Hi,

I'm trying to get user login to backoffice to work with third party IDP. So far, I get a login button above the normal umbraco loginprompt. I get redicted to third party login page and after login I get redirected back to umbraco with token. I hould now login, but indtead it just goes to loginpage again . I use the UmbracoCms.IdentityExtensions, Microsoft.Owin.Security.OpenIdConnect++.

I have been banging my head for 2 days now, hoping some have an idea..:-|

My code so far:

In UmbracoStandardOwinStartup::ConfigureUmbracoAuthentication(IAppBuilder app) i call:

app.ConfigureBackOfficeKeycloakAuth("u-client-bo");

That function is here:

 public static void ConfigureBackOfficeKeycloakAuth(this IAppBuilder app, string clientId,
        string caption = "Login", string style = "btn-google", string icon = "fa-google")
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = persistentAuthType
        });

        var identityOptions = new OpenIdConnectAuthenticationOptions
        {
            Caption = caption,
            Authority = "<auth url>",
            ClientId = clientId,
            RedirectUri = "https://localhost:44330/umbraco/",
            PostLogoutRedirectUri = "https://localhost:44330/Umbraco",
            ResponseType = "id_token token",
            Scope = "openid profile roles email",
            MetadataAddress = "<auth url>/realms/umbracoTest/.well-known/openid-configuration",
            SignInAsAuthenticationType = Constants.Security.BackOfficeExternalAuthenticationType
        };

        identityOptions.ForUmbracoBackOffice(style, icon);
        identityOptions.Caption = caption;

        // Fix Authentication Type 
        identityOptions.AuthenticationType = "<auth url>";

        // Configure AutoLinking
        //var autoLinkOptions = new ExternalSignInAutoLinkOptions(true);  // autoLinkExternalAccount = true
        //autoLinkOptions.AllowManualLinking = false;

        //identityOptions.SetBackOfficeExternalLoginProviderOptions(new BackOfficeExternalLoginProviderOptions
        //{
        //    AutoRedirectLoginToExternalProvider = false,
        //    DenyLocalLogin = false, // if ANY external provider has this property set, local login will be disabled
        //    AutoLinkOptions = autoLinkOptions
        //});

        // not sure if nessesary
        identityOptions.Notifications = new OpenIdConnectAuthenticationNotifications
        {
            SecurityTokenValidated = ClaimsTransformer.GenerateUserIdentityAsync
        };

        app.UseOpenIdConnectAuthentication(identityOptions);
    }

and finally

the ClaimsTransformer.GenerateUserIdentityAsync function:

public static async Task GenerateUserIdentityAsync(
    SecurityTokenValidatedNotification<OpenIdConnectMessage,
    OpenIdConnectAuthenticationOptions> notification)
{
    var id = notification.AuthenticationTicket.Identity;

    // we want to keep first name, last name, subject and roles
    var givenName = id.FindFirst(ClaimTypes.GivenName);
    if (givenName == null) givenName = id.FindFirst("name");
    var familyName = id.FindFirst(ClaimTypes.Surname);
    if (familyName == null) familyName = id.FindFirst("name");
    var email = id.FindFirst(ClaimTypes.Email);
    if (email == null) email = id.FindFirst(ClaimTypes.Upn);
    var roles = id.FindAll(ClaimTypes.Role);

    // create new identity and set name and role claim type
    var nid = new ClaimsIdentity(
      id.AuthenticationType,
      ClaimTypes.GivenName,
      ClaimTypes.Role);

    nid.AddClaim(givenName);
    nid.AddClaim(familyName);
    nid.AddClaims(roles);
    nid.AddClaim(id.FindFirst(ClaimTypes.NameIdentifier));
    var emailclaim = new Claim(ClaimTypes.Email, email.Value);
    nid.AddClaim(emailclaim);

    notification.AuthenticationTicket = new AuthenticationTicket(nid, notification.AuthenticationTicket.Properties);
}

Here all the values are correct, i.e. name, email etc,