Configure a non-interactive client login
How to configure Sitecore to accept a non-interactive client login using a client credential flow.
To enable non-interactive client logins using client credential flows with your Sitecore instance, you must add additional configurations to your Identity Server and Content Management instances.
To configure a non-interactive client login:

1. On the Sitecore Identity Server, in the Config/ folder, create a file named Sitecore.IdentityServer.DevEx.xml containing the following:

       <?xml version="1.0" encoding="utf-8"?>
       <Settings>
         <Sitecore>
           <IdentityServer>
             <Clients>
               <!-- used to authenticate servers with client id and client secret -->
               <CliServerClient>
                 <ClientId>SitecoreCLIServer</ClientId>
                 <ClientName>SitecoreCLIServer</ClientName>
                 <AccessTokenType>0</AccessTokenType>
                 <AccessTokenLifetimeInSeconds>3600</AccessTokenLifetimeInSeconds>
                 <IdentityTokenLifetimeInSeconds>3600</IdentityTokenLifetimeInSeconds>
                 <RequireClientSecret>true</RequireClientSecret>
                 <AllowOfflineAccess>false</AllowOfflineAccess>
                 <AllowedGrantTypes>
                   <!-- client_credentials authenticates with client ID and client secret, which is good for CI, tools, etc.
                        However, it's not tied to a USER, it's tied to a client ID. -->
                   <AllowedGrantType1>client_credentials</AllowedGrantType1>
                 </AllowedGrantTypes>
                 <ClientSecrets>
                   <!--<ClientSecret1>SUPERLONGSECRETHERE</ClientSecret1>-->
                 </ClientSecrets>
                 <AllowedScopes>
                   <!-- this is required even if not a 'user' for Sitecore to like us -->
                   <AllowedScope1>sitecore.profile.api</AllowedScope1>
                 </AllowedScopes>
               </CliServerClient>
             </Clients>
           </IdentityServer>
         </Sitecore>
       </Settings>

   - You can name the <CliServerClient> element anything you like.
     Note: You can add any number of client configurations under the <Clients> element, as long as each one is uniquely named.
   - In the <ClientId> element, enter the unique ID of your client.
   - In the <ClientSecrets> element, create a <ClientSecret1> element containing the secret of your client.
     Note: The maximum supported length for a client secret is 100 characters.

2. Save the Sitecore.IdentityServer.DevEx.xml file.

3. On the Sitecore Content Management server, in the App_Config/Include/ folder, create a file named Sitecore.Owin.Authentication.ClientCredentialsMapping.config containing the following:

       <?xml version="1.0" encoding="utf-8"?>
       <configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/" xmlns:set="http://www.sitecore.net/xmlconfig/set/">
         <sitecore role:require="Standalone or ContentDelivery or ContentManagement">
           <federatedAuthentication>
             <identityProviders>
               <identityProvider id="SitecoreIdentityServer" type="Sitecore.Owin.Authentication.IdentityServer.IdentityServerProvider, Sitecore.Owin.Authentication.IdentityServer" resolve="true">
                 <transformations hint="list:AddTransformation">
                   <transformation name="admin-ify client credentials users" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
                     <sources hint="raw:AddSource">
                       <claim name="client_id" value="SitecoreCLIServer" />
                     </sources>
                     <targets hint="raw:AddTarget">
                       <claim name="name" value="sitecore\superuser" />
                       <claim name="http://www.sitecore.net/identity/claims/isAdmin" value="true" />
                     </targets>
                     <keepSource>true</keepSource>
                   </transformation>
                 </transformations>
               </identityProvider>
             </identityProviders>
           </federatedAuthentication>
         </sitecore>
       </configuration>

   - In the <claim name="client_id"> element, in the value attribute, enter the unique ID of your client. This transformation maps every token that carries this client_id claim to the sitecore\superuser account with the isAdmin claim set, so whoever holds the client secret obtains administrator access to the Content Management instance.
   - Check your SQL Membership provider in the web.config file. If the solution has the requiresUniqueEmail attribute set to true, add the following configuration line to the Sitecore.Owin.Authentication.ClientCredentialsMapping.config file:

         <targets hint="raw:AddTarget">
           ...
           <claim name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="your@email.com" />
         </targets>

4. Save the Sitecore.Owin.Authentication.ClientCredentialsMapping.config file.

5. Restart the Sitecore Identity Server and the Content Management roles.

6. Recycle the Sitecore Identity Server application pool.

7. Validate your configuration by performing the client login procedure described in the CLI authentication and authorization documentation.
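The two files above have to agree with each other before the login procedure can succeed: the <ClientId> on the Identity Server must equal the client_id claim value in the Content Management mapping, a <ClientSecret1> must actually be present (the template ships it commented out) and stay within the 100-character limit, and the client_credentials grant and sitecore.profile.api scope must be allowed. The following script is an added example, not part of the Sitecore documentation or product; it checks those points with the Python standard library. The embedded XML samples are constructed copies of the page's templates, trimmed to the elements the check reads, with a labelled placeholder where the real secret belongs.

```python
"""Consistency check for Sitecore.IdentityServer.DevEx.xml and the CM mapping config.

Added example, not part of the Sitecore documentation. Standard library only.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

MAX_SECRET_LENGTH = 100  # documented maximum supported client secret length
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample of Config/Sitecore.IdentityServer.DevEx.xml (secret is a placeholder).
DEVEX_XML = """<?xml version="1.0" encoding="utf-8"?>
<Settings><Sitecore><IdentityServer><Clients>
  <CliServerClient>
    <ClientId>SitecoreCLIServer</ClientId>
    <ClientName>SitecoreCLIServer</ClientName>
    <RequireClientSecret>true</RequireClientSecret>
    <AllowedGrantTypes><AllowedGrantType1>client_credentials</AllowedGrantType1></AllowedGrantTypes>
    <ClientSecrets><ClientSecret1>PLACEHOLDER-CLIENT-SECRET</ClientSecret1></ClientSecrets>
    <AllowedScopes><AllowedScope1>sitecore.profile.api</AllowedScope1></AllowedScopes>
  </CliServerClient>
</Clients></IdentityServer></Sitecore></Settings>"""

# Constructed sample of App_Config/Include/Sitecore.Owin.Authentication.ClientCredentialsMapping.config.
MAPPING_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:role="http://www.sitecore.net/xmlconfig/role/">
  <sitecore role:require="Standalone or ContentDelivery or ContentManagement">
    <federatedAuthentication><identityProviders>
      <identityProvider id="SitecoreIdentityServer">
        <transformations hint="list:AddTransformation">
          <transformation name="admin-ify client credentials users">
            <sources hint="raw:AddSource"><claim name="client_id" value="SitecoreCLIServer" /></sources>
            <targets hint="raw:AddTarget">
              <claim name="name" value="sitecore\superuser" />
              <claim name="http://www.sitecore.net/identity/claims/isAdmin" value="true" />
            </targets>
          </transformation>
        </transformations>
      </identityProvider>
    </identityProviders></federatedAuthentication>
  </sitecore>
</configuration>"""


def check_identity_server_client(devex_xml: str) -> Tuple[Optional[str], List[str]]:
    """Return (client_id, problems) for the first client defined under <Clients>."""
    problems: List[str] = []
    clients = ET.fromstring(devex_xml).find("./Sitecore/IdentityServer/Clients")
    if clients is None or len(clients) == 0:
        return None, ["no client element found under <Clients>"]
    client = clients[0]  # the client element name is free-form, so take the first one
    client_id = client.findtext("ClientId")
    if not client_id:
        problems.append(f"<{client.tag}> has no <ClientId>")
    if (client.findtext("RequireClientSecret") or "").strip().lower() != "true":
        problems.append("RequireClientSecret is not true")
    if "client_credentials" not in [g.text for g in client.findall("./AllowedGrantTypes/*")]:
        problems.append("client_credentials grant type is not allowed")
    if "sitecore.profile.api" not in [s.text for s in client.findall("./AllowedScopes/*")]:
        problems.append("sitecore.profile.api scope is not allowed")
    # ElementTree drops XML comments, so a secret left inside the template's comment is simply absent.
    secrets = [s.text or "" for s in client.findall("./ClientSecrets/*")]
    if not secrets:
        problems.append("no <ClientSecretN> element (still commented out?)")
    for secret in secrets:
        if not secret.strip():
            problems.append("empty client secret")
        elif len(secret) > MAX_SECRET_LENGTH:
            problems.append(f"client secret longer than {MAX_SECRET_LENGTH} characters")
    return client_id, problems


def check_mapping(mapping_xml: str, client_id: Optional[str], requires_unique_email: bool) -> List[str]:
    """Check that the CM transformation targets the client ID the Identity Server defines."""
    problems: List[str] = []
    transformations = ET.fromstring(mapping_xml).findall(".//transformations/transformation")
    if not transformations:
        return ["no <transformation> element found in the mapping config"]
    for t in transformations:
        source_ids = [c.get("value") for c in t.findall("./sources/claim") if c.get("name") == "client_id"]
        if client_id and client_id not in source_ids:
            problems.append(f"transformation {t.get('name')!r} maps client_id {source_ids} "
                            f"but Identity Server defines {client_id!r}")
        targets = {c.get("name") for c in t.findall("./targets/claim")}
        if requires_unique_email and EMAIL_CLAIM not in targets:
            problems.append("requiresUniqueEmail is true but no emailaddress claim is mapped")
    return problems


def check_configs(devex_xml: str, mapping_xml: str, requires_unique_email: bool = False) -> List[str]:
    """Run both checks; an empty list means the two files are consistent."""
    client_id, problems = check_identity_server_client(devex_xml)
    return problems + check_mapping(mapping_xml, client_id, requires_unique_email)


if __name__ == "__main__":
    for problem in check_configs(DEVEX_XML, MAPPING_XML) or ["configuration is consistent"]:
        print(problem)
```

Run it against the real files by reading them into `check_configs` (pass `requires_unique_email=True` when web.config sets that attribute). Because the mapping grants administrator rights to whatever presents the matching client ID and secret, the check treats a commented-out or empty secret and a client ID mismatch as hard failures rather than warnings.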