Skip to main content

Sitecore Custom API Issue with Federation Authentication

Sitecore Custom API Issue with Federation Authentication

In earlier segments, detailed in Part 1 and Part 2 of the blogs on Keycloak Integration with Sitecore, I introduced Keycloak functionality for CM login. Concurrently, I addressed a necessity to develop custom APIs for retrieving Sitecore users and roles.

Following the development of custom APIs, during authentication failures, the API erroneously returned a status code of 200 instead of 401.


The problem arose because API requests were being routed through the "owin.identityProviders" pipeline, which was not intended for API usage.

Solution:

When OWIN identifies a 401 response and the AuthenticationMode is set to "Active," it fails to capture the URL hash included in the request.

Another choice is to activate the "Passive" AuthenticationMode, wherein OWIN refrains from actively intercepting 401 responses. In passive mode, your application needs to explicitly issue a Challenge to trigger the OWIN authorization process.

To resolve this problem, I implemented a Passive mode like so: 'AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive', which successfully resolved the issue.
 public class KeycloakIdentityProvider : IdentityProvidersProcessor   
   {   
    protected override string IdentityProviderName => "keycloak";   
    private string ClientId => Settings.GetSetting(KeycloakSettings.ClientId, "");   
    private string ClientSecret => Settings.GetSetting(KeycloakSettings.ClientSecret, "");   
    private string Authority => Settings.GetSetting(KeycloakSettings.Authority, "");   
    private string MetadataAddress => Settings.GetSetting(KeycloakSettings.MetadataAddress, "");   
    private string RedirectURL => Settings.GetSetting(KeycloakSettings.RedirectURL, "");   
    private readonly string OpenIdScope = OpenIdConnectScope.OpenIdProfile + " email";   
    private readonly string idToken = "id_token";   
    private readonly string accessDeniedRelativePath = "/custom/errorpages/Forbidden.aspx";   
    public KeycloakIdentityProvider(FederatedAuthenticationConfiguration federatedAuthenticationConfiguration, Microsoft.Owin.Infrastructure.ICookieManager cookieManager, BaseSettings settings) : base(federatedAuthenticationConfiguration, cookieManager, settings)   
    {   
    }   
    protected IdentityProvider IdentityProvider { get; set; }   
    protected override void ProcessCore(IdentityProvidersArgs args)   
    {   
     IdentityProvider = this.GetIdentityProvider();   
     var httphandler = new HttpClientHandler();   
     httphandler.DefaultProxyCredentials = CredentialCache.DefaultCredentials;   
     httphandler.CheckCertificateRevocationList = true;   
     httphandler.ServerCertificateCustomValidationCallback = (message, cert, chain, sslPolicyErrors) =>   
     {   
      return true;   
     };   
     var options = new OpenIdConnectAuthenticationOptions   
     {    
      AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
      BackchannelHttpHandler = httphandler,   
      //Backchannel = httpclient,   
      RequireHttpsMetadata = false,   
      MetadataAddress = MetadataAddress,   
      ClientId = ClientId,   
      ClientSecret = ClientSecret,   
      Authority = Authority,   
      RedirectUri = RedirectURL,   
      ResponseType = OpenIdConnectResponseType.Code,   
      Scope = OpenIdScope,   
      AuthenticationType = IdentityProvider.Name,   
      RedeemCode = true,   
      TokenValidationParameters = new TokenValidationParameters   
      {   
       NameClaimType = "name"   
      },   
      Notifications = new OpenIdConnectAuthenticationNotifications   
      {   
       RedirectToIdentityProvider = notification =>   
       {   
        if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)   
        {   
         if (Sitecore.Context.User.IsAuthenticated)   
         {   
          notification.HandleResponse();   
          notification.Response.Redirect(Settings.GetSetting("Identity.sso.launchpad"));   
         }   
         else   
         {   
          notification.ProtocolMessage.SetParameter("kc_idp_hint", "saml");   
         }   
        }   
        if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)   
        {   
         // If signing out, add the id_token_hint   
         var idTokenClaim = notification.OwinContext.Authentication.User.FindFirst(idToken);   
         if (idTokenClaim != null)   
          notification.ProtocolMessage.IdTokenHint = idTokenClaim.Value;   
        }   
        return System.Threading.Tasks.Task.CompletedTask;   
       }   
      }   
     };   
     args.App.UseKentorOwinCookieSaver();   
     args.App.UseOpenIdConnectAuthentication(options);   
    }   
   }
Labels:

Comments

Post a Comment

Popular posts from this blog

Azure AD Integration with Sitecore 10.2

 Azure AD Integration with Sitecore 10.2 Sitecore identity server that comes with Sitecore 9.1 allows you to log in through an external identity provider like Azure Active Directory, Facebook, Apple, or Google. It is built on Federation Authentication. What is Federation Authentication? Federation authentication is a technology to allows users to access multiples application, tools, and domains using one credential. Using one set of credential user can access multiple applications, and resources after authentication.  Federation authentication consists of two systems, the Identity provider and the Service provider. Identity providers that maintain/create/manage identity information like name, email address, device, and location. Some examples of identity providers are Azure AD, Google, Facebook, and Apple. Service providers basically refer to a website, software, or app that the user is trying to access and SP basically relies on the identity provider to authenticate the user and provi
Post a Comment
Read more

Sitecore 10.2 - “Failed to start service ‘Sitecore Marketing Automation Engine’” on Windows 11

Sitecore 10.2 - “Failed to start service ‘Sitecore Marketing Automation Engine' ” on Windows 11 Today I started to install Sitecore 10.2 using Sitecore Instance Manager on Windows 11 and I got this issue “Failed to start service ‘Sitecore Marketing Automation Engine' ” . Error : On event viewer it was showing the below error: I also tried to run ‘ Sitecore.MAEngine.exe ’ like this C:\Windows\system32>C:\inetpub\wwwroot\sclocal102xconnect.dev.local\App_Data\jobs\continuous\AutomationEngine\Sitecore.MAEngine.exe Which was throwing below error: Starting Marketing Automation Engine... 2022-01-29 22:21:11 ERR Error initializing XConnect client. System.AggregateException: One or more errors occurred. ---> Sitecore.XConnect.XdbCollectionUnavailableException: An error occurred while sending the request. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected err
Post a Comment
Read more

Sitecore CDP Certification - Tips and Tricks

Sitecore CDP Certification - Tips and Tricks Recently I completed Sitecore CDP (Customer Data Platform) certification. In this blog, I will share my personal experience and the steps I took to successfully complete the Sitecore CDP certification. Before diving into the certification journey, I researched various resources to plan my preparation effectively: CDP Certificate Competency  Competency 1: Customer Data Platform Competency 2: Real-time Behavior Data Ingestion Competency 3: Interactive API Competency 4: Batch Data Ingestion Competency 5: Audience Sync and Batch Segments Official Documentation https://doc.sitecore.com/cdp/en/users/sitecore-cdp/index-en.html   https://doc.sitecore.com/cdp/en/developers/api/index-en.html#UUID-980f86cc-d900-1d49-3523-030e16d197a2  https://doc.sitecore.com/cdp/ https://learning.sitecore.com/pages/66/sitecore-learning-home CDP & Personalize Mind Map A highly beneficial resource you can discover is the Mind Map . Exam Details The Sitecore CDP Cert
Post a Comment
Read more