  • Søren Müller (3 posts, 73 karma points)
    Jan 14, 2021 @ 13:26

    Umbraco user login with external OpenID

    Hi,

    I'm trying to get user login to the backoffice to work with a third-party IdP. So far, I get a login button above the normal Umbraco login prompt. I get redirected to the third-party login page, and after login I get redirected back to Umbraco with a token. I should now be logged in, but instead it just goes to the login page again. I use UmbracoCms.IdentityExtensions, Microsoft.Owin.Security.OpenIdConnect, etc.

    I have been banging my head for 2 days now, hoping someone has an idea... :-|

    My code so far:

    In UmbracoStandardOwinStartup::ConfigureUmbracoAuthentication(IAppBuilder app) I call:

    app.ConfigureBackOfficeKeycloakAuth("u-client-bo");
    

    That function is here:

    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;
    using Umbraco.Core;                 // Constants.Security
    using Umbraco.Web.Security;         // ForUmbracoBackOffice, SetBackOfficeExternalLoginProviderOptions (Umbraco 8)
    
    // persistentAuthType is a string field of the enclosing class; its value is not shown in the post
    public static void ConfigureBackOfficeKeycloakAuth(this IAppBuilder app, string clientId,
        string caption = "Login", string style = "btn-google", string icon = "fa-google")
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = persistentAuthType
        });
    
        var identityOptions = new OpenIdConnectAuthenticationOptions
        {
            Caption = caption,
            Authority = "<auth url>",
            ClientId = clientId,
            RedirectUri = "https://localhost:44330/umbraco/",
            PostLogoutRedirectUri = "https://localhost:44330/Umbraco",
            // implicit flow: id_token and access token come back in the front channel (form_post)
            ResponseType = "id_token token",
            Scope = "openid profile roles email",
            MetadataAddress = "<auth url>/realms/umbracoTest/.well-known/openid-configuration",
            // sign in to Umbraco's external cookie, which the back office reads on the callback
            SignInAsAuthenticationType = Constants.Security.BackOfficeExternalAuthenticationType
        };
    
        identityOptions.ForUmbracoBackOffice(style, icon);
        identityOptions.Caption = caption;
    
        // Fix Authentication Type: Umbraco uses it as the login provider key stored against the user
        identityOptions.AuthenticationType = "<auth url>";
    
        // Configure AutoLinking
        //var autoLinkOptions = new ExternalSignInAutoLinkOptions(true);  // autoLinkExternalAccount = true
        //autoLinkOptions.AllowManualLinking = false;
    
        //identityOptions.SetBackOfficeExternalLoginProviderOptions(new BackOfficeExternalLoginProviderOptions
        //{
        //    AutoRedirectLoginToExternalProvider = false,
        //    DenyLocalLogin = false, // if ANY external provider has this property set, local login will be disabled
        //    AutoLinkOptions = autoLinkOptions
        //});
    
        // not sure if necessary: rebuild the identity after the id_token has been validated
        identityOptions.Notifications = new OpenIdConnectAuthenticationNotifications
        {
            SecurityTokenValidated = ClaimsTransformer.GenerateUserIdentityAsync
        };
    
        app.UseOpenIdConnectAuthentication(identityOptions);
    }
    

    and finally

    the ClaimsTransformer.GenerateUserIdentityAsync function:

    using System.Security.Claims;
    using System.Threading.Tasks;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;   // OpenIdConnectMessage (OWIN OIDC 4.x)
    using Microsoft.Owin.Security;                           // AuthenticationTicket
    using Microsoft.Owin.Security.Notifications;             // SecurityTokenValidatedNotification
    using Microsoft.Owin.Security.OpenIdConnect;
    
    // nothing is awaited here, so return a completed Task instead of marking the method async
    public static Task GenerateUserIdentityAsync(
        SecurityTokenValidatedNotification<OpenIdConnectMessage,
        OpenIdConnectAuthenticationOptions> notification)
    {
        var id = notification.AuthenticationTicket.Identity;
    
        // we want to keep first name, last name, subject and roles
        var givenName = id.FindFirst(ClaimTypes.GivenName) ?? id.FindFirst("name");
        var familyName = id.FindFirst(ClaimTypes.Surname) ?? id.FindFirst("name");
        var email = id.FindFirst(ClaimTypes.Email) ?? id.FindFirst(ClaimTypes.Upn);
        var subject = id.FindFirst(ClaimTypes.NameIdentifier);   // Umbraco uses this as the provider key
        var roles = id.FindAll(ClaimTypes.Role);
    
        // create new identity and set name and role claim type
        var nid = new ClaimsIdentity(
          id.AuthenticationType,
          ClaimTypes.GivenName,
          ClaimTypes.Role);
    
        // AddClaim throws on null, so only copy the claims the token actually carried
        if (givenName != null) nid.AddClaim(givenName);
        if (familyName != null) nid.AddClaim(familyName);
        nid.AddClaims(roles);
        if (subject != null) nid.AddClaim(subject);
        if (email != null) nid.AddClaim(new Claim(ClaimTypes.Email, email.Value));
    
        notification.AuthenticationTicket = new AuthenticationTicket(nid, notification.AuthenticationTicket.Properties);
        return Task.FromResult(0);
    }
    

    Here all the values are correct, i.e. name, email, etc.
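The wiring shown in the post, hardened the way a practitioner would want it before it goes near a production back office, as an added example that is not part of the original post nor of the Umbraco or IdentityExtensions sample code. It pins the id_token audience and issuer, gates every external sign-in on a role claim from the IdP (not only the first auto-link), refuses a token without a subject claim, and surfaces validation failures instead of silently returning to the login page. It assumes Umbraco 8.9 or later (`BackOfficeExternalLoginProviderOptions` and the `OnExternalLogin` callback) and Microsoft.Owin.Security.OpenIdConnect 4.x; the realm URL, required role name, default user group and the `/umbraco/#/login` error route are placeholders.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;          // TokenValidationParameters, SecurityTokenValidationException (OWIN OIDC 4.x)
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using Umbraco.Core;                            // Constants.Security
using Umbraco.Web.Security;                    // ForUmbracoBackOffice, ExternalSignInAutoLinkOptions, provider options (Umbraco 8.9+)

// Added example, not code from the original post. Placeholders: Authority, RequiredRole, DefaultUserGroup.
public static class BackOfficeOidcHardening
{
    private const string Authority = "https://<auth url>/realms/umbracoTest"; // placeholder realm (issuer) URL
    private const string RequiredRole = "umbraco-backoffice";                 // placeholder role issued by the IdP
    private const string DefaultUserGroup = "editor";                         // placeholder Umbraco user group alias

    public static void ConfigureBackOfficeOidc(this IAppBuilder app, string clientId)
    {
        var options = new OpenIdConnectAuthenticationOptions
        {
            Caption = "Login",
            Authority = Authority,
            ClientId = clientId,
            RedirectUri = "https://localhost:44330/umbraco/",
            PostLogoutRedirectUri = "https://localhost:44330/umbraco/",
            // Only the id_token is needed to sign a user into the back office; not requesting
            // an access token keeps it out of the front-channel response.
            ResponseType = "id_token",
            Scope = "openid profile roles email",
            MetadataAddress = Authority + "/.well-known/openid-configuration",
            SignInAsAuthenticationType = Constants.Security.BackOfficeExternalAuthenticationType,
            TokenValidationParameters = new TokenValidationParameters
            {
                // Signature, issuer and lifetime are checked against discovery metadata by the
                // middleware; pinning the audience rejects a token minted for another client.
                ValidAudience = clientId,
                ValidateIssuer = true,
                ValidIssuer = Authority,
                NameClaimType = "preferred_username",
                RoleClaimType = ClaimTypes.Role
            }
        };

        options.ForUmbracoBackOffice("btn-openid", "fa-lock");
        // Umbraco stores AuthenticationType as the login provider key on the linked user, so it
        // must never change once users are linked; the issuer URL is the conventional value.
        options.AuthenticationType = Authority;

        var autoLink = new ExternalSignInAutoLinkOptions(
            autoLinkExternalAccount: true,
            defaultUserGroups: new[] { DefaultUserGroup },
            defaultCulture: "en-US")
        {
            // Runs once, when a back-office user is created for a new external identity.
            OnAutoLinking = (user, loginInfo) =>
            {
                var name = loginInfo.ExternalIdentity.FindFirst("name")?.Value;
                if (!string.IsNullOrWhiteSpace(name)) user.Name = name;
            },
            // Runs on every external login; returning false denies the sign-in, so an IdP account
            // that lost the role cannot reach the back office even if it was linked earlier.
            OnExternalLogin = (user, loginInfo) =>
                loginInfo.ExternalIdentity.HasClaim(ClaimTypes.Role, RequiredRole)
        };

        options.SetBackOfficeExternalLoginProviderOptions(new BackOfficeExternalLoginProviderOptions
        {
            AutoRedirectLoginToExternalProvider = false,
            DenyLocalLogin = false,
            AutoLinkOptions = autoLink
        });

        options.Notifications = new OpenIdConnectAuthenticationNotifications
        {
            SecurityTokenValidated = n =>
            {
                // Umbraco needs the subject as the provider key; a token without one is useless
                // and throwing here routes the request to AuthenticationFailed below.
                if (n.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier) == null)
                    throw new SecurityTokenValidationException("id_token carries no subject claim");
                return Task.FromResult(0);
            },
            AuthenticationFailed = n =>
            {
                // Without this handler a failed validation just bounces back to the login page
                // with no explanation. Log n.Exception server-side; never echo it to the client.
                n.HandleResponse();
                n.Response.Redirect("/umbraco/#/login?externalLoginError=validation_failed");
                return Task.FromResult(0);
            }
        };

        app.UseOpenIdConnectAuthentication(options);
    }
}
```

Call `app.ConfigureBackOfficeOidc("u-client-bo")` from `ConfigureUmbracoAuthentication` in place of the Keycloak method above. The extra `UseCookieAuthentication` registration from the post is deliberately omitted: Umbraco already registers the external cookie that `SignInAsAuthenticationType` targets, and a second cookie middleware is not needed for the back-office flow.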
