Content Delivery API: configuring OAuth



We're trying to configure OAuth in our setup of the Content Delivery API, and have followed the instructions in the official documentation for doing so: 

We have added the EPiServer.ContentApi.OAuth NuGet package, and then added the following line in Startup.cs (as per the official documentation, and also as explained in this accepted answer on the developers forum):

app.UseContentApiIdentityOAuthAuthorization<ApplicationUserManager<ApplicationUser>, ApplicationUser>(new ContentApiOAuthOptions()
{
    // SSL is not required for OAuth requests with this setting
    RequireSsl = false
});

However, none of the explanations in the referenced links contain information about the implementation of ApplicationUserManager and ApplicationUser. Are we supposed to implement them ourselves? In that case, do you have any documentation on how they should be implemented?

- Thomas

Edited, Aug 27, 2019 8:57

Did you find any input on it? I am on the same issue currently.

Mar 03, 2020 23:05
Thomas Wolff - Mar 04, 2020 7:14
No, we have decided not to use OAuth in our case after all, so we have not looked further into this.


You can use the default implementation of CMS UI for both ApplicationUserManager and ApplicationUser. The Alloy sample site for Content Delivery already has the sample configuration in Startup.cs; you can check it out to investigate more.

Mar 30, 2020 3:42

What did you end up using instead of OAuth?

Sep 12, 2020 4:46


If you haven't set up the OWIN authentication before adding the OAuth package, have a look at this documentation page. It basically details how to set up ASP.NET Identity authentication, which can then be used to access the Content Delivery API through the OAuth package.

Usually you can follow the first three steps on the page, and skip the rest of the page.

Sep 13, 2020 16:41

I was using the OIDC framework with Okta in my startup, so I figured out I just had to use the well-known OpenID configuration endpoint. This is what I used, and it seems to work fine.

// Fetches and caches the identity provider's OIDC discovery document.
var authority = OpenIDConfiguration.Authority;
var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
    authority + "/.well-known/openid-configuration",
    new OpenIdConnectConfigurationRetriever(),
    new HttpDocumentRetriever());

// Register JWT bearer validation in the OWIN pipeline (Microsoft.Owin.Security.Jwt).
app.UseJwtBearerAuthentication(
    new JwtBearerAuthenticationOptions
    {
        AuthenticationMode = AuthenticationMode.Active,

        TokenValidationParameters = new TokenValidationParameters()
        {
            NameClaimType = JwtClaimTypes.Name,
            RoleClaimType = OpenIDConfiguration.Permission,
            // Audience check is off: the aud claim of incoming tokens is not compared to anything.
            ValidateAudience = false,
            ValidIssuer = authority,

            // Resolve signing keys from the discovery document at validation time.
            IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) =>
            {
                var discoveryDocument = Task.Run(() => configurationManager.GetConfigurationAsync()).GetAwaiter().GetResult();
                return discoveryDocument.SigningKeys;
            }
        }
    });

Dec 07, 2020 14:33
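What the `ValidateAudience` setting in the configuration above decides, as an added example that is not part of the original post or of the Episerver packages: a console program using System.IdentityModel.Tokens.Jwt that validates the same correctly signed token with the audience check off and on. The issuer, the two audience values and the symmetric key are constructed for the demo; a real setup would keep resolving the identity provider's signing keys from the discovery document.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

static class AudienceCheckDemo
{
    // Constructed demo values; none of them come from the thread.
    const string Issuer = "https://idp.example.test";
    const string OurApi = "api://content-delivery";
    const string OtherApi = "api://some-other-app";
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-demo-key-0123456789abcdef"));

    // Mint a short-lived token for the given audience, standing in for the identity provider.
    static string Issue(string audience)
    {
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = audience,
            Subject = new ClaimsIdentity(new[] { new Claim("name", "demo-user") }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256)
        }));
    }

    // Validate as the API would; only the audience setting differs between calls.
    static bool Accepts(string jwt, bool validateAudience)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            IssuerSigningKey = Key,
            ValidateAudience = validateAudience,
            ValidAudience = OurApi
        };
        try { new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out SecurityToken _); return true; }
        catch (SecurityTokenException) { return false; }
    }

    static void Main()
    {
        string foreign = Issue(OtherApi), ours = Issue(OurApi);
        Console.WriteLine("token for other API, ValidateAudience=false: " + Accepts(foreign, false));
        Console.WriteLine("token for other API, ValidateAudience=true:  " + Accepts(foreign, true));
        Console.WriteLine("token for our API,   ValidateAudience=true:  " + Accepts(ours, true));
    }
}
```

With the check enabled, `ValidAudience` has to be set to the identifier the identity provider puts in the `aud` claim of tokens meant for this API.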

It seems what people are usually after requires the removal of the CD API OAuth packages (those are only needed in case you need integration between local AspNetIdentity and need a local token provider) and instead using OIDC for auth in general and leaning on either cookie security or validating the token on their own.

Similar thread:

Example on how to do it on my blog:

Edited, Jan 11, 2021 15:58