Configure a non-interactive client login

Abstract

How to configure Sitecore to accept a non-interactive client login using a client credential flow.

To enable non-interactive client logins using the client credential flow with your Sitecore instance, you must add configuration to both your Identity Server and Content Management instances.

To configure a non-interactive client login:

  1. On the Sitecore Identity Server role, in the Config/ folder, create a file named Sitecore.IdentityServer.DevEx.xml containing the following:

    <?xml version="1.0" encoding="utf-8"?>
    <Settings>
      <Sitecore>
        <IdentityServer>
          <Clients>
            <!-- used to authenticate servers with client id and client secret -->
            <CliServerClient>
                <ClientId>SitecoreCLIServer</ClientId>
                <ClientName>SitecoreCLIServer</ClientName>
                <AccessTokenType>0</AccessTokenType>
                <AccessTokenLifetimeInSeconds>3600</AccessTokenLifetimeInSeconds>
                <IdentityTokenLifetimeInSeconds>3600</IdentityTokenLifetimeInSeconds>
                <RequireClientSecret>true</RequireClientSecret>
                <AllowOfflineAccess>false</AllowOfflineAccess>
                <AllowedGrantTypes>
                    <!--
                        client_credentials authenticates with client ID and client secret
                        which is good for CI, tools, etc. However, it's not tied to a USER,
                        it's tied to a client ID.
                    -->
                    <AllowedGrantType1>client_credentials</AllowedGrantType1>
                </AllowedGrantTypes>
                <ClientSecrets>
                    <!--<ClientSecret1>SUPERLONGSECRETHERE</ClientSecret1>-->
                </ClientSecrets>
                <AllowedScopes>
                    <!-- this is required even if not a 'user' for Sitecore to like us -->
                    <AllowedScope1>sitecore.profile.api</AllowedScope1>
                </AllowedScopes>
            </CliServerClient>
          </Clients>
        </IdentityServer>
      </Sitecore>
    </Settings>
    
  2. Name the <CliServerClient> element anything that you like.

    Note

    You can make unlimited client configurations under the <Clients> element as long as they are uniquely named.

  3. In the <ClientId> element, type the unique ID of your client.

  4. In the <ClientSecrets> element, create a <ClientSecret1> element containing the secret of your client.

  5. Save the Sitecore.IdentityServer.DevEx.xml file.

  6. On the Sitecore Content Management role, in the App_Config/Include/ folder, create a file named Sitecore.Owin.Authentication.ClientCredentialsMapping.config containing the following:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/" xmlns:set="http://www.sitecore.net/xmlconfig/set/">
      <sitecore role:require="Standalone or ContentDelivery or ContentManagement">
        <federatedAuthentication>
          <identityProviders>
            <identityProvider id="SitecoreIdentityServer" type="Sitecore.Owin.Authentication.IdentityServer.IdentityServerProvider, Sitecore.Owin.Authentication.IdentityServer" resolve="true">
              <transformations hint="list:AddTransformation">
                <transformation name="admin-ify client credentials users" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
                  <sources hint="raw:AddSource">
                    <claim name="client_id" value="SitecoreCLIServer" />
                  </sources>
                  <targets hint="raw:AddTarget">
                    <claim name="name" value="sitecore\superuser" />
                    <claim name="http://www.sitecore.net/identity/claims/isAdmin" value="true" />
                  </targets>
                  <keepSource>true</keepSource>
                </transformation>
              </transformations>
              
            </identityProvider>
          </identityProviders>
        </federatedAuthentication>
      </sitecore>
    </configuration>

  7. In the <claim name="client_id"> element, in the value attribute, type the unique ID of your client.

  8. Save the Sitecore.Owin.Authentication.ClientCredentialsMapping.config file.

  9. Restart the Sitecore Identity Server and the Content Management roles.

  10. Validate your configuration by performing the client login procedure described in the CLI authentication and authorization documentation.
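
Before restarting the roles, the two files can be checked against each other. The following Python check is an added example, not part of the Sitecore documentation: it reports a missing, placeholder or short client secret, a client_id in the mapping that matches no configured client, and any client whose token is mapped to the isAdmin claim. The function name `audit`, the 32-character minimum and the shortened sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

IS_ADMIN = "http://www.sitecore.net/identity/claims/isAdmin"
PLACEHOLDER = "SUPERLONGSECRETHERE"  # template value from the page's config
MIN_SECRET_LEN = 32                  # assumption: local policy, not a Sitecore rule

def audit(identity_xml, mapping_xml):
    """Return sorted (client_id, issue) findings for the two config files."""
    findings, known = set(), set()
    for client in ET.fromstring(identity_xml).iterfind(".//Clients/*"):
        cid = (client.findtext("ClientId") or "").strip()
        known.add(cid)
        # The parser drops XML comments, so a commented-out secret counts as absent.
        secrets = [s.text.strip() for s in client.iterfind("ClientSecrets/*") if (s.text or "").strip()]
        if not secrets:
            findings.add((cid, "no client secret set"))
        if any(s == PLACEHOLDER or len(s) < MIN_SECRET_LEN for s in secrets):
            findings.add((cid, "placeholder or short client secret"))
        if (client.findtext("RequireClientSecret") or "").strip().lower() != "true":
            findings.add((cid, "RequireClientSecret is not true"))
    for tr in ET.fromstring(mapping_xml).iterfind(".//transformation"):
        admin = any(c.get("name") == IS_ADMIN and c.get("value", "").lower() == "true"
                    for c in tr.iterfind("targets/claim"))
        for src in tr.iterfind("sources/claim[@name='client_id']"):
            cid = src.get("value", "")
            if cid not in known:
                findings.add((cid, "mapping names a client_id Identity Server does not define"))
            elif admin:
                findings.add((cid, "holder of this secret becomes a Sitecore administrator"))
    return sorted(findings)

# Constructed sample input, shortened from the two files on this page.
IDENTITY = """<Settings><Sitecore><IdentityServer><Clients>
  <CliServerClient>
    <ClientId>SitecoreCLIServer</ClientId>
    <RequireClientSecret>true</RequireClientSecret>
    <ClientSecrets><!--<ClientSecret1>SUPERLONGSECRETHERE</ClientSecret1>--></ClientSecrets>
  </CliServerClient>
</Clients></IdentityServer></Sitecore></Settings>"""
MAPPING = """<configuration><sitecore><federatedAuthentication><identityProviders>
  <identityProvider id="SitecoreIdentityServer"><transformations><transformation name="t">
    <sources><claim name="client_id" value="SitecoreCLIServer" /></sources>
    <targets><claim name="http://www.sitecore.net/identity/claims/isAdmin" value="true" /></targets>
  </transformation></transformations></identityProvider>
</identityProviders></federatedAuthentication></sitecore></configuration>"""

if __name__ == "__main__":
    for cid, issue in audit(IDENTITY, MAPPING):
        print(f"{cid}: {issue}")
```

To check real files, pass their contents as the two arguments; the admin finding is expected for the mapping shown in step 6 and is a reminder that the client secret carries sitecore\superuser rights.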