How to setup Content Delivery API with Entra ID (formerly Azure AD) and OpenIDConnect

  • Updated

<1> Setup Entra ID for CMS

Following the steps in the docs below to config Entra ID (formerly Azure AD) with CMS
https://support.optimizely.com/hc/en-us/articles/20767067525773

 

<2> Integrated CD with Entra ID into CMS site

Step 1: Install JwtBearer and content delivery API package:

Note: You can add the package directly to “.csproj” file to install like this
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="6.0.23" />
<PackageReference Include="EPiServer.ContentDeliveryApi.Cms" Version="3.9.0" />
<PackageReference Include="EPiServer.ContentDefinitionsApi" Version="3.9.0" />
<PackageReference Include="EPiServer.ContentManagementApi" Version="3.9.0" />

Step 2: Update Startup.cs file

// AAD Auth info
           var clientId = _configuration["Authentication:AzureClientID"];
           var clientSecret = "YOUR CLIENT SECRET ";
           var callbackPath = "/signin-oidc";
           var azureAuthority = _configuration["Authentication:azureAuthority"];
           var cookieSchema = "azure-cookie";
           var challengeSchema = "azure";
           var oidcConfig = new ConfigurationManager<OpenIdConnectConfiguration>($"{azureAuthority}/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever()).GetConfigurationAsync().Result;
   
// Authentication Config
           services
             .AddAuthentication(options =>
             {
                 options.DefaultAuthenticateScheme = cookieSchema;
                 options.DefaultChallengeScheme = challengeSchema;
             })
             .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme,
                 options =>
                 {
                     options.TokenValidationParameters = new TokenValidationParameters
                     {
                         ValidIssuer = azureAuthority,
                         ValidateIssuer = true,
                         ValidAudience = clientId,
                         ValidateAudience = true,
                         ValidateLifetime = true,
                         IssuerSigningKeys = oidcConfig.SigningKeys,
                         ValidateIssuerSigningKey = true
                     };
                  })
             .AddCookie(cookieSchema, options =>
             {
                 //same as last docs~~~
             })

              .AddOpenIdConnect(challengeSchema, options =>
             {
               //same as last docs~~~
             })

// Add content delivery config

            services.AddContentDeliveryApi(JwtBearerDefaults.AuthenticationScheme)
               .WithFriendlyUrl()
               .WithSiteBasedCors();

            services.AddContentDefinitionsApi(c =>
           {
               c.DisableScopeValidation = true;
           });

            services.AddContentManagementApi(c =>
           {
              c.DisableScopeValidation = true;
           });

 

Step 3: Try to test the CD API

  1. Make sure you can log in to the CMS using the Entra ID account from Section 1
  2. After accessing Admin mode, set up a page that is not visible to Everyone but Administrators only


  3. This page has ID = 9 so we will send a request to get this content in Postman but with no authentication first. It should return a 401 Unauthorized error as this content will not be visible for Everyone Query: https://localhost:5000/api/episerver/v3.0/content/9


  4. In this example, we will get the JWT to communicate with CD using the URL: https://login.microsoftonline.com/{TENNANTID}/oauth2/v2.0/token For more information: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc#authorization-request In this case, we will use the id_token to authenticate. Decode the token we can see that has 3 roles



  5. Try to get the content again with the Bearer token and the content should return now