Configure a non-interactive client login

To enable non-interactive client logins using the OAuth 2.0 client credentials flow with your Sitecore XM or XP instance, you must add configuration to both your Sitecore Identity Server and your Content Management instances: the Identity Server must know the client (ID, secret, grant type and scope), and the Content Management instance must map that client's client_id claim to a Sitecore user.

Note

This procedure is not valid for an Experience Manager (XM) Cloud instance. To run login commands non-interactively against an XM Cloud instance, you must create an authentication/automation client in the XM Cloud Deploy app and use its client credentials with the dotnet sitecore cloud login command.

To configure a non-interactive client login:

  1. On the Sitecore Identity Server, in the Config/ folder, create a file named Sitecore.IdentityServer.DevEx.xml containing the following:

    <?xml version="1.0" encoding="utf-8"?>
    <Settings>
      <Sitecore>
        <IdentityServer>
          <Clients>
            <!-- used to authenticate servers with client id and client secret -->
            <CliServerClient>
                <ClientId>SitecoreCLIServer</ClientId>
                <ClientName>SitecoreCLIServer</ClientName>
                <AccessTokenType>0</AccessTokenType>
                <AccessTokenLifetimeInSeconds>3600</AccessTokenLifetimeInSeconds>
                <IdentityTokenLifetimeInSeconds>3600</IdentityTokenLifetimeInSeconds>
                <RequireClientSecret>true</RequireClientSecret>
                <AllowOfflineAccess>false</AllowOfflineAccess>
                <AllowedGrantTypes>
                    <!--
                        client_credentials authenticates with client ID and client secret
                        which is good for CI, tools, etc. However, it's not tied to a USER,
                        it's tied to a client ID.
                    -->
                    <AllowedGrantType1>client_credentials</AllowedGrantType1>
                </AllowedGrantTypes>
                <ClientSecrets>
                    <!--<ClientSecret1>SUPERLONGSECRETHERE</ClientSecret1>-->
                </ClientSecrets>
                <AllowedScopes>
                    <!-- this is required even if not a 'user' for Sitecore to like us -->
                    <AllowedScope1>sitecore.profile.api</AllowedScope1>
                </AllowedScopes>
            </CliServerClient>
          </Clients>
        </IdentityServer>
      </Sitecore>
    </Settings>
  2. In the <ClientName> element, give the client a suggestive name that helps you identify the purpose of the client, for example SitecoreCLIServerNotAdmin.

    Note

    You can create as many client configurations under the <Clients> element as you need, as long as each has a unique name.

  3. In the <ClientId> element, enter the unique ID of your client.

  4. In the <ClientSecrets> element, replace the commented-out example with a <ClientSecret1> element containing the secret of your client. Generate the secret with a cryptographically strong random source and keep it out of source control: anyone who holds it can log in as this client.

    Note

    The maximum supported length for a client secret is 100 characters.

  5. Save the Sitecore.IdentityServer.DevEx.xml file.

  6. On the Sitecore Content Management server, in the App_Config/Include/ folder, create a file named Sitecore.Owin.Authentication.ClientCredentialsMapping.config containing the following:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/" xmlns:set="http://www.sitecore.net/xmlconfig/set/">
      <sitecore role:require="Standalone or ContentDelivery or ContentManagement">
        <federatedAuthentication>
          <identityProviders>
            <identityProvider id="SitecoreIdentityServer" type="Sitecore.Owin.Authentication.IdentityServer.IdentityServerProvider, Sitecore.Owin.Authentication.IdentityServer" resolve="true">
              <transformations hint="list:AddTransformation">
                <transformation name="admin-ify client credentials users" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
                  <sources hint="raw:AddSource">
                    <claim name="client_id" value="SitecoreCLIServer" />
                  </sources>
                  <targets hint="raw:AddTarget">
                    <claim name="name" value="sitecore\superuser" />
                    <claim name="http://www.sitecore.net/identity/claims/isAdmin" value="true" />
                  </targets>
                  <keepSource>true</keepSource>
                </transformation>
              </transformations>
              
            </identityProvider>
          </identityProviders>
        </federatedAuthentication>
      </sitecore>
    </configuration>
  7. In the <claim name="client_id"> element, in the value attribute, enter the unique ID of your client. The value must match the <ClientId> you configured on the Identity Server, otherwise the transformation never fires and the login fails. Note that this transformation maps the client to the sitecore\superuser user and sets the isAdmin claim to true, so whoever holds the client secret has administrator rights on the Content Management instance. If the client does not need administrator rights, do not add the isAdmin target claim.

  8. Check the SQL Membership provider in the web.config file of the Content Management server. If the requiresUniqueEmail attribute is set to true, add an email-address claim to the <targets> element in the Sitecore.Owin.Authentication.ClientCredentialsMapping.config file:

    <targets hint="raw:AddTarget">
        ...
        <claim name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="your@email.com" />
    </targets>
  9. Save the Sitecore.Owin.Authentication.ClientCredentialsMapping.config file.

  10. Restart the Sitecore Identity Server and the Content Management roles.

  11. Recycle the Sitecore Identity Server application pool.

  12. Validate your configuration by performing the client login procedure described in the CLI authentication and authorization documentation.
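
As an added check, not part of this documentation or of Sitecore's own code, the Python script below parses trimmed, constructed copies of the two files from steps 1 and 6 and reports the mistakes that most often break the client login: a client_id that differs between the Identity Server and Content Management files, a <ClientSecret1> left commented out or longer than 100 characters, and a missing client_credentials grant or sitecore.profile.api scope. It also warns when the mapping grants isAdmin. The token helper decodes a constructed, unsigned JWT to show which claim the Content Management transformation matches on; it performs no signature check and is for debugging configuration only.

```python
"""Consistency check for the Identity Server client and the CM claim mapping.

Added example, not Sitecore documentation or product code. The two XML strings
are constructed, trimmed copies of the files created in this procedure (the
identityProvider type attribute is omitted), and the JWT is a constructed sample.
"""
import base64
import json
import xml.etree.ElementTree as ET

IS_ADMIN_CLAIM = "http://www.sitecore.net/identity/claims/isAdmin"
MAX_SECRET_LEN = 100  # limit stated in the procedure

IDENTITY_SERVER_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Settings><Sitecore><IdentityServer><Clients>
  <CliServerClient>
    <ClientId>SitecoreCLIServer</ClientId>
    <ClientName>SitecoreCLIServer</ClientName>
    <RequireClientSecret>true</RequireClientSecret>
    <AllowedGrantTypes><AllowedGrantType1>client_credentials</AllowedGrantType1></AllowedGrantTypes>
    <ClientSecrets><ClientSecret1>constructed-sample-secret-do-not-use</ClientSecret1></ClientSecrets>
    <AllowedScopes><AllowedScope1>sitecore.profile.api</AllowedScope1></AllowedScopes>
  </CliServerClient>
</Clients></IdentityServer></Sitecore></Settings>"""

CM_MAPPING_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/">
  <sitecore role:require="Standalone or ContentDelivery or ContentManagement">
    <federatedAuthentication><identityProviders>
      <identityProvider id="SitecoreIdentityServer" resolve="true">
        <transformations hint="list:AddTransformation">
          <transformation name="admin-ify client credentials users">
            <sources hint="raw:AddSource"><claim name="client_id" value="SitecoreCLIServer" /></sources>
            <targets hint="raw:AddTarget">
              <claim name="name" value="sitecore\superuser" />
              <claim name="http://www.sitecore.net/identity/claims/isAdmin" value="true" />
            </targets>
            <keepSource>true</keepSource>
          </transformation>
        </transformations>
      </identityProvider>
    </identityProviders></federatedAuthentication>
  </sitecore>
</configuration>"""


def load_client(xml_text):
    """Return the first client under <Clients> as a dict of the fields the checks need."""
    clients = ET.fromstring(xml_text.encode("utf-8")).find("./Sitecore/IdentityServer/Clients")
    if clients is None or len(clients) == 0:
        raise ValueError("no client element under <Clients>")
    client = clients[0]

    def children_text(tag):
        parent = client.find(tag)
        # A commented-out <ClientSecret1> is dropped by the parser, so this yields [].
        return [e.text or "" for e in parent] if parent is not None else []

    return {
        "client_id": client.findtext("ClientId", ""),
        "require_secret": client.findtext("RequireClientSecret", "").lower() == "true",
        "secrets": children_text("ClientSecrets"),
        "grant_types": children_text("AllowedGrantTypes"),
        "scopes": children_text("AllowedScopes"),
    }


def load_mapping(config_text):
    """Return source and target claims of the first transformation on the Identity Server provider."""
    tf = ET.fromstring(config_text.encode("utf-8")).find(
        "./sitecore/federatedAuthentication/identityProviders/"
        "identityProvider[@id='SitecoreIdentityServer']/transformations/transformation")
    if tf is None:
        raise ValueError("no <transformation> on the SitecoreIdentityServer provider")
    return {
        "sources": {c.get("name"): c.get("value") for c in tf.findall("./sources/claim")},
        "targets": {c.get("name"): c.get("value") for c in tf.findall("./targets/claim")},
    }


def check(client, mapping):
    """Return (severity, message) findings; an empty list means the pair is consistent."""
    findings = []
    if not client["client_id"]:
        findings.append(("error", "<ClientId> is empty"))
    if mapping["sources"].get("client_id") != client["client_id"]:
        findings.append(("error", f"client_id {mapping['sources'].get('client_id')!r} in the CM mapping "
                                  f"does not match <ClientId> {client['client_id']!r}"))
    if "client_credentials" not in client["grant_types"]:
        findings.append(("error", "<AllowedGrantTypes> does not contain client_credentials"))
    if "sitecore.profile.api" not in client["scopes"]:
        findings.append(("error", "<AllowedScopes> does not contain sitecore.profile.api"))
    if client["require_secret"] and not any(client["secrets"]):
        findings.append(("error", "RequireClientSecret is true but no <ClientSecret1> is set"))
    for secret in client["secrets"]:
        if len(secret) > MAX_SECRET_LEN:
            findings.append(("error", f"client secret is {len(secret)} characters; maximum is {MAX_SECRET_LEN}"))
    if mapping["targets"].get(IS_ADMIN_CLAIM, "").lower() == "true":
        findings.append(("warning", "mapping grants isAdmin=true: treat the client secret as an admin credential"))
    return findings


def token_client_id(access_token):
    """Read the client_id claim the CM transformation matches from a JWT payload.
    Payload decode only, no signature check: for debugging configuration, never for authorization."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload)).get("client_id", "")


def sample_token(client_id):
    """Constructed unsigned JWT with the claims a client_credentials token carries; not a real token."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc({'client_id': client_id, 'scope': ['sitecore.profile.api']})}."


if __name__ == "__main__":
    client, mapping = load_client(IDENTITY_SERVER_XML), load_mapping(CM_MAPPING_CONFIG)
    for severity, message in check(client, mapping) or [("ok", "config pair is consistent")]:
        print(f"[{severity}] {message}")
    print("token client_id:", token_client_id(sample_token(client["client_id"])))
```

Point the two constants at the real files on your Identity Server and Content Management servers to run the same checks against a deployment; on the sample above the only finding is the isAdmin warning, which is expected for the configuration this procedure produces.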
