Channel: Customized Commerce 13 and earlier versions

OpenIDConnect and AccessDenied


Hello,

We are configuring OpenIDConnect during an upgrade to CMS 12 and are plagued with the AccessDenied problem (which I have seen in other posts without a clear solution).

We are forced at the moment to configure the app with "responseType: id_token" due to not being supplied with the secret. So our code contains the following:

.AddCookie("azure-cookie", options =>
{
    options.Events.OnSignedIn = async ctx =>
    {
        if (ctx.Principal?.Identity is ClaimsIdentity claimsIdentity)
        {
            // Syncs user and roles so they are available to the CMS
            var synchronizingUserService = ctx
                .HttpContext
                .RequestServices
                .GetRequiredService<ISynchronizingUserService>();
            await synchronizingUserService.SynchronizeAsync(claimsIdentity);
        }
    };
})
.AddOpenIdConnect("azure", options =>
{
    options.SignInScheme = "azure-cookie";
    options.SignOutScheme = "azure-cookie";
    options.ResponseType = OpenIdConnectResponseType.IdToken;
    options.CallbackPath = "/signin-oidc";
    options.UsePkce = true;

As you can see, the only thing differing from the recommended setup is the options.ResponseType setting. When attempting to access the back office at /episerver/cms, we get redirected to Azure AD login, and when I put a breakpoint in the above code in the OnSignedIn function I can see the role claims containing the expected "WebAdmins" role.

BUT, when continuing we are redirected to /Account/AccessDenied?ReturnUrl=%2Fepiserver%2Fcms

What are we doing wrong?

Thanks for any help with this, Stephen
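A diagnostic a reader could call from the OnSignedIn handler shown above to confirm that the "WebAdmins" claim arrives under the claim type the identity actually consults for role checks (ClaimsIdentity.RoleClaimType, which is what ClaimsPrincipal.IsInRole uses). This is an added example, not code from the original post or from Optimizely; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Claims;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Hypothetical helper, not part of the original post.
static class ClaimDiagnostics
{
    // Logs every role-like claim on the identity and returns whether the
    // expected role is present under the claim type used by IsInRole().
    public static bool LogRoleClaims(ClaimsIdentity identity, ILogger logger, string expectedRole)
    {
        // Defaults to ClaimTypes.Role unless the handler was configured with
        // a different RoleClaimType (e.g. via TokenValidationParameters).
        var roleType = identity.RoleClaimType;
        logger.LogInformation("RoleClaimType in use: {RoleType}", roleType);

        foreach (var claim in identity.Claims)
        {
            var looksLikeRole = claim.Type == roleType
                || claim.Type.EndsWith("role", StringComparison.OrdinalIgnoreCase)
                || claim.Type.EndsWith("roles", StringComparison.OrdinalIgnoreCase);
            if (looksLikeRole)
                logger.LogInformation("Role-like claim: type={Type} value={Value}", claim.Type, claim.Value);
        }

        // A claim with the right value but a different type will not satisfy IsInRole().
        var hasRole = identity.HasClaim(roleType, expectedRole);
        logger.LogInformation("Identity {Name} has role {Role} under {RoleType}: {Has}",
            identity.Name, expectedRole, roleType, hasRole);
        return hasRole;
    }
}

// Usage inside the OnSignedIn delegate from the post (ctx is the CookieSignedInContext):
//   var logger = ctx.HttpContext.RequestServices
//       .GetRequiredService<ILoggerFactory>().CreateLogger("ClaimDiagnostics");
//   ClaimDiagnostics.LogRoleClaims(claimsIdentity, logger, "WebAdmins");
```

If the log shows the role value present only under a type other than RoleClaimType, that mismatch is worth ruling out before looking elsewhere.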

