Connecting to from .NET through Access Management

From the .NET client, you can connect to the API through the Access Management application and a configured identity provider.

Before you begin

For authentication through Access Management, you need a Client ID and Client Secret configured for an Identity Provider in Access Management. You can get these values through either the Access Management user interface or the Access Management API.

About this task

You can use the built-in .NET client Tridion.ContentManager.CoreService.Client.dll, which is located in the following folder of your Content Manager Server:

%TRIDION_HOME%\bin\client\CoreService\

Procedure

  • To connect non-interactively using a service account, do the following steps:
    1. Request the discovery document from Access Management.
    2. Extract the Token Endpoint from the discovery document.
    3. Send a request to the Token Endpoint, providing the ClientId and ClientSecret of your service account, and get the access token.
    4. Create the client, and add the access token to its endpoint behaviors.

    The following sample code performs these steps:

    // Requires the IdentityModel package (IdentityModel.Client) for the discovery and token helpers.
    using System;
    using System.Net.Http;
    using IdentityModel.Client;
    using Tridion.ContentManager.CoreService.Client;
    // The Client ID and Client Secret configured for the identity provider in Access Management.
    string clientId = "<client-id>";
    string clientSecret = "<client-secret>";
    CoreServiceClient client = new CoreServiceClient("basicHttp_202101");
    using (HttpClient httpClient = new HttpClient())
    {
        // 1. Request the discovery document from Access Management.
        string authority = client.GetAccessManagementUrlIfEnabled();
        var discoveryDocument = await httpClient.GetDiscoveryDocumentAsync(new DiscoveryDocumentRequest
        {
            Address = authority,
            Policy = new DiscoveryPolicy
            {
                // Both settings relax validation of the discovery document (plain HTTP allowed, issuer not checked);
                // keep the defaults (true) outside development environments.
                RequireHttps = false,
                ValidateIssuerName = false
            }
        });
        if (discoveryDocument.IsError) throw new InvalidOperationException(discoveryDocument.Error);
        // 2. and 3. Send the ClientId and ClientSecret to the Token Endpoint and get the access token.
        var token = await httpClient.RequestClientCredentialsTokenAsync(
            new ClientCredentialsTokenRequest
            {
                Address = discoveryDocument.TokenEndpoint,
                ClientId = clientId,
                ClientSecret = clientSecret
            });
        if (token.IsError) throw new InvalidOperationException(token.Error);
        // 4. Add the access token to the client's endpoint behaviors as a bearer token.
        string accessToken = token.AccessToken;
        client.ChannelFactory.Endpoint.Behaviors.Add(new BearerTokenEndpointBehavior(() => accessToken));
    }
  • To connect interactively by logging in as a user, use the OidcSignInHelper.GetAccessTokenAsync() method from the Tridion.OidcClient.dll library.

    The following sample code illustrates using this method:

    CoreServiceClient client = new CoreServiceClient("basicHttp_202101");
    string authority = client.GetAccessManagementUrlIfEnabled();
    // Starts the identity provider's interactive sign-in and returns the access token of the signed-in user.
    string accessToken = await OidcSignInHelper.GetAccessTokenAsync(authority);
    // Attach the token to the client's endpoint behaviors as a bearer token.
    client.ChannelFactory.Endpoint.Behaviors.Add(new BearerTokenEndpointBehavior(() => accessToken));
  • To impersonate with claims after authenticating, do the following:
    1. Obtain claims from a secured Tridion web app.
      Since your code is running in a web app that is already secured by Access Management, such as the Content Manager Explorer web app, the claims are readily available. You can obtain the claims from the Current Principal, for example, using HttpContext.Current.User.Identity.Claims.
    2. Provide claims to
      To impersonate a user with the claims obtained from Access Management, call the ImpersonateWithClaims method. These claims are typically mapped in Content Manager to user groups, which in turn resolve to a set of user rights and permissions.
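In the service-account steps above, BearerTokenEndpointBehavior takes a delegate rather than a fixed string, which lets a long-running service renew the token before it expires instead of sending a stale one. The following token provider is an added example, not code from the product documentation; it assumes the IdentityModel client package used in the sample above, that the behavior invokes the delegate on each request, and that the token response's ExpiresIn value is the token lifetime in seconds.

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using IdentityModel.Client;
// Added example: requests a client-credentials token once, caches it, and re-requests it
// shortly before it expires so a service does not call the API with an expired token.
public sealed class ClientCredentialsTokenProvider : IDisposable
{
    private readonly HttpClient _httpClient = new HttpClient();
    private readonly string _authority, _clientId, _clientSecret;
    private readonly SemaphoreSlim _lock = new SemaphoreSlim(1, 1);
    private string _accessToken;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;
    public ClientCredentialsTokenProvider(string authority, string clientId, string clientSecret)
    {
        _authority = authority; _clientId = clientId; _clientSecret = clientSecret;
    }
    // Returns the cached token, or requests a new one when it is within 60 seconds of expiry.
    public async Task<string> GetAccessTokenAsync()
    {
        await _lock.WaitAsync();
        try
        {
            if (DateTimeOffset.UtcNow < _expiresAt.AddSeconds(-60)) return _accessToken;
            // Discovery with the default policy: HTTPS required and issuer name validated.
            var discovery = await _httpClient.GetDiscoveryDocumentAsync(_authority);
            if (discovery.IsError) throw new InvalidOperationException(discovery.Error);
            var token = await _httpClient.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
            {
                Address = discovery.TokenEndpoint,
                ClientId = _clientId,
                ClientSecret = _clientSecret
            });
            if (token.IsError) throw new InvalidOperationException(token.Error);
            _accessToken = token.AccessToken;
            _expiresAt = DateTimeOffset.UtcNow.AddSeconds(token.ExpiresIn);
            return _accessToken;
        }
        finally { _lock.Release(); }
    }
    public void Dispose() { _httpClient.Dispose(); _lock.Dispose(); }
}
// Usage with the Core Service client; the behavior's delegate is synchronous, so the task is awaited here:
// var provider = new ClientCredentialsTokenProvider(client.GetAccessManagementUrlIfEnabled(), clientId, clientSecret);
// client.ChannelFactory.Endpoint.Behaviors.Add(
//     new BearerTokenEndpointBehavior(() => provider.GetAccessTokenAsync().GetAwaiter().GetResult()));
```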