posts 27 karma points
    Feb 07, 2022 @ 15:59
    John A
    0

    Gunnar

    Thanks for sharing this for BackOffice. Do you have any samples to share for Umbraco 9 AzureB2C Auth for Members? Appreciate any help you can provide, thanks.
