I recently had to hook OAuth 2.0 / OpenID Connect authentication into Sitecore (for the published site, not the CMS) and struggled to find good implementation examples online – so I decided to publish a simple module to GitHub. You can find it here: https://github.com/heikof/sitecore-openidconnect – this post outlines how it works and how to install and use it.
Context / Limitations
The implementation currently assumes an implicit flow and has been built against a provider based on IdentityServer3. In the future I am planning to add support for other flows and showcase the use of other providers – but at this stage this is merely a simple example implementation for OpenID Connect. Hence I have also decided to not (yet) provide a ready-to-use package.
How it works
The implementation is centred on two simple processors in the HttpRequestBegin pipeline. The first one is the LoginRedirector, which checks whether the user has access to the item he is requesting. If he does not have access and is not authenticated yet, the request is bounced to the OpenId Connect Provider. The second processor is the OAuthSignInCallback, which is invoked after the user has successfully authenticated at the provider and the provider has invoked the callback URL. This processor validates the token provided by the OpenId Connect Provider, creates a user with roles based on the claims provided and signs the user in as a virtual user.
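To make the callback step concrete, here is an added sketch of what such an OAuthSignInCallback processor can look like; it is example code written for this post, not the module's own source. It assumes System.IdentityModel.Tokens.Jwt 5.x, a hypothetical minimal IClaimsMapper shape, placeholder issuer/client values, and a nonce cookie set by the redirecting processor.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Web;
using Microsoft.IdentityModel.Tokens;
using Sitecore.Pipelines.HttpRequest;
using Sitecore.Security.Accounts;
using Sitecore.Security.Authentication;
// Hypothetical shape of the module's IClaimsMapper (assumption; the repo's interface may differ).
public interface IClaimsMapper
{
    string GetUserName(ClaimsPrincipal principal);
    string[] GetRoles(ClaimsPrincipal principal);
}
public class OAuthSignInCallback : HttpRequestProcessor
{
    // Placeholders: these must match the client configured at the provider.
    private const string CallbackPath = "/signin-oidc";
    private const string Issuer = "https://idsrv.example";
    private const string ClientId = "sitecore-client";
    private const string NonceCookie = "oidc.nonce";
    private readonly IClaimsMapper _mapper;
    private readonly SecurityKey _signingKey; // provider's public signing key (e.g. from its JWKS endpoint)
    public OAuthSignInCallback(IClaimsMapper mapper, SecurityKey signingKey) { _mapper = mapper; _signingKey = signingKey; }
    public override void Process(HttpRequestArgs args)
    {
        var request = HttpContext.Current.Request;
        if (!request.Url.AbsolutePath.Equals(CallbackPath, System.StringComparison.OrdinalIgnoreCase)) return;
        // Implicit flow with response_mode=form_post: the id_token arrives in the POST body.
        var idToken = request.Form["id_token"];
        var expectedNonce = request.Cookies[NonceCookie]?.Value;
        if (string.IsNullOrEmpty(idToken) || string.IsNullOrEmpty(expectedNonce)) { args.AbortPipeline(); return; }
        ClaimsPrincipal principal;
        try
        {
            // Signature, issuer, audience and lifetime are all checked before any claim is trusted.
            var parameters = new TokenValidationParameters
            { ValidIssuer = Issuer, ValidAudience = ClientId, IssuerSigningKey = _signingKey, ValidateLifetime = true };
            SecurityToken validated;
            principal = new JwtSecurityTokenHandler().ValidateToken(idToken, parameters, out validated);
        }
        catch (SecurityTokenException) { args.AbortPipeline(); return; }
        // The nonce ties this token to the login request this browser started (replay protection).
        if (principal.FindFirst("nonce")?.Value != expectedNonce) { args.AbortPipeline(); return; }
        // Sign in as a Sitecore virtual user carrying the roles derived from the claims.
        var user = AuthenticationManager.BuildVirtualUser("extranet\\" + _mapper.GetUserName(principal), true);
        foreach (var role in _mapper.GetRoles(principal)) user.Roles.Add(Role.FromName("extranet\\" + role));
        AuthenticationManager.LoginVirtualUser(user);
    }
}
```

In a real deployment the nonce cookie should be cleared once consumed and the signing key refreshed from the provider's discovery document rather than held statically.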
How to use it
- Configure your provider. Ensure you set up the correct scopes (e.g. including roles), configure the correct callback URL and client ID.
- Build the module (standalone or use the classes in your project) and configure the settings for the Sitecore pipeline processors in the patch file provided.
- Configure an instance of the IClaimsMapper interface in dependency injection. I have provided a sample OpenIdClaimsMapper which works fine against IdentityServer3.
- Secure items in Sitecore. Simply break inheritance or deny read access for the extranet\Anonymous user on the parent item of your logged-in section.
Now when an anonymous user browses to the secured item, he will be redirected to the OpenId Connect Provider for login, and after the successful handshake the user is logged in as a virtual user with the correct roles assigned (based on claims).