Request access token to call a web service with OpenID protocol

This article describes how to use access tokens in HTTP requests to access protected resources such as Sitefinity Web API.

NOTE: This approach is valid only for projects that use the OpenID authentication protocol. For projects on the Default authentication protocol, you must configure Oauth2. For more information, see Configure Oauth2.

You need to perform the following:

  1. Register your app in the Security Token Service, based on IdentityServer3.
  2. Within your app, acquire an access token from the STS.
  3. Add an authorization header Bearer access_token and call the Sitefinity Web API.

Following are two samples demonstrating how to configure your applications with Sitefinity CMS and acquire an access token using the Resource owner flow and the Implicit flow. You can also take a look at the sample MVC application, which can obtain access tokens from Sitefinity CMS with implicit flow and can call the Sitefinity CMS Web API at the GitHub repository.

Resource owner client flow: Request a token by a trusted client

Perform the following:

  1. Navigate to Administration » Settings » Advanced.
  2. In the left pane, expand Authentication » SecurityTokenService » IdentityServer.
  3. Click Clients » Create new.
  4. Fill out the required fields.
    For example, enter the following:
    1. In Client name, enter testApp
    2. In Client Id, enter testApp
    3. Select Enabled checkbox.
    4. In Client flow dropdown box, select ResourceOwner.
    5. Select Allow access to all scopes checkbox.
    6. Save your changes.
  5. Expand the newly created client.
  6. Select Client secret and click Create new.
    1. Enter a secret.
      For example, enter secret
    2. Save your changes.
  7. Select Allow cors origins and click Create new.
    1. Enter the origin that can request tokens from the STS.
      For example, enter http://your-site.com
    2. Save your changes.
  8. Expand Authentication » SecurityTokenService » IdentityServer.
  9. Select Scopes and click Create new.
    1. In Scope name, enter offline_access
    2. In Scope type, enter Resource
  10. Save your changes
  11. To request a token for accessing a protected web services resource, you can use one of the following code samples:
    • JavaScript
      You also need to add the Access-Control-Allow-Origin header to the web.config file and register the domains that can request access tokens. You can register a single domain or allow all domains to request an access token.
    • C#
       

      NOTE: If you have an external project, you must install the official IdentityModel NuGet package. You do not need to do this, if you have already installed Progress.Sitefinity.Authentication NuGet package

For more information about Endpoints, supported by IdentityServer 3, see the following:

Implicit client flow: Request a token by untrusted client

Perform the following:

  1. Navigate to Administration » Settings » Advanced.
  2. In the left pane, expand Authentication » SecurityTokenService » IdentityServer.
  3. Click Clients » Create new.
  4. Fill out the required fields.
    For example, enter the following:
    1. In Client name, enter testApp
    2. In Client Id, enter testApp
    3. Select Enabled checkbox.
    4. In Client flow dropdown box, select Implicit
    5. Save your changes.
  5. Expand the newly created client, select RedirectUris and click Create new.
    Enter the URL of your external app and save your changes.
  6. Select PostLogoutRedirectUris and click Create new.
    Enter the URL of your external app and save your changes.
  7. Using Visual Studio, create an MVC app that uses No authentication.
  8. Install following NuGet packages:
    • Microsoft.Owin
    • Microsoft.Owin.Host.SystemWeb
    • Microsoft.Owin.Security.Cookies
    • Microsoft.Owin.Security.Cookies
    • Microsoft.Owin.Security.OpenIdConnect 
  9. Create a Startup.cs class and add the code inside:

    NOTE: You can configure the STS endpoint to be different from http://yoursitefinitysite/Sitefinity/Authenticate/OpenID/connect.
    To do this, navigate to Administration » Settings » Advanced » Authentication » SecurityTokenService » ServicePath.

 

Call oData services in browser-based JavaScript applications

In this tutorial, you create HTTP requests to access Sitefinity CMS OData services using access tokens with Bearer token authentication. To do this, you use a JavaScript OpenID Connect (OIDC) client OAuth2 protocol support for client-side applications.

In this tutorial, you enable users, authenticated in the backend, to obtain access token and have permissions to view News items via a protected service. You can additionally implement other actions authenticated users can complete, such as modify or delete.

The files you work with in this tutorial are:

  • oidc-client.js
    OIDC client and OAuth2 protocol support for browser-based JavaScript applications.
  • silent.html
    Helper page required to obtain access token.
  • news.html
    A sample page demonstrating how to obtain an access token and call the OData services.

NOTE: In this tutorial, you work with specific versions of the files, listed above. You can download these file versions from the GitHub repository.

PREREQUISITES:

Make sure the authentication protocol is set to OpenID (the default authentication protocol in Sitefinity CMS):

  1. Navigate to Administration -> Advanced settings -> Authentication.
  2. From the Authentication protocol dropdown, select OpenId.

To setup the application and create HTTP requests:

  1. Download the following assets:
  2. Paste the assets in the relevant folders in your web application, for example, paste the OIDC client in the scripts folder.

    NOTE: By default, assets are copied to the root folder of your application.

  3. Open the news.html file:
    In the code above you:
    1. Setup the links to where you pasted the silent.html and oidc-client.js, for example, to the scripts folder where you placed the oidc-client.js file.

      NOTE: By default, the links direct to the root folder.

    2. Configure the OIDC client settings:
      Parameter Value Description 
      authority  http://host:port/Sitefinity/Authenticate/OpenID  The absolute path to the external STS. 
      client_id  sitefinity  The client ID configured in the external STS. 
      silent_redirect_uri  http://host:port/<folder where the silent page is located>/silent.html 

      The URL for the page containing the code handling the silent renew. 

      response_type  id_token token 

      The type of response desired from the OIDC/OAuth2 provider. 

      scope  openid The minimum scope, required by the scenario. 
      automaticSilentRenew  true  Automatically renew the access token on the silent page. 

    NOTE: For a full list of OIDC settings, see GitHub OIDC client settings page.
  4. Restart the application.

Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.

Get started with Integration Hub | Sitefinity Cloud | Sitefinity SaaS

This free lesson teaches administrators, marketers, and other business professionals how to use the Integration hub service to create automated workflows between Sitefinity and other business systems.

Web Security for Sitefinity Administrators

This free lesson teaches administrators the basics about protecting yor Sitefinity instance and its sites from external threats. Configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.

Was this article helpful?