
PaaS CMS Core + OpenID

How to use the Open ID Connect app (add-on).

Prerequisites

You must have the following to use PaaS CMS Core and OpenID:

  • Empty or existing Optimizely CMS.
  • Install EPiServer.OpenIDConnect add-on.
  • Postman.

CMS setup

  1. Open your Optimizely CMS solution and install the EPiServer.OpenIDConnect add-on.

    dotnet add package EPiServer.OpenIDConnect
  2. Open the Startup.cs file and add this sample code.

    services.AddOpenIDConnect<ApplicationUser>(
      useDevelopmentCertificate: true,
      signingCertificate: null,
      encryptionCertificate: null,
      createSchema: true,
      options => {
        var baseUri = new Uri(_frontendUri); // _frontendUri is your application client URL
        options.RequireHttps = !_webHostingEnvironment.IsDevelopment();
        options.DisableTokenPruning = true;
        options.DisableSlidingRefreshTokenExpiration = true;
    
        options.Applications.Add(new OpenIDConnectApplication {
          ClientId = "frontend",
          Scopes = {
            "openid",
            "offline_access",
            "profile",
            "email",
            "roles",
            ContentDeliveryApiOptionsDefaults.Scope
          },
          PostLogoutRedirectUris = {
            baseUri
          },
          RedirectUris = {
            new Uri(baseUri, "/api/auth/callback/optimizely_cms"),
            new Uri("https://oauth.pstmn.io/v1/callback") // only for trying it out with Postman
          },
        });
      });
    
    services.AddOpenIDConnectUI();
    
    // Do not encrypt the access token so that it is easier to debug; not recommended for production.
    services.AddOpenIddict()
      .AddServer(options => options.DisableAccessTokenEncryption());
  3. Run the website.
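
The registration from step 2 with its try-it-out settings (development certificate, Postman callback, unencrypted access tokens) limited to the Development environment. This is an added example, not Optimizely's code; it assumes `_configuration` is the `IConfiguration` injected into Startup, that the `OpenIDConnect:*` configuration keys (hypothetical names) point at PFX files, and that the two certificate parameters accept `X509Certificate2`.

```csharp
// Added example: goes in Startup.ConfigureServices in place of the step-2 sample.
// Assumptions: _configuration (IConfiguration) and the "OpenIDConnect:*" keys are
// hypothetical; the certificate parameters are assumed to take X509Certificate2
// (namespace System.Security.Cryptography.X509Certificates).
var isDevelopment = _webHostingEnvironment.IsDevelopment();

X509Certificate2 LoadCertificate(string section) => new X509Certificate2(
    _configuration[$"{section}:Path"], _configuration[$"{section}:Password"]);

services.AddOpenIDConnect<ApplicationUser>(
    useDevelopmentCertificate: isDevelopment,
    signingCertificate: isDevelopment ? null : LoadCertificate("OpenIDConnect:Signing"),
    encryptionCertificate: isDevelopment ? null : LoadCertificate("OpenIDConnect:Encryption"),
    createSchema: true,
    options =>
    {
        var baseUri = new Uri(_frontendUri);
        options.RequireHttps = !isDevelopment;
        options.DisableTokenPruning = true;
        options.DisableSlidingRefreshTokenExpiration = true;

        var frontend = new OpenIDConnectApplication
        {
            ClientId = "frontend",
            Scopes =
            {
                "openid", "offline_access", "profile", "email", "roles",
                ContentDeliveryApiOptionsDefaults.Scope
            },
            PostLogoutRedirectUris = { baseUri },
            RedirectUris = { new Uri(baseUri, "/api/auth/callback/optimizely_cms") },
        };
        if (isDevelopment)
        {
            // Postman's hosted callback is only needed for the manual test on this page.
            frontend.RedirectUris.Add(new Uri("https://oauth.pstmn.io/v1/callback"));
        }
        options.Applications.Add(frontend);
    });

services.AddOpenIDConnectUI();

if (isDevelopment)
{
    // Unencrypted access tokens are a debugging aid; the page marks them as not for production.
    services.AddOpenIddict()
        .AddServer(options => options.DisableAccessTokenEncryption());
}
```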

Try it out using Postman

  1. Import https://cg.optimizely.com/app/swagger/swagger.json to the Postman collection.

  2. Set up the variable for the collection, which includes:

    • baseUrl – https://cg.optimizely.com

    • appKey – your AppKey

    • appSecret – your AppSecret

  3. Set up the Authorization method. For simplicity, it should be Basic Auth, and put your appKey and appSecret as Username and Password.

  4. Update the OIDC configuration for EPiServer OpenIdConnect. The values are:

    • audience – {{your_clientId}}, e.g. frontend
    • issuer – {{your_CMS_URL}}, e.g. http://localhost:8082/

      Note

      You can get these two values from the ID token:

      eyJhbGciOiJSUzI1NiIsImtpZCI6IkY3RUVBN0UzQTJCODhGOUVFMDRBNjczNzEyRENGQTAwRjhBNEQxOEQiLCJ4NXQiOiI5LTZuNDZLNGo1N2dTbWMzRXR6NkFQaWswWTAiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiIxMTdkM2UwYy03ZDMwLTQyMGUtYWYxYi02ZTczZGVmOTEwNDciLCJvaV9hdV9pZCI6IjgxZWRlYTIzLTZmZDgtNDQ5Ny05MDY1LWZmNzk4M2E0YjhmOCIsImF6cCI6ImZyb250ZW5kIiwiYXRfaGFzaCI6IlBrYW93ZVRidExHNWx4alZOZEgwRmciLCJvaV90a25faWQiOiJlODVmMTdlNC1jMDg4LTRlODQtOTI3ZC1hNDU2MzczZDU2YTQiLCJhdWQiOiJmcm9udGVuZCIsImV4cCI6MTcwMzU2MzQxMSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgyLyIsImlhdCI6MTcwMzU2MjIxMX0.NuuTGBOxDsvatOZgQAc6zwISbn-DAyQcSi3kWVKywU58h_4inNYPEvFY3wTdLrWN9vIg6lsWexEeF5_rx58np3aIUNIpuqrXTed0tsPCrGvQcEljs39epwbcEYtxZnSUIelMSwZQF4nXlAELQemQhukVdQu5zrJIAQLAQ176cAp7QG7Y1eEn5WfGFdxuRCWbBzl_i0SjCWKSYeePeQ8or3cYgCYZ2FmnhoKLJkIfaWdgkh2F1toVpyz4KZKMKJtHMaKF6FZjEcQUm8M8r-YkbPVF7Zm1wDe9cepeMWGjXwouAZW4GAMUVheIdN3TRrend2KMwAizJMOpZQbCFj0NZg
      {
        "sub": "117d3e0c-7d30-420e-af1b-6e73def91047",
        "oi_au_id": "81edea23-6fd8-4497-9065-ff7983a4b8f8",
        "azp": "frontend",
        "at_hash": "PkaoweTbtLG5lxjVNdH0Fg",
        "oi_tkn_id": "e85f17e4-c088-4e84-927d-a456373d56a4",
        "aud": "frontend",
        "exp": 1703563411,
        "iss": "http://localhost:8082/",
        "iat": 1703562211
      }
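
One way to read the audience and issuer values out of an ID token without pasting it into an online decoder, as an added example that is not part of the original page. It is a stand-alone .NET console program; the sample token is constructed in code from the `aud`, `iss` and `exp` values in the note above and carries no signature.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

// Pass an ID token as the first argument, or run without arguments to use the constructed sample.
var token = args.Length > 0 ? args[0] : ConstructedSample();
var (issuer, audiences, expires) = ReadOidcSettings(token);
Console.WriteLine($"issuer   : {issuer}");
Console.WriteLine($"audience : {string.Join(", ", audiences)}");
Console.WriteLine($"expires  : {expires:u}");

// Reads iss/aud/exp from the payload segment. It does NOT verify the signature,
// so use the result only to copy configuration values, never to trust a token.
static (string Issuer, string[] Audiences, DateTimeOffset Expires) ReadOidcSettings(string jwt)
{
    var segments = jwt.Split('.');
    if (segments.Length != 3)
        throw new FormatException("Expected three dot-separated segments (header.payload.signature).");

    using var payload = JsonDocument.Parse(FromBase64Url(segments[1]));
    var claims = payload.RootElement;

    // "aud" may be a single string or an array of strings.
    var aud = claims.GetProperty("aud");
    var audiences = aud.ValueKind == JsonValueKind.Array
        ? aud.EnumerateArray().Select(a => a.GetString() ?? "").ToArray()
        : new[] { aud.GetString() ?? "" };

    return (claims.GetProperty("iss").GetString() ?? "",
            audiences,
            DateTimeOffset.FromUnixTimeSeconds(claims.GetProperty("exp").GetInt64()));
}

static byte[] FromBase64Url(string s)
{
    s = s.Replace('-', '+').Replace('_', '/'); // base64url alphabet -> base64
    return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
}

// Constructed sample: an unsigned token carrying the aud, iss and exp values shown in the note.
static string ConstructedSample()
{
    const string claims = "{\"aud\":\"frontend\",\"iss\":\"http://localhost:8082/\",\"exp\":1703563411}";
    static string Encode(string json) => Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
        .TrimEnd('=').Replace('+', '-').Replace('/', '_');
    return Encode("{\"typ\":\"JWT\"}") + "." + Encode(claims) + ".";
}
```

The printed issuer must match the configured value character for character, including the trailing slash in `http://localhost:8082/`.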

Generate access token

  1. In Postman, open a new tab.

  2. Select Authorization > Type OAuth 2.0.

  3. Configure New Token.

    • Grant type – Authorization code
    • Callback URL – https://oauth.pstmn.io/v1/callback
    • Authorized using browser – Select it.
    • Auth URL – http://localhost:8082/api/episerver/connect/authorize
    • Access Token URL – http://localhost:8082/api/episerver/connect/token
    • Client ID – fill your value
    • Client Secret – fill your value
    • Scope – openid offline_access profile email roles
  4. Click Get New Access Token.

Send GraphQL query with an access token

Query the restricted content items by sending the cg-tenant-id header and the access_token value as a Bearer token in the Authorization header.

curl --location 'https://cg.optimizely.com/content/v2' \
--header 'Content-Type: application/json' \
--header 'cg-tenant-id: 0375753b0b5d43e99934d029b20e3767e' \
--header 'Authorization: Bearer <access_token>' \
--data '{"query":"query MyQuery {\n  ArtistDetailsPage {\n    items {\n      ArtistName\n      ArtistGenre\n      ArtistIsHeadliner\n      Ancestors\n      ArtistDescription\n      ArtistPhoto\n      Status\n    }\n  }\n}","variables":{}}'