Configure a non-interactive client login
To enable non-interactive client logins using the client credentials flow with your Sitecore instance, you must add configuration to both your Identity Server and your Content Management instances.
To configure a non-interactive client login:
- On the Sitecore Identity Server, in the Config/ folder, create a file named Sitecore.IdentityServer.DevEx.xml containing the following:

  <?xml version="1.0" encoding="utf-8"?>
  <Settings>
    <Sitecore>
      <IdentityServer>
        <Clients>
          <!-- used to authenticate servers with client id and client secret -->
          <CliServerClient>
            <ClientId>SitecoreCLIServer</ClientId>
            <ClientName>SitecoreCLIServer</ClientName>
            <AccessTokenType>0</AccessTokenType>
            <AccessTokenLifetimeInSeconds>3600</AccessTokenLifetimeInSeconds>
            <IdentityTokenLifetimeInSeconds>3600</IdentityTokenLifetimeInSeconds>
            <RequireClientSecret>true</RequireClientSecret>
            <AllowOfflineAccess>false</AllowOfflineAccess>
            <AllowedGrantTypes>
              <!-- client_credentials authenticates with client ID and client secret, which is good for CI, tools, etc.
                   However, it is not tied to a USER, it is tied to a client ID. -->
              <AllowedGrantType1>client_credentials</AllowedGrantType1>
            </AllowedGrantTypes>
            <ClientSecrets>
              <!--<ClientSecret1>SUPERLONGSECRETHERE</ClientSecret1>-->
            </ClientSecrets>
            <AllowedScopes>
              <!-- this is required even if not a 'user' for Sitecore to like us -->
              <AllowedScope1>sitecore.profile.api</AllowedScope1>
            </AllowedScopes>
          </CliServerClient>
        </Clients>
      </IdentityServer>
    </Sitecore>
  </Settings>
- Name the <CliServerClient> element anything that you like.

  Note: You can add any number of client configurations under the <Clients> element, as long as each one is uniquely named.
- In the <ClientId> element, enter the unique ID of your client.
- In the <ClientSecrets> element, create a <ClientSecret1> element containing the secret of your client.

  Note: The maximum supported length for a client secret is 100 characters. The secret is stored in clear text in this file, so use a long random value and keep the file out of source control.
- Save the Sitecore.IdentityServer.DevEx.xml file.
- On the Sitecore Content Management server, in the App_Config/Include/ folder, create a file named Sitecore.Owin.Authentication.ClientCredentialsMapping.config containing the following:

  <?xml version="1.0" encoding="utf-8"?>
  <configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/" xmlns:set="http://www.sitecore.net/xmlconfig/set/">
    <sitecore role:require="ContentManagement">
      <federatedAuthentication>
        <identityProviders>
          <identityProvider id="SitecoreIdentityServer" type="Sitecore.Owin.Authentication.IdentityServer.IdentityServerProvider, Sitecore.Owin.Authentication.IdentityServer" resolve="true">
            <transformations hint="list:AddTransformation">
              <transformation name="admin-ify client credentials users" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
                <sources hint="raw:AddSource">
                  <claim name="client_id" value="SitecoreCLIServer" />
                </sources>
                <targets hint="raw:AddTarget">
                  <claim name="name" value="sitecore\superuser" />
                  <claim name="http://www.sitecore.net/identity/claims/isAdmin" value="true" />
                </targets>
                <keepSource>true</keepSource>
              </transformation>
            </transformations>
          </identityProvider>
        </identityProviders>
      </federatedAuthentication>
    </sitecore>
  </configuration>
- In the <claim name="client_id"> element, in the value attribute, enter the unique ID of your client. It must match the <ClientId> you configured on the Identity Server, otherwise the token is issued but never mapped to a Sitecore user.

  Note: This transformation maps the client to sitecore\superuser and sets the isAdmin claim, so any caller that presents this client ID and its secret acts as a Sitecore administrator. Treat the secret accordingly.
- Check your SQL Membership provider in the web.config file. If the solution has the requiresUniqueEmail attribute set to true, add the following claim to the <targets> element in the Sitecore.Owin.Authentication.ClientCredentialsMapping.config file (the address must be unique among users):

  <targets hint="raw:AddTarget">
    ...
    <claim name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="[email protected]" />
  </targets>
- Save the Sitecore.Owin.Authentication.ClientCredentialsMapping.config file.
- Restart the Sitecore Identity Server and the Content Management roles.
- Recycle the Sitecore Identity Server application pool.
- Validate your configuration by performing the client login procedure described in the CLI authentication and authorization documentation.
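Before restarting the roles, it is worth cross-checking the two files against each other, because the most common failures (a secret left commented out, a client_id in the mapping that does not match the ClientId on the Identity Server, a missing email claim when requiresUniqueEmail is on) produce no useful error at login time. The following pre-flight check is an added example and not Sitecore's own tooling; it parses the Identity Server client definition, the Content Management claim mapping and the membership provider from web.config, and reports findings. The three XML samples embedded below are constructed for the example; in use you would read the real files from Config/ and App_Config/Include/.

```python
"""Consistency check for a Sitecore client_credentials client configuration.

Added example, not Sitecore tooling. The three XML samples are constructed
and trimmed to the elements the check reads; element and claim names follow
the procedure on this page.
"""
import xml.etree.ElementTree as ET

MAX_SECRET_LEN = 100  # limit stated in the procedure
REQUIRED_SCOPE = "sitecore.profile.api"
ADMIN_CLAIM = "http://www.sitecore.net/identity/claims/isAdmin"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample of Sitecore.IdentityServer.DevEx.xml
IDSERVER_XML = """<Settings><Sitecore><IdentityServer><Clients>
  <CliServerClient>
    <ClientId>SitecoreCLIServer</ClientId>
    <RequireClientSecret>true</RequireClientSecret>
    <AllowOfflineAccess>false</AllowOfflineAccess>
    <AllowedGrantTypes><AllowedGrantType1>client_credentials</AllowedGrantType1></AllowedGrantTypes>
    <ClientSecrets><ClientSecret1>constructed-secret-for-the-example</ClientSecret1></ClientSecrets>
    <AllowedScopes><AllowedScope1>sitecore.profile.api</AllowedScope1></AllowedScopes>
  </CliServerClient>
</Clients></IdentityServer></Sitecore></Settings>"""

# Constructed sample of Sitecore.Owin.Authentication.ClientCredentialsMapping.config
CM_CONFIG = """<configuration xmlns:role="http://www.sitecore.net/xmlconfig/role/">
  <sitecore role:require="ContentManagement"><federatedAuthentication><identityProviders>
    <identityProvider id="SitecoreIdentityServer">
      <transformations hint="list:AddTransformation">
        <transformation name="admin-ify client credentials users">
          <sources hint="raw:AddSource"><claim name="client_id" value="SitecoreCLIServer" /></sources>
          <targets hint="raw:AddTarget">
            <claim name="name" value="sitecore\\superuser" />
            <claim name="http://www.sitecore.net/identity/claims/isAdmin" value="true" />
          </targets>
          <keepSource>true</keepSource>
        </transformation>
      </transformations>
    </identityProvider>
  </identityProviders></federatedAuthentication></sitecore>
</configuration>"""

# Constructed sample of the membership section of web.config
WEB_CONFIG = """<configuration><system.web><membership defaultProvider="sitecore"><providers>
  <add name="sql" type="System.Web.Security.SqlMembershipProvider" requiresUniqueEmail="true" />
</providers></membership></system.web></configuration>"""


def idserver_clients(xml_text):
    """Map ClientId -> settings for every client under <Clients>. The parser drops
    XML comments, so a secret that was left commented out shows up as missing."""
    clients = {}
    for client in ET.fromstring(xml_text).find("Sitecore/IdentityServer/Clients"):
        def texts(path):
            return [(e.text or "").strip() for e in client.findall(path)]
        clients[(client.findtext("ClientId") or "").strip()] = {
            "secrets": texts("ClientSecrets/*"),
            "grants": texts("AllowedGrantTypes/*"),
            "scopes": texts("AllowedScopes/*"),
            "offline": (client.findtext("AllowOfflineAccess") or "false").strip().lower() == "true",
        }
    return clients


def cm_mappings(xml_text):
    """List (client_id, {target claim name: value}) for each transformation keyed on client_id."""
    out = []
    for t in ET.fromstring(xml_text).iter("transformation"):
        src = {c.get("name"): c.get("value") for c in t.findall("sources/claim")}
        tgt = {c.get("name"): c.get("value") for c in t.findall("targets/claim")}
        if "client_id" in src:
            out.append((src["client_id"], tgt))
    return out


def requires_unique_email(web_config_text):
    """True if any membership provider in web.config sets requiresUniqueEmail="true"."""
    root = ET.fromstring(web_config_text)
    return any(p.get("requiresUniqueEmail", "false").lower() == "true"
               for m in root.iter("membership") for p in m.iter("add"))


def check(idserver_xml, cm_xml, web_config_xml):
    """Return findings as 'ERROR: ...' (login will fail) or 'WARN: ...' (review)."""
    findings = []
    clients = idserver_clients(idserver_xml)
    mappings = cm_mappings(cm_xml)
    unique_email = requires_unique_email(web_config_xml)
    for cid, c in clients.items():
        if not any(c["secrets"]):
            findings.append(f"ERROR: {cid}: no client secret (still commented out?)")
        if any(len(s) > MAX_SECRET_LEN for s in c["secrets"]):
            findings.append(f"ERROR: {cid}: secret exceeds {MAX_SECRET_LEN} characters")
        if c["grants"] != ["client_credentials"]:
            findings.append(f"WARN: {cid}: grant types {c['grants']} go beyond client_credentials")
        if c["offline"]:
            findings.append(f"WARN: {cid}: AllowOfflineAccess=true issues refresh tokens this client does not need")
        if REQUIRED_SCOPE not in c["scopes"]:
            findings.append(f"ERROR: {cid}: scope {REQUIRED_SCOPE} not allowed")
        if cid not in {m for m, _ in mappings}:
            findings.append(f"ERROR: {cid}: no client_id transformation on the CM role")
    for cid, tgt in mappings:
        if cid not in clients:
            findings.append(f"ERROR: CM maps client_id {cid!r}, which the Identity Server does not define")
        if (tgt.get(ADMIN_CLAIM) or "").lower() == "true":
            findings.append(f"WARN: {cid}: mapped to an administrator; anyone holding the secret is a Sitecore admin")
        if unique_email and EMAIL_CLAIM not in tgt:
            findings.append(f"ERROR: {cid}: requiresUniqueEmail=true but no emailaddress claim target")
    return findings


if __name__ == "__main__":
    for line in check(IDSERVER_XML, CM_CONFIG, WEB_CONFIG):
        print(line)
```

Run against the samples, the check reports one error (the membership provider requires unique emails but the mapping has no emailaddress claim target) and one warning (the client is mapped to an administrator). The warning is deliberate: the mapping the procedure installs is all-or-nothing admin, so the check makes that visible every time it runs rather than only when something is broken.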