My client has an Umbraco 13 website, hosted on Umbraco Cloud. They have an internal developer who has developed an SPA tool using node.js. They would like for the website to manage members who will then have access to the tool. I am wondering if it would be possible for the external node.js site to access information from the Umbraco site about a member’s logged-in status, and other related info, perhaps via an API endpoint I set up on the Umbraco site?
Example:
Member 1234 logs into the Umbraco website, and is directed to a page with a link which points to the Node site (ex: “https://TOOLS.WEBSITE.COM/TheTool?Member=1234”)
The Node app makes a call to “https://WEBSITE.COM/API/CheckMember?ID=1234” which then returns a JSON blob with info about the member, based on the ID number. (Would we be able to provide a “logged-in” value of True/False considering this is not in the same “session”?)
Sounds like you’d be better off implementing External SSO for the umbraco site, and use the same provider for the node.js site? (passing your data in the returned claims rather than json blobs)
If SSO is needed for multiple sites, it’s recommended to use a dedicated OpenID Connect identity provider (e.g. IdentityServer, Azure AD) and configure Umbraco and other sites as clients to that provider. Umbraco itself does not natively act as an OpenID Connect (OIDC) provider for other sites. It is designed to act as an OIDC client, meaning it uses external OIDC identity providers (such as IdentityServer, Azure AD, Auth0) to authenticate users for the Umbraco backoffice or website members.
Thus, Umbraco can consume OpenID Connect authentication but cannot typically function as an OpenID Connect identity provider for other applications without custom implementation.
So, to clarify, the node.js site would need to have its own login functionality, and the Umbraco site would also have its own login functionality, but both utilizing the same third-party OpenID provider for the authentication?
And in that case, if there was additional data being stored about member properties and roles/permissions on the Umbraco site, that data could be securely passed to the node.js site?
I wouldn’t go as far as expertise...
But yes, each has its own login, but that is using the external SSO in both cases, so if logged in on one you are logged in on the other, via the authentication cookie.
Depending on how much member property data you are talking about, and if it’s only asp.net identity concerns then you could elevate that into the external SSO, and pass via claims.
Alternatively, though I’ve not tried this, or indeed know if it’s correct, using the bearer token from the node.js site should allow you to talk to a memberAuthorised Umbraco controller to fetch data (AJAX) from the Umbraco site.
The JWT code from Warren looks like a possibility also, though perhaps it is assuming the login UI is on the external site, and then it is just passing the data back to the Umbraco site for validating.
Since the requirement is for the Umbraco site to handle the member UI (login, logout, etc.), it might take a combination of those approaches in order to make it work.
Seems I’d need to do some testing to figure out the best way you get the two sites talking to each other.
A bunch of SSO providers will handle the UI of login, logout and registration. For instance https://auth0.com/ will handle those for you. I’m not sure if that satisfies the requirement but it’s at least a single UI for both.
I think we’re going to see if we can avoid using a third-party provider; if Umbraco can manage the login and we can use JWT, that might solve our requirements.
Hey, did you manage to solve this?
We would also like to authenticate a 3rd party app with our members and our Umbraco server being the login provider.
Is there any docs on that?
So Umbraco needs to be the OAuth provider for your login right? I always find this doc helpful:
This is mostly for headless environments that use the content delivery api to access data. And if you have protected content, you need to authenticate as a member in Umbraco. The idea is exactly the same for other external applications. In short:
Create a login page on your Umbraco instance. The login page example in the document already takes care of a lot of things.
Set up some configuration settings in appSettings.json, like redirect URLs etc.
Then the consuming application needs to start a pretty default OAuth flow with Umbraco as the identity provider. I don’t know all the inner workings, but we have used member authentication in one of our headless applications (and it’s not for using the delivery api at all, it’s really just for ‘member’ management). It’s a react frontend application. So if you have specific questions, I could see if I can find the answer.
Regarding the Readme of the JWT implementation of Warren, I have serious doubts it’s the correct way to handle JWT.
First of all, the JWT is handy to avoid DB hits as the token could contain enough info to authorize the user for any action.
Saving a token in the DB, does this mean that tokens could be long term? And thus easily shareable? There are alternatives with refresh tokens which can be really short term.
Return 401... You should let the user decide; personally, returning bullshit data is a better option...
Hi, So we did get it working. In a nutshell, the Members were set up and stored in Umbraco, and upon login (on a front-end page on the Umbraco site), a token was generated. A button was provided to take the member to the external node JS site - via a POST which included the JWT token. Both sites (Umbraco and Node.JS) knew the same secret key for checking the JWT authenticity. The token also included some of the member data which was needed by the Node.JS site for operations.
I can dig out some code samples if you need them (for the Umbraco site - I don’t have access to the source code for the Node JS site)