Separate admin login when using OpenIdConnect

Vote:
 

Hi!

Is it possible to have some kind of separate login for admin users in episerver, when using OpenIdConnect? We only want the OpenIdConnect for the end users, not editors or admins.

#199143
Nov 16, 2018 13:35
Vote:
 

Hi Torunn 

You still have the issue? 
Are you using the owin implementation and have followed the instructions  https://world.episerver.com/documentation/developer-guides/commerce/security/support-for-openid-connect-in-episerver-commerce/? 

Where are your editors and admins located, are they not in same AD endusers? 

#199511
Edited, Nov 30, 2018 11:46
Vote:
 

Hi!

This is an external identity provider. Normally, the users log in with the sqlmembershipprovider. Since I had to remove the membership provider to be able to use the openidConnect, the only way to log in is through this external service. 

This is not a commerce solution. 

#199629
Dec 04, 2018 8:49
Vote:
 

Hello Torunn

Its possible to configure multiple identity providers for your solution. The following links are useful to find out how:

David

#199643
Dec 04, 2018 11:20
Vote:
 

Hi!

I managed to get this working locally. But in staging I get this error: EPiServer.Web.RoutingUrlRewriteModule: Url is not valid for rewrite. Returning URL /Util/login.aspx?ReturnUrl...

Any idea what I am doing wrong?

#202262
Mar 21, 2019 10:11
Vote:
 

Hi!

So I've gotten past the problem above.

What I really want, is to keep the regular episerver login, but have a openidconnect login for end users that should not log in to episerver. 

Current status, is that I have managed to have two separate logins. I can log in with openidconnect, and I can log in to episerver with username and password. The latter one is solved by manually logging in the user.

EPiServer.Security.PrincipalInfo.CurrentPrincipal = EPiServer.Security.PrincipalInfo.CreatePrincipal(username);
System.Web.Security.FormsAuthentication.SetAuthCookie(username, true);

The regular login form doesn't work, even though I have setup up the multiplexing membership/roleprovider in web.config and <authentication> to forms. When I log in with the custom code, I can't find any of the roles or users. I can create new ones, but they are of type "EPi_AspNetIdentityUserProvider". 

Another problem, is that it doesn't always redirect me to the IdentityServer. Sometimes it takes me to the regular epi login page.

My startup.cs looks like this:

ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
      app.AddCmsAspNetIdentity<ApplicationUser>();
      app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

      app.UseCookieAuthentication(new CookieAuthenticationOptions());

      //Open id authentication
      app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
      {
        ClientId = OicClientId,
        Authority = OicAuthority,
        PostLogoutRedirectUri = OicPostLogoutRedirectUri,
        ResponseType = OicResponseType,
        Scope = OicScopes,
        RequireHttpsMetadata = false,
        RedirectUri = redirectUri,
        
        TokenValidationParameters = new TokenValidationParameters
        {
          ValidateIssuer = false,
          NameClaimType = ClaimTypes.NameIdentifier,
          RoleClaimType = ClaimTypes.Role
        },
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
          AuthenticationFailed = context =>
          {
            context.HandleResponse();
            context.Response.Write(context.Exception.Message);
            return Task.FromResult(0);
          },
          RedirectToIdentityProvider = context =>
          {
            if (context.ProtocolMessage.RedirectUri == null)
            {
              var currentUrl = SiteDefinition.Current.SiteUrl;
              context.ProtocolMessage.RedirectUri = new UriBuilder(
                currentUrl.Scheme,
                currentUrl.Host,
                currentUrl.Port,
                HttpContext.Current.Request.Url.AbsolutePath).ToString();
            }

            //Unathorized
            if (context.OwinContext.Response.StatusCode == 401 && context.OwinContext.Authentication.User.Identity.IsAuthenticated)
            {
              context.OwinContext.Response.StatusCode = 403;
              context.HandleResponse();
            }
            return Task.FromResult(0);
          },
          SecurityTokenValidated = ctx =>
          {
            var redirectUri = new Uri(ctx.AuthenticationTicket.Properties.RedirectUri,
              UriKind.RelativeOrAbsolute);
            if (redirectUri.IsAbsoluteUri)
              ctx.AuthenticationTicket.Properties.RedirectUri = redirectUri.PathAndQuery;

            ServiceLocator.Current.GetInstance<OicSynchronizingUserService>()
              .SynchronizeAsync(ctx.AuthenticationTicket.Identity);
            Logger.Current.LogDebug("Synchronizing: " + ctx.AuthenticationTicket.Identity.IsAuthenticated + ", " + ctx.AuthenticationTicket.Identity.RoleClaimType);

            return Task.FromResult(0);
          },
          SecurityTokenReceived = ctx =>
          {
            return Task.FromResult(0);
          }
        }
      });

      app.UseStageMarker(PipelineStage.Authenticate);

      app.Map(UrlLogin, config =>
      {
        config.Run(ctx =>
        {
          if (ctx.Authentication.User == null || !ctx.Authentication.User.Identity.IsAuthenticated)
            ctx.Response.StatusCode = 401;
          else
            ctx.Response.Redirect("/");
          return Task.FromResult(0);
        });
      });

      app.Map(UrlLogout, config =>
      {
        config.Run(ctx =>
        {
          ctx.Authentication.SignOut();
          return Task.FromResult(0);
        });
      });

      //Tell antiforgery to use the name claim
      AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
#204294
May 24, 2019 13:02
Vote:
 

The solution is to have AspNetIdentity for editor/admin login, and OpenIdConnect for end users:

https://world.episerver.com/blogs/K-Khan-/Dates/2017/10/migrate-from-sql-membership-to-asp-net-identity/

I used this for migrating users from SqlServer to AspNetIdentity:

https://gist.github.com/khurramkhang/f9110994e6dd771db87e0e26a394c557

#204457
Edited, Jun 03, 2019 14:37
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.