Authenticate Sitecore extranet users using OAuth 2.0 / OpenID Connect

Authenticate Sitecore extranet users using OAuth 2.0 / OpenID Connect

I recently had to hook OAuth 2.0 / OpenID Connect authentication into Sitecore (for the published site, not the CMS) and struggled to find good implementation examples online – so I decided to publish a simple module to GitHub. You can find it here: – this post outlines how it works and how to install and use it.

Context / Limitations

The implementation currently assumes an implicit flow and has been built against a provider based on IdentityServer3. In the future I am planning to add support for other flows and showcase the use of other providers – but at this stage this is merely a simple example implementation for OpenID Connect. Hence I have also decided to not (yet) provide a ready-to-use package.

How it works

The implementation is centred across 2 simple processors in the HttpRequestBegin pipeline. The first one is the LoginRedirector which checks whether the user has access to the item he is requesting. If he does not have access and is not authenticated yet, the request is bounced to the OpenId Connect Provider. The second processor is the OAuthSignInCallback which is invoked after the user successfully authenticated at the provider and the provider invoked the callback URL. This processor validates the token provided from the OpenId Connect Provider, creates a user with roles based on the claims provided and signs the user in as a virtual user.

How to use it

  1. Configure your provider. Ensure you set up the correct scopes (e.g. including roles), configure the correct callback URL and client ID.
  2. Build the module (standalone or use the classes in your project) and configure the settings for the Sitecore pipeline processors in the patch file provided.
  3. Configure an instance of the IClaimsMapper interface in dependency injection. I have provided a sample OpenIdClaimsMapper which works fine against IdendityServer3.
  4. Secure items in Sitecore. Simply break inheritance or deny read access for the extranet\Anonymous user on the parent item of your logged-in section

Now when an anonymous user browses to the secured item, he will be redirected to the OpenId Connect Provider for login and after the successful handshake, the user is logged in as a virtual user wiht the correct roles assigned (based on claims).

Check out the source in GitHub here.

4 thoughts on “Authenticate Sitecore extranet users using OAuth 2.0 / OpenID Connect

  1. I have a requirement to integrate OWIN based the IdentityServer3 with Sitecore, I am using Sitecore 8 with Angular Js for functional aspects, I want to use IdentityServer3 for B2C login for the Sitecore Website, tried multiple approaches, but unsuccessful in finding solution. Do you think that this is possible ? Please post your views.

    1. Yes, the example implementation in this post uses Identity Server. Depending on how you use Angular JS in your front-end this might change slightly (e.g. if your site is a single page app) but the concept is the same.

  2. Very  nice article. This has been very helpful. When would the AuthenticationHelper.Logout() get called ? Thanks in advance.

    1. You would call that from your custom code to trigger a logout, e.g. via a controller action. That’s were the code base is a bit of an incomplete example…

Leave a Reply

Your email address will not be published. Required fields are marked *