How to set up the Content Delivery API with Entra ID (formerly Azure AD) and OpenID Connect

<1> Set up Entra ID for the CMS

Follow the steps in the docs below to configure Entra ID (formerly Azure AD) with the CMS.


<2> Integrate the Content Delivery API with Entra ID into the CMS site

Step 1: Install the JwtBearer and Content Delivery API packages:

Note: You can add the packages directly to the “.csproj” file like this:
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="6.0.23" />
<PackageReference Include="EPiServer.ContentDeliveryApi.Cms" Version="3.9.0" />
<PackageReference Include="EPiServer.ContentDefinitionsApi" Version="3.9.0" />
<PackageReference Include="EPiServer.ContentManagementApi" Version="3.9.0" />

Step 2: Update the Startup.cs file

using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Inside ConfigureServices(IServiceCollection services):

// AAD auth info
var clientId = _configuration["Authentication:AzureClientID"];
var clientSecret = "YOUR CLIENT SECRET "; // placeholder: load it from configuration or a secret store, never commit it
var callbackPath = "/signin-oidc";
var azureAuthority = _configuration["Authentication:azureAuthority"];
var cookieSchema = "azure-cookie";
var challengeSchema = "azure";

// Fetch the OpenID Connect metadata (issuer, signing keys) from the authority once at startup.
// Entra ID rotates its signing keys; the JwtBearer handler refreshes them itself when options.Authority is set.
var oidcConfig = new ConfigurationManager<OpenIdConnectConfiguration>(
        $"{azureAuthority}/.well-known/openid-configuration",
        new OpenIdConnectConfigurationRetriever())
    .GetConfigurationAsync().Result;

// Authentication config
services
    .AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = cookieSchema;
        options.DefaultChallengeScheme = challengeSchema;
    })
    // Bearer scheme: validates the JWT sent with Content Delivery API requests
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = azureAuthority,        // must equal the "iss" claim of the token
            ValidateIssuer = true,
            ValidAudience = clientId,            // the id_token's "aud" is the app's client ID
            ValidateAudience = true,
            ValidateLifetime = true,
            IssuerSigningKeys = oidcConfig.SigningKeys,
            ValidateIssuerSigningKey = true
        };
    })
    .AddCookie(cookieSchema, options =>
    {
        // same as the last docs
    })
    .AddOpenIdConnect(challengeSchema, options =>
    {
        // same as the last docs
    });

// Add content delivery config
services.AddContentDefinitionsApi(c =>
{
    c.DisableScopeValidation = true; // scope claims in the token are not checked; issuer, audience, lifetime and signature still are
});

services.AddContentManagementApi(c =>
{
    c.DisableScopeValidation = true;
});


Step 3: Test the CD API

  1. Make sure you can log in to the CMS using the Entra ID account from Section 1.
  2. After accessing Admin mode, set up a page that is visible only to Administrators, not to Everyone.

  3. This page has ID = 9, so we will first request this content in Postman with no authentication. It should return a 401 Unauthorized error, since the content is not visible to Everyone. Query: https://localhost:5000/api/episerver/v3.0/content/9

  4. In this example, we will get the JWT to communicate with the CD API using the URL: {TENANTID}/oauth2/v2.0/token For more information: In this case, we will use the id_token to authenticate. Decoding the token, we can see that it has 3 roles.

  5. Request the content again with the Bearer token; the content should be returned now.
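The following is an added example, not code from the original post or from Optimizely. It shows what the TokenValidationParameters from Step 2 actually enforce and how the role inspection in Step 4 works: it base64url-decodes a token, applies the same issuer, audience and lifetime rules, and lists the roles claim. The signature is deliberately not checked here (the JwtBearer handler does that against oidcConfig.SigningKeys). AUTHORITY and CLIENT_ID are placeholders for your Authentication:azureAuthority and Authentication:AzureClientID values, fetch_content is a hypothetical helper for steps 3 and 5, and the demo token and its role names are constructed.

```python
"""Inspect an Entra ID id_token the way the CMS JwtBearer handler will (added example)."""
import base64
import json
import time
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple

# Placeholders for the values read from configuration in Startup.cs
AUTHORITY = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0"
CLIENT_ID = "CLIENT-ID-PLACEHOLDER"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWS into (header, payload) WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def validate_claims(payload: Dict, authority: str = AUTHORITY,
                    client_id: str = CLIENT_ID, now: Optional[float] = None) -> List[str]:
    """Return the reasons the Step 2 TokenValidationParameters would reject this token.

    An empty list means issuer, audience and lifetime pass; the signature check is separate.
    """
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != authority:                      # ValidateIssuer / ValidIssuer
        problems.append(f"iss {payload.get('iss')!r} != ValidIssuer {authority!r}")
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:                                # ValidateAudience / ValidAudience
        problems.append(f"aud {aud!r} does not contain ValidAudience {client_id!r}")
    if "exp" not in payload:                                 # ValidateLifetime needs an exp
        problems.append("no exp claim")
    elif payload["exp"] < now:
        problems.append("token expired")
    if payload.get("nbf", 0) > now:
        problems.append("token not yet valid (nbf is in the future)")
    return problems


def roles_in(payload: Dict) -> List[str]:
    """Entra ID puts the assigned app roles in the 'roles' array claim; absent means none."""
    roles = payload.get("roles", [])
    return list(roles) if isinstance(roles, list) else [roles]


def fetch_content(url: str, token: Optional[str] = None) -> int:
    """Steps 3 and 5: GET a CD API URL with or without a Bearer token and return the HTTP status."""
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # the 401 Unauthorized from step 3 arrives here
        return err.code


def make_demo_token(payload: Dict) -> str:
    """Build a CONSTRUCTED, unsigned demo token (dummy signature segment) for offline use."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo-kid"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()), "demo-signature"])


if __name__ == "__main__":
    # Constructed token with three sample roles, as in step 4
    good = make_demo_token({"iss": AUTHORITY, "aud": CLIENT_ID,
                            "exp": int(time.time()) + 3600,
                            "roles": ["SampleRoleA", "SampleRoleB", "SampleRoleC"]})
    _, claims = decode_jwt(good)
    print("problems:", validate_claims(claims), "roles:", roles_in(claims))
    # Token minted for another app and already expired: both rules fire
    stale = make_demo_token({"iss": AUTHORITY, "aud": "some-other-app", "exp": 0})
    print("problems:", validate_claims(decode_jwt(stale)[1]))
```

Run it stand-alone to see the offline checks; to reproduce steps 3 and 5 against a real site, call fetch_content("https://localhost:5000/api/episerver/v3.0/content/9") with and without the id_token obtained from the token endpoint and compare the status codes. A token for which validate_claims reports a problem will be rejected by the JwtBearer handler before the CD API ever looks at its roles.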