Setup AAD with Form Headless API
Linh Hoang edited this page Sep 10, 2024
1. Open https://portal.azure.com/#home
   - Open Create a resource > Search for Entra ID > Select Entra ID
   - Select Microsoft Entra ID > Click the Create button
   - Tenant type: Microsoft Entra ID
   - Add details:
     - Organization name:
     - Initial domain name:
     - Country/Region:
   - Click the Create button
   - Switch to the new directory/tenant:
     - Open the directory by clicking the new tenant
     - You can switch to a different AD by clicking the user icon on the top right > Switch directory
2. Open the AD > Select Microsoft Entra ID > Click the Users menu > Click New user and fill in the data for each user to create:
   - Administrators: [email protected]
   - WebEditor: [email protected]
   - WebAdmin: [email protected]
   - PWD: password

   Notes: Log in to the Azure portal (https://portal.azure.com) with each of the above users in a different browser to change the password.
3. Open Entra ID > Select App registrations on the left menu > New registration > Fill in the data:
   - App name:
   - Account type:
   - Redirect URI: (leave blank)
   - Click Register
4. Open the created app registration > Select Authentication > Click Add a platform > Select Web > Add the following info:
   - Redirect URIs: https://domain:8000/
   - Front-channel logout URL: https://domain:8000/util/Logout
   - Check ID tokens
   - Click the Configure button
   - Add URIs:
5. Add New client secret > Click the Add button > Description:
   - Get client info:
     - Value: (ClientSecret)
     - Secret ID:
6. Select Token configuration > Add a groups claim
7. Select API permissions > Click Grant admin consent for AD organization.
8. Select Expose an API > Click Add to edit the Application ID URI with the format https://{domain}/{registered_app_name} (refer to Steps 1 and 3 for the domain and app name):
   - Click Add a scope > Fill in the data
   - Click the Add scope button
9. Open Manifest > Update appRoles:

   ```json
   "appRoles": [
     {
       "allowedMemberTypes": [
         "User"
       ],
       "description": "Admin the site",
       "displayName": "Administrators",
       "id": "5d40a133-3be3-4c77-8a72-9ea895c9d9dc",
       "isEnabled": true,
       "lang": null,
       "origin": "Application",
       "value": "Administrators"
     },
     {
       "allowedMemberTypes": [
         "User"
       ],
       "description": "Admin can manage the site",
       "displayName": "WebAdmins",
       "id": "15fdcd66-0446-4777-9c6f-132120240227",
       "isEnabled": true,
       "lang": null,
       "origin": "Application",
       "value": "WebAdmins"
     },
     {
       "allowedMemberTypes": [
         "User"
       ],
       "description": "Editor can edit the site",
       "displayName": "WebEditors",
       "id": "9c58404d-f70c-4f9a-9546-64daf963b306",
       "isEnabled": true,
       "lang": null,
       "origin": "Application",
       "value": "WebEditors"
     }
   ]
   ```
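Before saving the manifest it is worth checking that the appRoles entries are consistent: the portal only reports a duplicate `id` or `value` when you save, and a disabled or mistyped `value` silently never appears in the `roles` claim of the user's token. The following Python is an added example, not code from the original page or from Optimizely Forms. The sample manifests are constructed from the three roles above, with one deliberately broken entry appended so the checks have something to report; the "no spaces in value" rule follows the Entra app-role documentation.

```python
import uuid

# Constructed sample: the three appRoles from the manifest step above.
GOOD_MANIFEST = {
    "appRoles": [
        {"allowedMemberTypes": ["User"], "description": "Admin the site",
         "displayName": "Administrators", "id": "5d40a133-3be3-4c77-8a72-9ea895c9d9dc",
         "isEnabled": True, "lang": None, "origin": "Application", "value": "Administrators"},
        {"allowedMemberTypes": ["User"], "description": "Admin can manage the site",
         "displayName": "WebAdmins", "id": "15fdcd66-0446-4777-9c6f-132120240227",
         "isEnabled": True, "lang": None, "origin": "Application", "value": "WebAdmins"},
        {"allowedMemberTypes": ["User"], "description": "Editor can edit the site",
         "displayName": "WebEditors", "id": "9c58404d-f70c-4f9a-9546-64daf963b306",
         "isEnabled": True, "lang": None, "origin": "Application", "value": "WebEditors"},
    ]
}

# Constructed sample: the same roles plus one copy-pasted entry with several defects.
BROKEN_MANIFEST = {
    "appRoles": GOOD_MANIFEST["appRoles"] + [
        {"allowedMemberTypes": ["Group"], "description": "copy-pasted entry",
         "displayName": "Web Admins", "id": "not-a-guid",
         "isEnabled": "true", "lang": None, "origin": "Application", "value": "WebAdmins"},
    ]
}

REQUIRED_KEYS = {"allowedMemberTypes", "description", "displayName", "id", "isEnabled", "value"}
ALLOWED_MEMBER_TYPES = {"User", "Application"}


def validate_app_roles(manifest: dict) -> list:
    """Return a list of problems; an empty list means the appRoles array is consistent."""
    roles = manifest.get("appRoles")
    if not isinstance(roles, list):
        return ["appRoles is missing or not a list"]
    problems, seen_ids, seen_values = [], set(), set()
    for i, role in enumerate(roles):
        where = f"appRoles[{i}]"
        missing = REQUIRED_KEYS - set(role)
        if missing:
            problems.append(f"{where}: missing keys {sorted(missing)}")
            continue
        # id must be a GUID and unique within the app registration
        try:
            uuid.UUID(str(role["id"]))
        except ValueError:
            problems.append(f"{where}: id {role['id']!r} is not a GUID")
        if role["id"] in seen_ids:
            problems.append(f"{where}: duplicate id {role['id']}")
        seen_ids.add(role["id"])
        # value is what lands in the token's roles claim: unique, no spaces
        if role["value"] in seen_values:
            problems.append(f"{where}: duplicate value {role['value']!r}")
        seen_values.add(role["value"])
        if " " in role["value"]:
            problems.append(f"{where}: value {role['value']!r} contains a space")
        unknown = set(role["allowedMemberTypes"]) - ALLOWED_MEMBER_TYPES
        if unknown or not role["allowedMemberTypes"]:
            problems.append(f"{where}: allowedMemberTypes must be a non-empty subset of {sorted(ALLOWED_MEMBER_TYPES)}")
        # a JSON string "true" is not a boolean; the portal rejects it
        if not isinstance(role["isEnabled"], bool):
            problems.append(f"{where}: isEnabled must be a JSON boolean, got {role['isEnabled']!r}")
    return problems


def enabled_role_values(manifest: dict) -> set:
    """The strings that can appear in the 'roles' claim of an assigned user's token."""
    return {r["value"] for r in manifest.get("appRoles", []) if r.get("isEnabled") is True}


if __name__ == "__main__":
    print("good manifest:", validate_app_roles(GOOD_MANIFEST) or "ok")
    for problem in validate_app_roles(BROKEN_MANIFEST):
        print("broken manifest:", problem)
    print("roles expected in tokens:", sorted(enabled_role_values(GOOD_MANIFEST)))
```

Run it against the manifest you are about to paste into the portal (load it with `json.load`) and compare `enabled_role_values` with the role names the site expects; a role that is valid in the manifest but never assigned under Users and groups still produces a token without a `roles` claim.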
10. Open Overview > Click the Managed application in local directory link
11. Select Users and groups from the left sidebar > Add user/group
12. In the Add Assignment page, select:
    - User: select the user created in Step 2 or any available user
    - Role: select a role defined in the Manifest settings at Step 9
13. Open Entra ID details > Open App registrations > Open the app details and get the following data:
    - Application ID:
    - Directory (tenant) ID:
With Azure AD created for a local site (e.g., https://domain:8000/), you have the following data:

- AAD users:
  - Administrators: [email protected]
  - WebEditor: [email protected]
  - WebAdmin: [email protected]
  - PWD: devLab08@@
- Authentication information:
  - AzureClientID: ""
  - AzureTenantID: ""
  - Client_Secret: ""
Add the OpenID Connect package to the site project:

```xml
<PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="6.x.xx" />
```

Note: use 6.x.xx for net6, 7.x.xx for net7, 8.x.xx for net8.
In appsettings.json, add the listening URL and the authentication values collected above (AzureTenantID holds the full v2.0 authority URL, not just the tenant GUID):

```json
{
  "urls": "https://*:8000/",
  "AllowedHosts": "*",
  "Authentication": {
    "AzureClientID": "{client ID}",
    "AzureTenantID": "https://login.microsoftonline.com/{tenantID}/v2.0",
    "CallbackPath": "/signin-oidc"
  }
}
```
Add the Forms packages:

```xml
<PackageReference Include="Optimizely.Cms.Forms.Service" Version="0.1.0" />
<PackageReference Include="EPiServer.Forms" Version="5.8.0" />
```
Change the identity registration line into:

```csharp
services.AddCmsAspNetIdentity<ApplicationUser>()
    .AddAdminUserRegistration(options => options.Behavior = RegisterAdminUserBehaviors.Disabled | RegisterAdminUserBehaviors.LocalRequestsOnly);
```
Configure the Headless API with Azure AD:

```csharp
services.AddOptimizelyFormsService(options =>
{
    options.EnableOpenApiDocumentation = true;
    options.FormCorsPolicy = new FormCorsPolicy
    {
        // Browsers do not send credentials to a wildcard origin; list the
        // calling site's origins explicitly when AllowCredentials is true.
        AllowOrigins = new string[] { "*" },
        AllowCredentials = true
    };
    // Configuration keys are case-insensitive, so these match the
    // "AzureTenantID" / "AzureClientID" entries in appsettings.json.
    // Authority must equal the token's "iss" claim and Audience its "aud" claim.
    options.OpenIDConnectClients.Add(new()
    {
        Authority = _configuration["Authentication:azureTenantID"],
        Audience = _configuration["Authentication:azureClientID"],
    });
});
```
Get a token from the Azure AD endpoint and pass it along with the headless API request:

- POST method: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token
  - client_id: {AzureClientId}
  - client_secret: {ClientSecret}
  - username / password: {AAD users}
  - scope: User.Read openid profile
  - grant_type: password
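The token request above and the `Authority`/`Audience` settings in `AddOptimizelyFormsService` are two halves of one check: a bearer validator keyed on those values accepts only a JWT whose `iss` equals Authority and whose `aud` equals Audience, and the site can map the user to a role only if the token's `roles` claim carries one of the manifest values assigned under Users and groups. The following Python is an added example, not code from the original page or from Optimizely. `CONFIG` and the credentials are placeholders to replace with the values collected above, the sample token is constructed and unsigned, and the assumption that the headless service validates tokens with a standard JWT bearer validator on those two claims is mine. It builds the ROPC request exactly as listed, decodes (without verifying) the claims of each token the endpoint returns, and reports which token would be rejected and why. Note that Microsoft documents ROPC as a legacy flow that does not work for accounts with MFA or federated sign-in.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholder configuration; copy the values from the recap list above.
# AzureTenantID is the authority URL, exactly as in appsettings.json.
CONFIG = {
    "AzureTenantID": "https://login.microsoftonline.com/{tenantID}/v2.0",
    "AzureClientID": "{client ID}",
    "Client_Secret": "{ClientSecret}",
}
# The "value" strings of the appRoles defined in the manifest step.
EXPECTED_ROLES = {"Administrators", "WebAdmins", "WebEditors"}


def tenant_from_authority(authority: str) -> str:
    """'https://login.microsoftonline.com/<tenant>/v2.0' -> '<tenant>'."""
    return urllib.parse.urlparse(authority).path.strip("/").split("/")[0]


def build_token_request(config: dict, username: str, password: str):
    """URL and form body for the ROPC request listed above."""
    tenant = tenant_from_authority(config["AzureTenantID"])
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = {
        "client_id": config["AzureClientID"],
        "client_secret": config["Client_Secret"],
        "username": username,
        "password": password,
        "scope": "User.Read openid profile",
        "grant_type": "password",
    }
    return url, form


def fetch_tokens(config: dict, username: str, password: str) -> dict:
    """POST the form and return the JSON response (access_token, id_token, ...)."""
    url, form = build_token_request(config, username, password)
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)


def decode_claims(jwt: str) -> dict:
    """Read a JWT payload without verifying it. Diagnostic only: the headless
    service performs the real signature and claim validation."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(claims: dict, config: dict, expected_roles: set) -> list:
    """Reasons a validator with Authority=AzureTenantID and Audience=AzureClientID
    (assumed to be how the service checks tokens) would reject these claims."""
    problems = []
    if claims.get("iss") != config["AzureTenantID"]:
        problems.append(f"iss {claims.get('iss')!r} != Authority {config['AzureTenantID']!r}")
    if claims.get("aud") != config["AzureClientID"]:
        problems.append(f"aud {claims.get('aud')!r} != Audience {config['AzureClientID']!r}")
    if not set(claims.get("roles", [])) & expected_roles:
        problems.append("no manifest app role in 'roles'; check the Users and groups assignment")
    return problems


def bearer_header(token: str) -> dict:
    """Header to send with the headless API request."""
    return {"Authorization": f"Bearer {token}"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned token in JWT layout, for offline demonstration only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


# Constructed ID token for a user assigned the WebAdmins role.
SAMPLE_ID_TOKEN = make_sample_jwt({
    "iss": CONFIG["AzureTenantID"], "aud": CONFIG["AzureClientID"],
    "preferred_username": "user@{domain}", "roles": ["WebAdmins"],
})

if __name__ == "__main__":
    tokens = fetch_tokens(CONFIG, "user@{domain}", "{password}")  # placeholder credentials
    for name in ("id_token", "access_token"):
        if name in tokens:
            claims = decode_claims(tokens[name])
            print(name, check_token(claims, CONFIG, EXPECTED_ROLES) or "ok", bearer_header(tokens[name]))
```

With the scope as listed, an access token is issued for the `User.Read` resource and an ID token for the app itself; running the script shows which of the two carries `aud` equal to `AzureClientID`, which is the one a validator configured with that `Audience` will accept.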