Disclaimer: This website requires Please enable JavaScript in your browser settings for the best experience.

HomeDev GuideRecipesAPI Reference
Dev GuideAPI ReferenceUser GuideLegal TermsGitHubNuGetDev CommunityOptimizely AcademySubmit a ticketLog In
Dev Guide

PaaS CMS Core + OpenID

How to use the EPiServer OpenIDConnect addon.

Prerequisites

You must have the following to use PaaS CMS Core and OpenID:

  • Empty or existing Optimizely CMS.
  • Install EPiServer.OpenIDConnect add-on.
  • Postman.

CMS setup

  1. Open your Optimizely CMS solution and install theEPiServer.OpenIDConnect addon.
dotnet add EPiServer.OpenIDConnect
  1. Open the Startup.cs file and add this sample line of code.
services.AddOpenIDConnect<ApplicationUser>(
            useDevelopmentCertificate: true,
            signingCertificate: null,
            encryptionCertificate: null,
            createSchema: true,
            options =>
            {
                var baseUri = new Uri(_frontendUri);// _frontendUri is your application client url
                options.RequireHttps = !_webHostingEnvironment.IsDevelopment();
                options.DisableTokenPruning = true;
                options.DisableSlidingRefreshTokenExpiration = true;

                options.Applications.Add(new OpenIDConnectApplication
                {
                    ClientId = "frontend",
                    Scopes = { "openid", "offline_access", "profile", "email", "roles", ContentDeliveryApiOptionsDefaults.Scope },
                    PostLogoutRedirectUris = { baseUri },
                    RedirectUris =
                    {
                        new Uri(baseUri, "/api/auth/callback/optimizely_cms"),
                        new Uri("https://oauth.pstmn.io/v1/callback") // for trying out with postman purpose
                    },
                });
            });

        services.AddOpenIDConnectUI();

        // No encrypt the token so it's easier to debug, not recommend for production.
        services.AddOpenIddict()
            .AddServer(options => options.DisableAccessTokenEncryption());
  1. Run the website.

Try it out using Postman

  1. Import https://cg.optimizely.com/app/swagger/swagger.json to the Postman collection.
  2. Set up the variable for the collection, which includes:
    • baseUrl – https://cg.optimizely.com
    • appKey – your AppKey
    • appSecret – your AppSecret
  1. Set up the Authorization method. For simplicity, it should be Basic Auth, and put your appKey and appSecret as Username and Password.
  1. Update OIDC configs for EPiServer OpenIdConnect, they are:
    • audience – {{your_clientId}} eg: frontend
    • issuer – {{your_CMS_URL}} eg: http://localhost:8082/

📘

Note

You can get these two values from ID Token

eyJhbGciOiJSUzI1NiIsImtpZCI6IkY3RUVBN0UzQTJCODhGOUVFMDRBNjczNzEyRENGQTAwRjhBNEQxOEQiLCJ4NXQiOiI5LTZuNDZLNGo1N2dTbWMzRXR6NkFQaWswWTAiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiIxMTdkM2UwYy03ZDMwLTQyMGUtYWYxYi02ZTczZGVmOTEwNDciLCJvaV9hdV9pZCI6IjgxZWRlYTIzLTZmZDgtNDQ5Ny05MDY1LWZmNzk4M2E0YjhmOCIsImF6cCI6ImZyb250ZW5kIiwiYXRfaGFzaCI6IlBrYW93ZVRidExHNWx4alZOZEgwRmciLCJvaV90a25faWQiOiJlODVmMTdlNC1jMDg4LTRlODQtOTI3ZC1hNDU2MzczZDU2YTQiLCJhdWQiOiJmcm9udGVuZCIsImV4cCI6MTcwMzU2MzQxMSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgyLyIsImlhdCI6MTcwMzU2MjIxMX0.NuuTGBOxDsvatOZgQAc6zwISbn-DAyQcSi3kWVKywU58h_4inNYPEvFY3wTdLrWN9vIg6lsWexEeF5_rx58np3aIUNIpuqrXTed0tsPCrGvQcEljs39epwbcEYtxZnSUIelMSwZQF4nXlAELQemQhukVdQu5zrJIAQLAQ176cAp7QG7Y1eEn5WfGFdxuRCWbBzl_i0SjCWKSYeePeQ8or3cYgCYZ2FmnhoKLJkIfaWdgkh2F1toVpyz4KZKMKJtHMaKF6FZjEcQUm8M8r-YkbPVF7Zm1wDe9cepeMWGjXwouAZW4GAMUVheIdN3TRrend2KMwAizJMOpZQbCFj0NZg
{
  sub 117d3e0c-7d30-420e-af1b-6e73def91047
  oi_au_id 81edea23-6fd8-4497-9065-ff7983a4b8f8
  azp frontend
  at_hash PkaoweTbtLG5lxjVNdH0Fg
  oi_tkn_id e85f17e4-c088-4e84-927d-a456373d56a4
  aud frontend
  exp 1703563411
  iss http://localhost:8082/
  iat 1703562211
}

Generate access token

  1. In Postman, open a new tab.

  2. Select Authorization > Type OAuth 2.0.

  3. Configure New Token.

    • Grant type – Authorization code
    • Callback URL – https://oauth.pstmn.io/v1/callback
    • Authorized using browser – Select it.
    • Auth URL – http://localhost:8082/api/episerver/connect/authorize
    • Access Token URL – http://localhost:8082/api/episerver/connect/token`
    • Client ID – fill your value
    • Client Secret – fill your value
    • Scope – openid offline_access profile email roles
  4. Click Get New Access Token

Send GraphQL query with an access token

Start query restricted content items with headers: cg-username, cg-roles, cg-tenant-id, and the access_token.

curl --location 'https://cg.optimizely.com/content/v2' \
--header 'cg-tenant-id: 0375753b0b5d43e99934d029b20e3767e' \
--header 'cg-roles: administrators' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsImtpZCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSJ9.eyJhdWQiOiI5NmNiMTUyZS0wMzE2LTQxNTgtOTNmMC1hOWNkZDk4YjI2ZTciLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83YzRhMWI3OS00YjhlLTRhYzctYjdlMS1jNWMzYzVhNGMxMzkvIiwiaWF0IjoxNzAzNTg2MDMwLCJuYmYiOjE3MDM1ODYwMzAsImV4cCI6MTcwMzU4OTkzMCwiYWlvIjoiQVpRQWEvOFZBQUFBL3lLMHdRd05kSFFrQjhjdmp2Qkl1dDAwQzF6Snl5elNJaTQ1Nlk5ZmZVWnQ4ZlRhTy9Qd0YwUlIwbjBYL0FXSGV1Y1JaVXhDc25YZUg1RkhFOFhkQUhNWm1JNmJpMFJzTEFwU3hJcytmNGp1a3dXL3B6ZUluNktXbEN3UFR0YlBJRUN6YTJNVEFRWWZVREZaTWRReEN6dWtRTGwrZDZ0STZFV29IS041UHhsL2JGOE9QSzc4V3lrUnBIbEVPU1d1IiwiYW1yIjpbInB3ZCIsIm1mYSJdLCJlbWFpbCI6IlF1YW5nLlRyYW5AZXBpc2VydmVyLmNvbSIsImZhbWlseV9uYW1lIjoiVHJhbiIsImdpdmVuX25hbWUiOiJNYW5oIFF1YW5nIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvM2VjMDBkNzktMDIxYS00MmQ0LWFhYzgtZGNiMzU5NzNkZmYyLyIsImlwYWRkciI6IjEwMy4zNy4yOS4xMDYiLCJuYW1lIjoiUXVhbmcgVHJhbiIsIm9pZCI6IjRhMWM2YTY4LTIyYjctNDViMS05MjZiLThmMzk2MjhhMzc0NCIsInJoIjoiMC5BVEFBZVJ0S2ZJNUx4MHEzNGNYRHhhVEJPUzRWeTVZV0ExaEJrX0NwemRtTEp1Y3dBSTguIiwicm9sZXMiOlsiRXZlcnlvbmUiLCJDb250ZW50LkVkaXRvcnMiLCJDb250ZW50LkFkbWlucyIsIkFkbWluaXN0cmF0b3JzIl0sInN1YiI6IjQ0WnhYRFl5cFZuaFhXM3VfXzFJeW9aUWduR2J6ZllQRWVFTGotQnpnUVUiLCJ0aWQiOiI3YzRhMWI3OS00YjhlLTRhYzctYjdlMS1jNWMzYzVhNGMxMzkiLCJ1bmlxdWVfbmFtZSI6InF1YW5nLnRyYW5AZXBpc2VydmVyLmNvbSIsInV0aSI6IkN4Z1JIMk1wOWtLd2YxUVRqQzVfQVEiLCJ2ZXIiOiIxLjAifQ.u_qpkNvXRzkYy0yrVvbXLOetWVpAOyjKLTe1I_eKo72r2JtpidaQCnHRQejQuC3WYOBIbJGRPcmtw5HvDdCobhg6WJNNux4SIDufG2AxD1cq_d-ThEtPaYR0ZbUQEYeW83HYUYLqyl4wEkOVgZdCv3vBuuABGAlQIxu8_VjCR89k-pawKic7hykhy4Flp7Bx2rz6LyBKYPwY8eb9kDWtXIqGT3Pp38BBQp2VFkV4Lm71lCgYJMCOA_3b3LHjVknwtvnqL785yY5wCKNhe-yC_kTbWuOGYGaw67V6J-goJ4RYZOGRgr5kMalmNJB5USeWPkEboV8oAeIlVgDghd9ypw' \
--data '{"query":"query MyQuery {\n  ArtistDetailsPage {\n    items {\n      ArtistName\n      ArtistGenre\n      ArtistIsHeadliner\n      Ancestors\n      ArtistDescription\n      ArtistPhoto\n      Status\n    }\n  }\n}","variables":{}}'