PaaS CMS Core + OpenID
How to use the EPiServer OpenIDConnect addon.
Prerequisites
You must have the following to use PaaS CMS Core and OpenID:
- Empty or existing Optimizely CMS.
- Install the EPiServer.OpenIDConnect add-on.
- Postman.
CMS setup
- Open your Optimizely CMS solution and install the EPiServer.OpenIDConnect add-on.
    dotnet add package EPiServer.OpenIDConnect
- Open the Startup.cs file and add this sample code.
    // Goes where the IServiceCollection (services) is configured in Startup.cs.
    services.AddOpenIDConnect<ApplicationUser>(
        useDevelopmentCertificate: true, // development certificate; no real certificates are supplied below
        signingCertificate: null,
        encryptionCertificate: null,
        createSchema: true,
        options =>
        {
            var baseUri = new Uri(_frontendUri); // _frontendUri is your application client URL
            options.RequireHttps = !_webHostingEnvironment.IsDevelopment();
            options.DisableTokenPruning = true;
            options.DisableSlidingRefreshTokenExpiration = true;
            options.Applications.Add(new OpenIDConnectApplication
            {
                ClientId = "frontend",
                Scopes = { "openid", "offline_access", "profile", "email", "roles", ContentDeliveryApiOptionsDefaults.Scope },
                PostLogoutRedirectUris = { baseUri },
                RedirectUris =
                {
                    new Uri(baseUri, "/api/auth/callback/optimizely_cms"),
                    new Uri("https://oauth.pstmn.io/v1/callback") // for trying out with Postman
                },
            });
        });

    services.AddOpenIDConnectUI();

    // Do not encrypt the access token so it is easier to debug; not recommended for production.
    services.AddOpenIddict()
        .AddServer(options => options.DisableAccessTokenEncryption());
- Run the website.
Try it out using Postman
- Import https://cg.optimizely.com/app/swagger/swagger.json to the Postman collection.
- Set up the variables for the collection, which include:
  - baseUrl – https://cg.optimizely.com
  - appKey – your AppKey
  - appSecret – your AppSecret
- Set up the Authorization method. For simplicity, use Basic Auth and enter your appKey and appSecret as the Username and Password.
- Update the OIDC configs for EPiServer OpenIdConnect. They are:
  - audience – {{your_clientId}}, e.g. frontend
  - issuer – {{your_CMS_URL}}, e.g. http://localhost:8082/

Note
You can get these two values from the ID token:
eyJhbGciOiJSUzI1NiIsImtpZCI6IkY3RUVBN0UzQTJCODhGOUVFMDRBNjczNzEyRENGQTAwRjhBNEQxOEQiLCJ4NXQiOiI5LTZuNDZLNGo1N2dTbWMzRXR6NkFQaWswWTAiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiIxMTdkM2UwYy03ZDMwLTQyMGUtYWYxYi02ZTczZGVmOTEwNDciLCJvaV9hdV9pZCI6IjgxZWRlYTIzLTZmZDgtNDQ5Ny05MDY1LWZmNzk4M2E0YjhmOCIsImF6cCI6ImZyb250ZW5kIiwiYXRfaGFzaCI6IlBrYW93ZVRidExHNWx4alZOZEgwRmciLCJvaV90a25faWQiOiJlODVmMTdlNC1jMDg4LTRlODQtOTI3ZC1hNDU2MzczZDU2YTQiLCJhdWQiOiJmcm9udGVuZCIsImV4cCI6MTcwMzU2MzQxMSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgyLyIsImlhdCI6MTcwMzU2MjIxMX0.NuuTGBOxDsvatOZgQAc6zwISbn-DAyQcSi3kWVKywU58h_4inNYPEvFY3wTdLrWN9vIg6lsWexEeF5_rx58np3aIUNIpuqrXTed0tsPCrGvQcEljs39epwbcEYtxZnSUIelMSwZQF4nXlAELQemQhukVdQu5zrJIAQLAQ176cAp7QG7Y1eEn5WfGFdxuRCWbBzl_i0SjCWKSYeePeQ8or3cYgCYZ2FmnhoKLJkIfaWdgkh2F1toVpyz4KZKMKJtHMaKF6FZjEcQUm8M8r-YkbPVF7Zm1wDe9cepeMWGjXwouAZW4GAMUVheIdN3TRrend2KMwAizJMOpZQbCFj0NZg
{
  "sub": "117d3e0c-7d30-420e-af1b-6e73def91047",
  "oi_au_id": "81edea23-6fd8-4497-9065-ff7983a4b8f8",
  "azp": "frontend",
  "at_hash": "PkaoweTbtLG5lxjVNdH0Fg",
  "oi_tkn_id": "e85f17e4-c088-4e84-927d-a456373d56a4",
  "aud": "frontend",
  "exp": 1703563411,
  "iss": "http://localhost:8082/",
  "iat": 1703562211
}
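Added example (not part of the original page or of the add-on's code): a Python helper that reads the aud and iss values the note refers to from a token, and reports when the token is an encrypted JWE, which is the form an access token takes when DisableAccessTokenEncryption() is not applied. The function names and the sample token are constructed for illustration, and decoding the payload does not verify the signature.

```python
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def oidc_settings_from_token(token: str, now=None) -> dict:
    """Read aud/iss from a signed, unencrypted JWT. Does NOT verify the signature."""
    parts = token.strip().split(".")
    if len(parts) == 5:
        # Five segments is the JWE compact form (an encrypted token);
        # its claims cannot be read without the decryption key.
        raise ValueError("token is encrypted (JWE); claims are not readable")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 segments, got %d" % len(parts))
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    if str(header.get("alg", "")).lower() == "none":
        raise ValueError("unsigned token (alg=none); do not take config values from it")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])  # aud may be a string or a list
    if not audiences or "iss" not in claims:
        raise ValueError("token has no aud or iss claim")
    now = time.time() if now is None else now
    # A token without exp is reported as expired rather than trusted.
    return {"audience": audiences, "issuer": claims["iss"],
            "expired": claims.get("exp", 0) <= now}


def make_sample(header: dict, claims: dict) -> str:
    """Build a constructed sample token; the signature segment is a dummy."""
    segs = [base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
            for p in (header, claims)]
    return ".".join(segs + ["c2ln"])


# Constructed sample reusing the aud/iss/exp values shown in the note above.
SAMPLE_ID_TOKEN = make_sample(
    {"alg": "RS256", "typ": "JWT"},
    {"aud": "frontend", "iss": "http://localhost:8082/", "exp": 1703563411},
)

if __name__ == "__main__":
    print(oidc_settings_from_token(SAMPLE_ID_TOKEN))
```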
Generate access token
- In Postman, open a new tab.
- Select Authorization > Type OAuth 2.0.
- Configure New Token.
  - Grant type – Authorization code
  - Callback URL – https://oauth.pstmn.io/v1/callback
  - Authorize using browser – Select it.
  - Auth URL – http://localhost:8082/api/episerver/connect/authorize
  - Access Token URL – http://localhost:8082/api/episerver/connect/token
  - Client ID – fill your value
  - Client Secret – fill your value
  - Scope – openid offline_access profile email roles
- Click Get New Access Token
Send GraphQL query with an access token
Start querying restricted content items with the headers cg-username, cg-roles, cg-tenant-id, and the access_token.
curl --location 'https://cg.optimizely.com/content/v2' \
--header 'cg-tenant-id: 0375753b0b5d43e99934d029b20e3767e' \
--header 'cg-roles: administrators' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsImtpZCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSJ9.eyJhdWQiOiI5NmNiMTUyZS0wMzE2LTQxNTgtOTNmMC1hOWNkZDk4YjI2ZTciLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83YzRhMWI3OS00YjhlLTRhYzctYjdlMS1jNWMzYzVhNGMxMzkvIiwiaWF0IjoxNzAzNTg2MDMwLCJuYmYiOjE3MDM1ODYwMzAsImV4cCI6MTcwMzU4OTkzMCwiYWlvIjoiQVpRQWEvOFZBQUFBL3lLMHdRd05kSFFrQjhjdmp2Qkl1dDAwQzF6Snl5elNJaTQ1Nlk5ZmZVWnQ4ZlRhTy9Qd0YwUlIwbjBYL0FXSGV1Y1JaVXhDc25YZUg1RkhFOFhkQUhNWm1JNmJpMFJzTEFwU3hJcytmNGp1a3dXL3B6ZUluNktXbEN3UFR0YlBJRUN6YTJNVEFRWWZVREZaTWRReEN6dWtRTGwrZDZ0STZFV29IS041UHhsL2JGOE9QSzc4V3lrUnBIbEVPU1d1IiwiYW1yIjpbInB3ZCIsIm1mYSJdLCJlbWFpbCI6IlF1YW5nLlRyYW5AZXBpc2VydmVyLmNvbSIsImZhbWlseV9uYW1lIjoiVHJhbiIsImdpdmVuX25hbWUiOiJNYW5oIFF1YW5nIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvM2VjMDBkNzktMDIxYS00MmQ0LWFhYzgtZGNiMzU5NzNkZmYyLyIsImlwYWRkciI6IjEwMy4zNy4yOS4xMDYiLCJuYW1lIjoiUXVhbmcgVHJhbiIsIm9pZCI6IjRhMWM2YTY4LTIyYjctNDViMS05MjZiLThmMzk2MjhhMzc0NCIsInJoIjoiMC5BVEFBZVJ0S2ZJNUx4MHEzNGNYRHhhVEJPUzRWeTVZV0ExaEJrX0NwemRtTEp1Y3dBSTguIiwicm9sZXMiOlsiRXZlcnlvbmUiLCJDb250ZW50LkVkaXRvcnMiLCJDb250ZW50LkFkbWlucyIsIkFkbWluaXN0cmF0b3JzIl0sInN1YiI6IjQ0WnhYRFl5cFZuaFhXM3VfXzFJeW9aUWduR2J6ZllQRWVFTGotQnpnUVUiLCJ0aWQiOiI3YzRhMWI3OS00YjhlLTRhYzctYjdlMS1jNWMzYzVhNGMxMzkiLCJ1bmlxdWVfbmFtZSI6InF1YW5nLnRyYW5AZXBpc2VydmVyLmNvbSIsInV0aSI6IkN4Z1JIMk1wOWtLd2YxUVRqQzVfQVEiLCJ2ZXIiOiIxLjAifQ.u_qpkNvXRzkYy0yrVvbXLOetWVpAOyjKLTe1I_eKo72r2JtpidaQCnHRQejQuC3WYOBIbJGRPcmtw5HvDdCobhg6WJNNux4SIDufG2AxD1cq_d-ThEtPaYR0ZbUQEYeW83HYUYLqyl4wEkOVgZdCv3vBuuABGAlQIxu8_VjCR89k-pawKic7hykhy4Flp7Bx2rz6LyBKYPwY8eb9kDWtXIqGT3Pp38BBQp2VFkV4Lm71lCgYJMCOA_3b3LHjVknwtvnqL785yY5wCKNhe-yC_kTbWuOGYGaw67V6J-goJ4RYZOGRgr5kMalmNJB5USeWPkEboV8oAeIlVgDghd9ypw' \
--data '{"query":"query MyQuery {\n ArtistDetailsPage {\n items {\n ArtistName\n ArtistGenre\n ArtistIsHeadliner\n Ancestors\n ArtistDescription\n ArtistPhoto\n Status\n }\n }\n}","variables":{}}'