Hello, we're working on integrating our Kentico 11 portal site with a new AMS that uses Auth0. I found these two devnet articles about integrating Auth0 with Kentico:
https://devnet.kentico.com/articles/integrating-auth0-with-kentico
https://devnet.kentico.com/articles/integrating-custom-claims-based-authentication-with-kentico
However, the NuGet package mentioned in those articles has been removed due to a security vulnerability:
https://github.com/auth0/auth0-aspnet/blob/master/SECURITY-NOTICE.md
Using code borrowed from the Auth0 ASP.NET (OWIN) quickstart (they don’t have a web forms version) at https://auth0.com/docs/quickstart/webapp/aspnet-owin/01-login and a tutorial I found for integrating OWIN authentication with web forms, here's where I'm at so far:
To start, as a proof of concept just to make sure I could get an Auth0 integration working in the context of web forms, I set up a standalone website project with domain https://dev.rhythm.kellenams.com/owintest. I configured the test application in our Auth0 tenant and modified the website project using these steps:
- Installed the following NuGet packages:
    Microsoft.Owin.Security.OpenIdConnect
    Microsoft.Owin.Security.Cookies
    Microsoft.Owin.Host.SystemWeb
- Added the following keys to the web.config (the first four are populated with real values, just removed here for security):
    <add key="auth0:Domain" value="xxxx" />
    <add key="auth0:ClientId" value="xxxx" />
    <add key="auth0:ClientSecret" value="xxxx" />
    <add key="auth0:Audience" value="xxxx" />
    <add key="auth0:RedirectUri" value="https://dev.rhythm.kellenams.com/owintest/callback" />
    <add key="auth0:PostLogoutRedirectUri" value="https://dev.rhythm.kellenams.com/owintest" />
- Added Startup.Auth.cs and Startup.cs files in the /App_Code folder
- Set up a test .aspx page with the following in the code behind (claimstest.aspx is another test page that outputs the claims info returned from Auth0 after logging in):
    HttpContext.Current.GetOwinContext().Authentication.Challenge(new AuthenticationProperties
    {
        RedirectUri = "/owinTest/Rhythm/claimstest.aspx"
    },
    "Auth0");
That all worked as expected: when I went to my test page, I was redirected to the Auth0 login form; after logging in, I was passed back to claimstest.aspx, and the correct claims info was displayed for the logged in user.
Next I took all those same steps with one of our Kentico 11 dev sites, http://kentico.ahia.kellenams.com. I know the documentation talks about how to create a custom module class to handle security events, but at first I was just trying to test in the context of a test page rather than hook into the general authentication events. The main issue seems to be with the callback function specified in this web.config value:
<add key="auth0:RedirectUri" value="http://kentico.ahia.kellenams.com/callback" />
As far as I understand, this callback is built into the OWIN middleware and handles the exchange of the access token for the JWT and extracts the claims info. At first I was having trouble getting the site to recognize the callback at all and was getting a 404 error, but I was able to solve that by adding the url to the list of exclusions under Settings > URLs and SEO > URL format > Excluded URLs. Now when I load my test page, it correctly redirects to the Auth0 login page initially, but after I log in and am passed back to http://kentico.ahia.kellenams.com/callback, I get this error:
Object reference not set to an instance of an object.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[NullReferenceException: Object reference not set to an instance of an object.]
CMS.Base.StringExtensions.StartsWithCSafe(String value, String str, Boolean ignoreCase) +161
CMS.Helpers.URLHelper.CheckPrefixes(String& path, String[] prefixes, Boolean removePrefix) +56
CMS.Membership.AuthenticationHelper.IsAuthenticationRedirect() +267
CMS.Membership.MembershipHandlers.HandleAuthenticationRedirect(Object sender, EventArgs e) +9
CMS.Base.AbstractHandler.CallEventHandler(EventHandler`1 h, TArgs e) +114
CMS.Base.AbstractHandler.Raise(String partName, List`1 list, TArgs e, Boolean important) +962
CMS.Base.SimpleHandler`2.RaiseExecute(TArgs e) +144
CMS.Base.SimpleHandler`2.StartEvent(TArgs e) +235
CMS.Base.ApplicationModule.EndRequest(Object sender, EventArgs e) +41
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +141
System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +74
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +92
After that, I set up a custom module class as outlined in https://docs.xperience.io/k11/custom-development/handling-global-events/handling-custom-external-authentication, but that didn’t make a difference – I don’t think those events are being hit yet in my test flow.
I also tried setting up a custom handler and setting the auth0:RedirectUri variable in the web config to that instead, and it did hit that handler url, but produced the same error message. If I navigate to the custom handler directly, it executes properly (all it does for now is redirect to the homepage as a test), so it seems to be something about the way it’s being called during the handoff between Auth0 and the site.
Does anyone have any suggestions about what might be happening during the callback, or anything else I might have configured incorrectly? Has anyone else successfully gotten an Auth0 integration working with a portal site?
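For readers following the same steps, here is an added example (editor's code, not from the original post, Auth0's quickstart or Kentico) of what the Startup.cs and Startup.Auth.cs files in /App_Code can look like when wired to the web.config keys listed above. It merges the two files into one class for readability and assumes Microsoft.Owin.Security.OpenIdConnect 4.x, whose message types live in the Microsoft.IdentityModel.Protocols.OpenIdConnect namespace (older 3.x builds use different namespaces). The /callback URL never has to exist as a page: the OpenID Connect middleware intercepts the request whose path matches auth0:RedirectUri, validates the state and nonce it issued on the outbound redirect, checks the id_token signature and issuer, exchanges the code for tokens using the client secret, and only then issues the cookie. The login-failure page name and the choice of hybrid flow are assumptions for this example.

```csharp
using System;
using System.Configuration;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(Startup))]

// Startup.cs and Startup.Auth.cs merged into one class (example code, not the post's files).
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        ConfigureAuth(app);
    }

    public void ConfigureAuth(IAppBuilder app)
    {
        // Same appSettings keys as the web.config in the post. Keep the client secret in a
        // protected configuration section or environment variable rather than plaintext.
        string domain        = ConfigurationManager.AppSettings["auth0:Domain"];
        string clientId      = ConfigurationManager.AppSettings["auth0:ClientId"];
        string clientSecret  = ConfigurationManager.AppSettings["auth0:ClientSecret"];
        string audience      = ConfigurationManager.AppSettings["auth0:Audience"];
        string redirectUri   = ConfigurationManager.AppSettings["auth0:RedirectUri"];
        string postLogoutUri = ConfigurationManager.AppSettings["auth0:PostLogoutRedirectUri"];

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            CookieHttpOnly = true,
            // Always on a TLS site. The http:// dev site in the post would need SameAsRequest
            // until it is served over https, otherwise the browser never stores the cookie.
            CookieSecure = CookieSecureOption.Always
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            // Must match the scheme name passed to Challenge(..., "Auth0") in the test page.
            AuthenticationType = "Auth0",
            Authority = "https://" + domain,
            ClientId = clientId,
            ClientSecret = clientSecret,
            RedirectUri = redirectUri,            // the /callback URL the middleware intercepts
            PostLogoutRedirectUri = postLogoutUri,
            Scope = "openid profile email",
            // Hybrid flow (assumption): id_token in the front channel, code exchanged for
            // tokens in the back channel with the client secret.
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                // Pin the issuer so an id_token minted by another tenant is rejected.
                ValidateIssuer = true,
                ValidIssuer = "https://" + domain + "/"
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = n =>
                {
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
                    {
                        // Request an access token scoped to the API named in auth0:Audience.
                        if (!string.IsNullOrEmpty(audience))
                            n.ProtocolMessage.SetParameter("audience", audience);
                    }
                    else if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
                    {
                        // Auth0 publishes no end_session_endpoint, so build /v2/logout by hand
                        // to end the Auth0 session as well as the local cookie.
                        string logoutUri = "https://" + domain + "/v2/logout?client_id=" + clientId;
                        string returnTo = n.ProtocolMessage.PostLogoutRedirectUri;
                        if (!string.IsNullOrEmpty(returnTo))
                        {
                            if (returnTo.StartsWith("/"))
                            {
                                IOwinRequest req = n.Request;
                                returnTo = req.Scheme + "://" + req.Host + req.PathBase + returnTo;
                            }
                            logoutUri += "&returnTo=" + Uri.EscapeDataString(returnTo);
                        }
                        n.Response.Redirect(logoutUri);
                        n.HandleResponse();
                    }
                    return Task.FromResult(0);
                },
                AuthenticationFailed = n =>
                {
                    // Bad state/nonce, signature or issuer: log server-side and show a generic
                    // page instead of letting the exception surface on /callback.
                    Trace.TraceError("Auth0 sign-in failed: {0}", n.Exception);
                    n.HandleResponse();
                    n.Response.Redirect("/owintest/loginfailed.aspx"); // assumed page name
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

With this in place the Challenge call from the test page redirects to Auth0, and the return trip to auth0:RedirectUri is consumed entirely by the middleware before any page handler runs, which is why the callback path has to be reachable by the OWIN pipeline rather than by a physical file.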