A critical vulnerability was discovered in React Server Components (Next.js). Our systems remain protected but we advise to update packages to newest version. Learn More

AI OnAI Off

Issue with Azure AD Backend / Asp.NET Frontend Authentication provider (CMS 12, Commerce 14)

Van Pham Hong
Van Pham Hong
Vote:
 

I would like to build a login function with AzureAD for backend users and AspNetCore Identity for front-end users. I have followed the steps:

  • POC on the Foundation .NET 5 version: https://github.com/episerver/Foundation/tree/net5
  • Run the foundation project and sign up a new account on the front-end: customer1@example.com
  • Following guide: https://world.optimizely.com/documentation/developer-guides/CMS/security/integrate-azure-ad-using-openid-connect/
    • Install Microsoft.AspNetCore.Authentication.OpenIdConnect version 5.014
    • Comment out services.AddOpenIDConnect with "postman" block code
    • Add connect to AzureAD with an option (on app setting) that allow me to turn on/off this function.
  • //services.AddOpenIDConnect<SiteUser>(options =>
            //{
            //    //options.RequireHttps = !_webHostingEnvironment.IsDevelopment();
            //    var application = new OpenIDConnectApplication()
            //    {
            //        ClientId = "postman-client",
            //        ClientSecret = "postman",
            //        Scopes =
            //        {
            //            ContentDeliveryApiOptionsDefaults.Scope,
            //            ContentManagementApiOptionsDefaults.Scope,
            //            ContentDefinitionsApiOptionsDefaults.Scope,
            //        }
            //    };

            //    // Using Postman for testing purpose.
            //    // The authorization code is sent to postman after successful authentication.
            //    application.RedirectUris.Add(new Uri("https://oauth.pstmn.io/v1/callback"));
            //    options.Applications.Add(application);
            //    options.AllowResourceOwnerPasswordFlow = true;
            //});

            var azureAdConfigSection = _configuration.GetSection("AzureAd");
            var enableAzureAd = azureAdConfigSection.GetValue<bool>("EnableAzureAd");
            if (enableAzureAd)
            {
                services.AddAuthentication(options =>
                {
                    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
                })
                .AddCookie()
                .AddOpenIdConnect(
                    options =>
                    {
                        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                        options.ClientId = azureAdConfigSection.GetValue<string>("ClientId");
                        options.Authority = "https://login.microsoftonline.com/" + azureAdConfigSection.GetValue<string>("TenantId") + "/v2.0";
                        options.CallbackPath = "/signin-oidc";
                        options.Scope.Add("email");

                        options.TokenValidationParameters = new TokenValidationParameters
                        {
                            ValidateIssuer = false,
                            RoleClaimType = ClaimTypes.Role,
                            NameClaimType = ClaimTypes.Email
                        };

                        options.Events.OnAuthenticationFailed = context =>
                        {
                            context.HandleResponse();
                            context.Response.BodyWriter.WriteAsync(Encoding.ASCII.GetBytes(context.Exception.Message));
                            return Task.FromResult(0);
                        };

                        options.Events.OnTokenValidated = (ctx) =>
                        {
                            var redirectUri = new Uri(ctx.Properties.RedirectUri, UriKind.RelativeOrAbsolute);
                            if (redirectUri.IsAbsoluteUri)
                            {
                                ctx.Properties.RedirectUri = redirectUri.PathAndQuery;
                            }
                            //    
                            //Sync user and the roles to EPiServer in the background
                            ServiceLocator.Current.GetInstance<ISynchronizingUserService>().SynchronizeAsync(ctx.Principal.Identity as ClaimsIdentity);
                            return Task.FromResult(0);
                        };
                    });
            }

Result of "enabled" Azure AD:

  • Successfully log in with my Azure AD account for backend (https://localhost:44397/episerver/cms)
  • But, cannot log in on the font-end with the registered user "customer1@example.com". I have already tested on a new browser, for example, incognito. Here is the details:

When debugging I see that User.Identity.IsAuthenticated is always false after SignInManager SignIn:

Otherwise, if I disable Azure AD, we can get all claim and User.Identity.IsAuthenticated = true.  And we can log in front-end as normal.

Could you please take a look at the issue on the front-end login with AspNetCore Identity if I turn on the login backend with AzureAD?

Any help would be appreciated.

Thank you in advance...

#272374
Edited, Feb 17, 2022 7:58
Mark Hall
Mark Hall
Vote:
 

Authenication schemes work differently in net5.0 Please see Use multiple authentication schemes

#272466
Feb 17, 2022 23:47
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.