Request access token to call a web service with OAuth2

This flow is recommended for applications that can run their logic on a dedicated backend server outside of the browser.

For the purpose of this demo a third party MVC app that lists Sitefinity CMS` news items, that specific user has access to, is created. The recommended OAuth flow for such scenarios is the Authorization code. For more information about OAuth authorization code flow see IETF's The OAuth 2.0 Authorization Framework.

First you must setup a third party app in the Sitefinity CMS backend. 

1. Navigate to Administration » Settings » Advanced » Authentication » OAuthServer » AuthorizedClients.
2. Click Create new.
   The AuthorizedClients page appears
3. Fill out ClientId field.
   For instance, type NewsApp.
4. Fill out Secret field.
   For instance, type testsecret.
5. Expand the newly created NewsApp client.
6. Click RedirectUrls.
7. Click Create new.
8. Add the redirect URL that is going to be used by the third party app. The URL must match exactly the URL used by the app to listen for the authorization code.
   Use the following URL structure: https://<yourdomaim>/callback
9. Click Save changes.
10. Restart Sitefinity CMS.

Then you must configure the server endpoints:

1. Navigate to Administration » Settings » Advanced » Authentication » OAuthServer.
2. Fill out AuthorizeEndpointPath.
   This is a OAuth 2 endpoint for authorizing third party requests. For instance, /sitefinity/oauth/authorize.
3. Fill out TokenEndpointPath.
   This is Oauth 2 endpoint for tokens. For instance, /sitefinity/oauth/token.
4. Fill out AccessTokenTime.
   Indicates for how long the access token is valid in seconds.
5. Fill out RefreshTokenTime.
   Indicate for how long the refresh token is valid in seconds.
   

Next lets create the third party app that will access the news items in Sitefinity.

Here`s the code for the controller. Keep in mind that this is for demo only. You must always use secure network protocols such as TLS. Also this is a bare bones authroization example that does not take advantage of the built in ASP.NET Core helper methods for OAuth2 authentication. Hence you could use it in any kind of application with server side backend. For SPA applications use the implicit flow in a similar bare bones fashion or with JS library of your choice for OAuth2 authorization.

The controller checks for the authorization cookie`s presence and if not triggers authorization request to Sitefinity CMS. There the user is asked to authenticate and then returned to the callback path with the authroization code. There the third party app makes a request using the code to receive access_token for the user which is persisted in the authroization cookie. Finally the user is redirected back to list the news item using the access token stored in the cookie.

This flow is recommended for applications that can run their logic only inside the user`s browser - Single Page Application (SPA)

First, register the SPA in Sitefinity CMS:

1. Navigate to Administration » Settings » Advanced » Authentication » OAuthServer » AuthorizedClients
2. Click Create new.
3. Fill out the ClientID.
   For instance, SPAclient.
   

   NOTE: For implicit flow configuration, you don't need a secret.

4. Click Save changes.
5. Expand the newly created client.
6. Click RedirectUrls.
7. Click Create new.
8. Enter the URL of the callback.html file.
   Use the following URL structure: https://<yourdomaim>/callback.html
9. Click Save changes.
10. Navigate to Administration » Settings » Advanced » Security
11. Fill out the AccessControlAllowOrigin field.
    This is to enable CORS for JS apps to be able to call Sitefinity CMS services. For this demo, enter * to enable all domains. This is not recommended for production environments as this could be a security concern.
12.  Click Save changes.

The next sample shows how to  create a simple JS app that lists all the created news items in Sitefinity that a specific user has access to.

The app checks if there is an access token and if not, it redirects to Sitefinity CMS where the user is authenticated and an access token is returned to the callback.html page. It saves it in the local storage and returns the browser back to the original page where news items allowed for the current user are shown.
For logout functionality you should clear the token from local storage and then also logout from Sitefinity CMS using Sitefinity`s logout rest api. For more information, see Authentication sign out endpoint.

You can also take advantage of refresh tokens so as not to prompt the user again to authenticate if the current access token expires.