This flow is recommended for applications that can run their logic on a dedicated backend server outside of the browser.
For the purpose of this demo a third party MVC app that lists Sitefinity CMS` news items, that specific user has access to, is created.
The recommended OAuth flow for such scenarios is the Authorization code. For more information about OAuth authorization code flow see IETF's The OAuth 2.0 Authorization Framework.
First you must setup a third party app in the Sitefinity CMS backend.
Then you must configure the server endpoints:
Next lets create the third party app that will access the news items in Sitefinity.
Here`s the code for the controller. Keep in mind that this is for demo only. You must always use secure network protocols such as TLS. Also this is a bare bones authroization example that does not take advantage of the built in ASP.NET Core helper methods for OAuth2 authentication. Hence you could use it in any kind of application with server side backend. For SPA applications use the implicit flow in a similar bare bones fashion or with JS library of your choice for OAuth2 authorization.
The controller checks for the authorization cookie`s presence and if not triggers authorization request to Sitefinity CMS. There the user is asked to authenticate and then returned to the callback path with the authroization code. There the third party app makes a request using the code to receive access_token for the user which is persisted in the authroization cookie. Finally the user is redirected back to list the news item using the access token stored in the cookie.
This flow is recommended for applications that can run their logic only inside the user`s browser - Single Page Application (SPA)
First, register the SPA in Sitefinity CMS:
NOTE: For implicit flow configuration, you don't need a secret.
The next sample shows how to create a simple JS app that lists all the created news items in Sitefinity that a specific user has access to.
The app checks if there is an access token and if not, it redirects to Sitefinity CMS where the user is authenticated and an access token is returned to the callback.html page. It saves it in the local storage and returns the browser back to the original page where news items allowed for the current user are shown.
For logout functionality you should clear the token from local storage and then also logout from Sitefinity CMS using Sitefinity`s logout rest api. For more information, see Authentication sign out endpoint.
You can also take advantage of refresh tokens so as not to prompt the user again to authenticate if the current access token expires.
Sign up for our free beginner training. Boost your credentials through advanced courses and certification. Register for Sitefinity training and certification.
To submit feedback, please update your cookie settings and allow the usage of Functional cookies.
Your feedback about this content is important