Dev guideUser Guide
HomeDev guideAPI ReferenceGraphQL
Dev guideUser GuideGitHubNuGetDev CommunitySubmit a ticketLog In
GitHubNuGetDev CommunitySubmit a ticket

SaaS CMS Core + OpenID

How to use SaaS CMS Core and OpenID.

Suggest Edits

Prerequisites

You must have the following to use SaaS CMS Core and OpenID:

  • Optimizely CMS Saas.
  • Azure AD.
  • Postman.

Create Azure AD app and map users roles

  1. Register an app:

    1. From the Azure portal https://portal.azure.com > Microsoft Entra ID > App Registration > New Registration
      • Redirect URI – Frontend app URL (In this example, Postman app is used so the redirect URL is https://oauth.pstmn.io/v1/callback

  2. Map CMS roles to registered application roles:

    1. Check the CMS Dashboard > Settings > Set Access Rights.

    2. From the above figure, create Administrators, Content Admins, Content Editor, Everyone for registered application. From the registered application, App roles > Create app role.

  3. Expose scope role from registered app, Expose an API.

    1. Add a scope:
      • name – Roles
      • Who can consent? – Admins and users
      • State – Enabled
    2. Add a client application:
      • Client ID – Your application client ID, check Overview.
      • Authorized Scopes – Check scope roles.

  4. Assign roles to users.

    1. From Overview > Managed application in local directory. Click on the link, it opens Enterprise Application.

    2. Enterprise Application > Users and groups > Add user/group.

      • Users – Add authorized users.
      • Select a role – A specific role for authorized user (created roles from the previous steps).

Try it out using Postman

Update OIDC config

  1. Import https://cg.optimizely.com/app/swagger/swagger.json to a Postman collection .
  2. Set up the variable for the collection. It includes:
    • baseUrlhttps://cg.optimizely.com
    • appKey – Your AppKey.
    • appSecret – Your AppSecret.

  1. Set up the Authorization method, for simplicity, it should be Basic Auth, and put your appKey and appSecret as Username and Password.

  1. Update OIDC configs, for EPiServer OpenIdConnect, they are:
    • audience – {{your_app_clientId}}
      • For example, 96cb152e-0316-4158-93f0-a9cdd98b28e7 (check Overview section of the registered application).
    • issuer – {{azure ad endpoint}}
      • For example,https://sts.windows.net/{tenant_id}/ (check Overview section of the registered application).

📘

Note

You can get these two values from ID Token.

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsImtpZCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSJ9.eyJhdWQiOiI5NmNiMTUyZS0wMzE2LTQxNTgtOTNmMC1hOWNkZDk4YjI2ZTciLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83YzRhMWI3OS00YjhlLTRhYzctYjdlMS1jNWMzYzVhNGMxMzkvIiwiaWF0IjoxNzAzNTg0MjYzLCJuYmYiOjE3MDM1ODQyNjMsImV4cCI6MTcwMzU4ODE2MywiYWlvIjoiQVpRQWEvOFZBQUFBckViYy82K1NySGhReW1zc2kwSHpvcXBMMUpHbXNWOEhXUnN0bEU4YU9CcEJHa2FhZEJuMnorbS9vc1FTTlREcTlDc0tOYWVuelFHdDNDMzlTQVlyei9HODZhRW1EdFpQRlFlS2M0SEQrb2lKK1ZFMUl4amJyMGx1M014ZG5YY043VGt0aTFXanpUeFFGVWx5Z1hsS2FXOGoxM0d3Zng3TVJWelhiYWJqUHdNS0Z3bnJMbXNLRXhueko1clNHVkEyIiwiYW1yIjpbInB3ZCIsIm1mYSJdLCJlbWFpbCI6IlF1YW5nLlRyYW5AZXBpc2VydmVyLmNvbSIsImZhbWlseV9uYW1lIjoiVHJhbiIsImdpdmVuX25hbWUiOiJNYW5oIFF1YW5nIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvM2VjMDBkNzktMDIxYS00MmQ0LWFhYzgtZGNiMzU5NzNkZmYyLyIsImlwYWRkciI6IjEwMy4zNy4yOS4xMDYiLCJuYW1lIjoiUXVhbmcgVHJhbiIsIm9pZCI6IjRhMWM2YTY4LTIyYjctNDViMS05MjZiLThmMzk2MjhhMzc0NCIsInJoIjoiMC5BVEFBZVJ0S2ZJNUx4MHEzNGNYRHhhVEJPUzRWeTVZV0ExaEJrX0NwemRtTEp1Y3dBSTguIiwicm9sZXMiOlsiRXZlcnlvbmUiLCJDb250ZW50LkVkaXRvcnMiLCJDb250ZW50LkFkbWlucyIsIkFkbWluaXN0cmF0b3JzIl0sInN1YiI6IjQ0WnhYRFl5cFZuaFhXM3VfXzFJeW9aUWduR2J6ZllQRWVFTGotQnpnUVUiLCJ0aWQiOiI3YzRhMWI3OS00YjhlLTRhYzctYjdlMS1jNWMzYzVhNGMxMzkiLCJ1bmlxdWVfbmFtZSI6InF1YW5nLnRyYW5AZXBpc2VydmVyLmNvbSIsInV0aSI6IkhPd25WTEc0cFU2eTRwQ3dJX1lQQVEiLCJ2ZXIiOiIxLjAifQ.VW-r7eqBTqLV3WvT0eXhYrvYHVyrjKH2DZqoXitsg3W-lvl9rZnhn9aR6xmaa6gR0tVoJXsuXb0xbbFItxWfVzb7iuZ6aDAdk5qAl7pSnQUy7OOsz7D_un6dE1VUOhvA1W-Qw0xk_i_d4d35ByW39XquLTsmeiUk8T8I-2D7DIO9GP9JZbMnTrPg7sRrCW2Bv9QgSY7iPUko1mjnHx4MqLXzMgtSGrK1KH2YDfGFU1U9um8Xf1TjR7Ql2XU0LVvvLNB5zX2NqLkxy3bHr3NkAoCaOT3rfKTPUxzLfnOyLeQ2P-W42ZnqiJ7HxR_wsO98FfaIdPPT2qUfnFCF_lQ1XA

{
  aud 96cb152e-0316-4158-93f0-a9cdd98b26e7
  iss https://sts.windows.net/7c4a1b79-4b8e-4ac7-b7e1-c5c3c5a4c139/
  iat 1703584263
  nbf 1703584263
  exp 1703588163
  aio AZQAa/8VAAAArEbc/6+SrHhQymssi0HzoqpL1JGmsV8HWRstlE8aOBpBGkaadBn2z+m/osQSNTDq9CsKNaenzQGt3C39SAYrz/G86aEmDtZPFQeKc4HD+oiJ+VE1Ixjbr0lu3MxdnXcN7Tkti1WjzTxQFUlygXlKaW8j13Gwfx7MRVzXbabjPwMKFwnrLmsKExnzJ5rSGVA2
  amr
     pwd
     mfa
  email [email protected]
  family_name Tran
  given_name Manh Quang
  idp https://sts.windows.net/3ec00d79-021a-42d4-aac8-dcb35973dff2/
  ipaddr 103.37.29.106
  name Quang Tran
  oid 4a1c6a68-22b7-45b1-926b-8f39628a3744
  rh 0.ATAAeRtKfI5Lx0q34cXDxaTBOS4Vy5YWA1hBk_CpzdmLJucwAI8.
  roles
     Everyone
     Content.Editors
     Content.Admins
     Administrators
  sub 44ZxXDYypVnhXW3u__1IyoZQgnGbzfYPEeELj-BzgQU
  tid 7c4a1b79-4b8e-4ac7-b7e1-c5c3c5a4c139
  unique_name [email protected]
  uti HOwnVLG4pU6y4pCwI_YPAQ
  ver 1.0
}

Generate access token

  1. In Postman, open a new tab and select Authorization > Type OAuth 2.0.

  2. Configure New Token.

    • Grant type – Authorization code.
    • Callback URLhttps://oauth.pstmn.io/v1/callback
    • Authorized using browser – Select it.
    • Auth URLhttps://login.windows.net/{tenant_id}/oauth2/authorize
    • Access Token URLhttps://login.windows.net/{tenant_id}/oauth2/token
    • Client ID – Generated Azure app client ID.
    • Client Secret – Generated Azure app client secret.

  3. Click on Get New Access Token.

Send GraphQL query with access token

Start query restricted content items with headers: cg-username, cg-roles, cg-tenant-id and the access_token.

curl --location 'https://cg.optimizely.com/content/v2' \
--header 'cg-tenant-id: 0375753b0b5d43e99934d029b20e3767e' \
--header 'cg-roles: administators' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsImtpZCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSJ9.eyJhdWQiOiI5NmNiMTUyZS0wMzE2LTQxNTgtOTNmMC1hOWNkZDk4YjI2ZTciLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83YzRhMWI3OS00YjhlLTRhYzctYjdlMS1jNWMzYzVhNGMxMzkvIiwiaWF0IjoxNzAzNTg2MDMwLCJuYmYiOjE3MDM1ODYwMzAsImV4cCI6MTcwMzU4OTkzMCwiYWlvIjoiQVpRQWEvOFZBQUFBL3lLMHdRd05kSFFrQjhjdmp2Qkl1dDAwQzF6Snl5elNJaTQ1Nlk5ZmZVWnQ4ZlRhTy9Qd0YwUlIwbjBYL0FXSGV1Y1JaVXhDc25YZUg1RkhFOFhkQUhNWm1JNmJpMFJzTEFwU3hJcytmNGp1a3dXL3B6ZUluNktXbEN3UFR0YlBJRUN6YTJNVEFRWWZVREZaTWRReEN6dWtRTGwrZDZ0STZFV29IS041UHhsL2JGOE9QSzc4V3lrUnBIbEVPU1d1IiwiYW1yIjpbInB3ZCIsIm1mYSJdLCJlbWFpbCI6IlF1YW5nLlRyYW5AZXBpc2VydmVyLmNvbSIsImZhbWlseV9uYW1lIjoiVHJhbiIsImdpdmVuX25hbWUiOiJNYW5oIFF1YW5nIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvM2VjMDBkNzktMDIxYS00MmQ0LWFhYzgtZGNiMzU5NzNkZmYyLyIsImlwYWRkciI6IjEwMy4zNy4yOS4xMDYiLCJuYW1lIjoiUXVhbmcgVHJhbiIsIm9pZCI6IjRhMWM2YTY4LTIyYjctNDViMS05MjZiLThmMzk2MjhhMzc0NCIsInJoIjoiMC5BVEFBZVJ0S2ZJNUx4MHEzNGNYRHhhVEJPUzRWeTVZV0ExaEJrX0NwemRtTEp1Y3dBSTguIiwicm9sZXMiOlsiRXZlcnlvbmUiLCJDb250ZW50LkVkaXRvcnMiLCJDb250ZW50LkFkbWlucyIsIkFkbWluaXN0cmF0b3JzIl0sInN1YiI6IjQ0WnhYRFl5cFZuaFhXM3VfXzFJeW9aUWduR2J6ZllQRWVFTGotQnpnUVUiLCJ0aWQiOiI3YzRhMWI3OS00YjhlLTRhYzctYjdlMS1jNWMzYzVhNGMxMzkiLCJ1bmlxdWVfbmFtZSI6InF1YW5nLnRyYW5AZXBpc2VydmVyLmNvbSIsInV0aSI6IkN4Z1JIMk1wOWtLd2YxUVRqQzVfQVEiLCJ2ZXIiOiIxLjAifQ.u_qpkNvXRzkYy0yrVvbXLOetWVpAOyjKLTe1I_eKo72r2JtpidaQCnHRQejQuC3WYOBIbJGRPcmtw5HvDdCobhg6WJNNux4SIDufG2AxD1cq_d-ThEtPaYR0ZbUQEYeW83HYUYLqyl4wEkOVgZdCv3vBuuABGAlQIxu8_VjCR89k-pawKic7hykhy4Flp7Bx2rz6LyBKYPwY8eb9kDWtXIqGT3Pp38BBQp2VFkV4Lm71lCgYJMCOA_3b3LHjVknwtvnqL785yY5wCKNhe-yC_kTbWuOGYGaw67V6J-goJ4RYZOGRgr5kMalmNJB5USeWPkEboV8oAeIlVgDghd9ypw' \
--data '{"query":"query MyQuery {\n  ArtistDetailsPage {\n    items {\n      ArtistName\n      ArtistGenre\n      ArtistIsHeadliner\n      Ancestors\n      ArtistDescription\n      ArtistPhoto\n      Status\n    }\n  }\n}","variables":{}}'

Updated about 1 month ago