Security - use cases
Describes security cases for external login providers and IssuerUri in Optimizely Configured Commerce.
Add external login providers
Optimizely Configured Commerce supports Google and Facebook login out of the box for versions 4.1+. Additional login providers could likely be added by adding the relevant OWIN middleware to the ConfigureIdentityProviders method within Startup.Auth.cs. Additional providers can be found at the following links:
- https://identityserver.github.io/Documentation/docsv2/resources/externalAuthentication.html
- https://github.com/RockstarLabs/OwinOAuthProviders
Configure Google/Facebook logins
These logins are enabled by setting the following Application Settings. Changes to these settings will not take place until after the application pool has been recycled.
| Application Setting | Value Type | Description |
|---|---|---|
| ExternalProvider_Facebook_AppId | string | The app ID issued for your Facebook application, used for Facebook login. |
| ExternalProvider_Facebook_AppSecret | string | The app secret issued for your Facebook application, used for Facebook login. |
| ExternalProvider_Facebook_Enabled | true/false | If true, a Facebook button will appear on the sign in page. |
| ExternalProvider_Google_ClientId | string | The client ID issued for your Google application, used for Google login. |
| ExternalProvider_Google_ClientSecret | string | The client secret issued for your Google application, used for Google login. |
| ExternalProvider_Google_Enabled | true/false | If true, a Google button will appear on the sign in page. |
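The following is an added example of a ConfigureIdentityProviders method that wires the application settings above to the OWIN middleware for Google and Facebook; it is not Insite's own Startup.Auth.cs code. It assumes the Microsoft.Owin.Security.Google and Microsoft.Owin.Security.Facebook Katana packages are referenced and that IdentityServer calls the method with the `(IAppBuilder app, string signInAsType)` signature. A provider that is enabled but has an empty ID or secret fails at startup instead of surfacing later as an opaque redirect error on the sign in page.

```csharp
using System;
using System.Configuration;
using Microsoft.Owin.Security.Facebook;
using Microsoft.Owin.Security.Google;
using Owin;

public static class ExternalProviderRegistration
{
    // Hypothetical replacement for the ConfigureIdentityProviders method referenced from
    // Startup.Auth.cs. IdentityServer passes the OWIN app builder and the authentication
    // type that external sign-ins must be issued as.
    public static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
    {
        if (IsEnabled("ExternalProvider_Google_Enabled"))
        {
            app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
            {
                AuthenticationType = "Google",
                Caption = "Google",
                SignInAsAuthenticationType = signInAsType,
                ClientId = RequireSetting("ExternalProvider_Google_ClientId"),
                ClientSecret = RequireSetting("ExternalProvider_Google_ClientSecret")
            });
        }

        if (IsEnabled("ExternalProvider_Facebook_Enabled"))
        {
            var facebook = new FacebookAuthenticationOptions
            {
                AuthenticationType = "Facebook",
                Caption = "Facebook",
                SignInAsAuthenticationType = signInAsType,
                AppId = RequireSetting("ExternalProvider_Facebook_AppId"),
                AppSecret = RequireSetting("ExternalProvider_Facebook_AppSecret")
            };
            // Request only the permissions the sign-in flow needs; these are the two
            // items enabled during the Facebook app setup steps.
            facebook.Scope.Add("email");
            facebook.Scope.Add("public_profile");
            app.UseFacebookAuthentication(facebook);
        }
    }

    // Reads a "true"/"false" application setting; a missing or malformed key leaves the provider off.
    private static bool IsEnabled(string key)
    {
        bool enabled;
        return bool.TryParse(ConfigurationManager.AppSettings[key], out enabled) && enabled;
    }

    // Refuse to register a provider whose credentials are blank: an empty client secret
    // would make the OAuth callback fail for every user after the app pool recycles.
    private static string RequireSetting(string key)
    {
        var value = ConfigurationManager.AppSettings[key];
        if (string.IsNullOrWhiteSpace(value))
        {
            throw new ConfigurationErrorsException(
                "Application setting '" + key + "' must be set when its provider is enabled.");
        }
        return value;
    }
}
```

Assign `IdentityProviders = ExternalProviderRegistration.ConfigureIdentityProviders` in the AuthenticationOptions block of Startup.Auth.cs. Further providers from the linked OWIN provider collections are registered the same way, each guarded by its own enabled flag and credential check.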
Set up a Google application to generate a ClientId and ClientSecret
- In a browser go to https://console.developers.google.com (log in if you are not logged in already).
- Go to API Manager > Credentials.
- Click New credentials and select OAuth 2.0 client ID.
- Select Web Application.
- Name the application (This will be displayed when users are redirected to Google to login. Once they log in, it will prompt the users and say "{application name} would like to access your profile" or something like that).
- Set the Authorized JavaScript origins to the website URL.
- Set the redirect URLs to the following, replacing the mywebsite part: https://www.mywebsite.com/identity/externalcallback
- Click Create.
- You should now have the clientid and clientsecret.
- Go to the Overview tab.
- In the Social APIs section click Google+ Api and enable it.
- Enter clientid and clientsecret within the Google External Provider Application Settings.
Set up a Facebook application to generate an AppId and AppSecret
- In a browser go to https://developers.facebook.com/ (log in if you are not logged in already).
- Select My Apps in the header and select Add an app.
- Select WWW.
- Name the application (This will be displayed when users are redirected to Facebook to login. Once they log in, it will prompt the users and say "{application name} would like to access your profile" or something like that).
- Select a category and create the app.
- Enter your website and click Next.
- Refresh the page.
- In the header select My Apps and the app you just created.
- Click Settings to see your app id and app secret.
- Under Settings set the contact email.
- Under the Status and Review section, set your app to be Live.
- Then in the same section, enable the email and public_profile items.
- Verify on the Dashboard that the API version is 2.5, if it is not, you may need to modify some code in Startup.Auth.cs.
After everything is configured, restart the IIS App Pool to enable the new configuration.
Configure IssuerUri for IdentityServer on web farms
The IssuerUri option on the IdentityServer is used both to create tokens and to generate the TokenValidationParameters. On token generation, the token audience and issuer values are set from the IssuerUri option. On token validation, the audienceUri is created from the IssuerUri. It doesn't have to be a valid URI; it can be anything unique to your company.
A common implementation mistake is made when setting the IdentityServerUrl. If it is set in the app.config to the IP address of the server, then each server stamps its own unique issuer URI into the access tokens it creates. If a request is then redirected to a server whose issuer URI does not match the one in the access token, a token error is generated. To correct this, configure the IssuerUri with the same value on every server across the web farm.
For Insite, the IssuerUri is set in Startup.Auth.cs. Update the following line of Startup.Auth.cs from

```csharp
IssuerUri = ConfigurationManager.AppSettings["IdentityServerUrl"],
```

to a URL that is unique to your site and identical on every server in the web farm:

```csharp
IssuerUri = "https://youwebsiteuniqueurl.com",
```

The line sits inside the IdentityServerOptions initializer in Startup.Auth.cs:

```csharp
SecurityOptions.IdentityServerOptions = new IdentityServerOptions
{
    SiteName = "Insite Commerce - Identity Server",
    // Issuer and audience of every token this server creates; must be identical on all web-farm nodes
    IssuerUri = ConfigurationManager.AppSettings["IdentityServerUrl"],
    CspOptions = new CspOptions { Enabled = false },
    SigningCertificate = Certificate.Get(),
    Factory = Factory.Configure(ConnectionStringProvider.Current.ConnectionStringName),
    CorsPolicy = Thinktecture.IdentityServer.Core.Configuration.CorsPolicy.AllowAll,
    AuthenticationOptions = new AuthenticationOptions
    {
        // External login providers (Google, Facebook, ...) are registered in this method
        IdentityProviders = ConfigureIdentityProviders
    },
#if DEBUG
    RequireSsl = false,
#endif
};
```
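If you prefer to keep the IssuerUri in configuration rather than hardcoding it, the following added helper (not part of Insite's code) catches the web-farm mistake described above at startup: it rejects an IssuerUri that names a single machine (an IP literal, localhost, or the node's own machine name), so a node that was configured with its own address refuses to start instead of issuing tokens that the other nodes cannot validate. The class name, method and the use of Environment.MachineName are assumptions for the example.

```csharp
using System;
using System.Configuration;

public static class IssuerUriCheck
{
    // Hypothetical startup guard for Startup.Auth.cs. Every node in the farm must stamp the
    // identical issuer/audience into the tokens it creates, so any value tied to one server
    // is a misconfiguration rather than a valid choice.
    public static string ResolveIssuerUri(string configured, string machineName)
    {
        if (string.IsNullOrWhiteSpace(configured))
        {
            throw new ConfigurationErrorsException("IdentityServerUrl (IssuerUri) must be set.");
        }

        // The issuer need not be a resolvable URL, so only inspect it when it parses as one;
        // an opaque company-specific string passes through unchanged.
        Uri uri;
        if (Uri.TryCreate(configured, UriKind.Absolute, out uri) && !string.IsNullOrEmpty(uri.Host))
        {
            bool machineSpecific =
                uri.HostNameType == UriHostNameType.IPv4
                || uri.HostNameType == UriHostNameType.IPv6
                || uri.Host.Equals("localhost", StringComparison.OrdinalIgnoreCase)
                || uri.Host.Equals(machineName, StringComparison.OrdinalIgnoreCase);

            if (machineSpecific)
            {
                throw new ConfigurationErrorsException(
                    "IssuerUri '" + configured + "' identifies a single server; "
                    + "configure the same farm-wide value on every node.");
            }
        }

        return configured;
    }
}
```

Use it in the IdentityServerOptions initializer as `IssuerUri = IssuerUriCheck.ResolveIssuerUri(ConfigurationManager.AppSettings["IdentityServerUrl"], Environment.MachineName),`. A configuration error during app pool start-up is far easier to diagnose than intermittent token errors that only appear once the load balancer sends a user to a different node.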