Sitecore CLI – Non-interactive login fails when requiresUniqueEmail is set to true

With the Sitecore CLI you can choose to log in non-interactively, meaning that you supply a ClientId and ClientSecret (a client registered in Sitecore Identity Server) which are then used to log in. Interactive login means that you log in with the username and password of a pre-existing user.

Today a user on Slack had some issues using the non-interactive login, as he received the following error: You are not authorized to perform the task you are attempting. You may need to be assigned additional permissions.

The first step is to check whether the user that the non-interactive login creates actually exists in Sitecore. This is easy to see by opening the User Manager and looking for a user with a generated name along the lines of sitecore\fgRDZiyNCH.

If the user is missing from Sitecore, the Sitecore logs usually have more information. In this particular case the following error was logged:

15:38:17 ERROR Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware - Authentication failed
Exception: System.InvalidOperationException
Message: Unable to create a user. Reason: InvalidEmail
Source: Sitecore.Owin.Authentication
   at Sitecore.Owin.Authentication.Identity.MembershipUserStore`1.CreateAsync(TUser user)
   at Microsoft.AspNet.Identity.UserManager`2.<CreateAsync>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Sitecore.Owin.Authentication.Services.DefaultApplicationUserResolver.<ResolveApplicationUserAsync>d__16.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Sitecore.Owin.Authentication.Pipelines.Initialize.BearerAuthenticationBase.<ResolveUser>d__34.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Sitecore.Owin.Authentication.Pipelines.Initialize.BearerAuthenticationBase.<ValidateIdentity>d__31.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler.<AuthenticateCoreAsync>d__3.MoveNext()

This error only occurs when requiresUniqueEmail is set to true on the SQL membership provider in your web.config (the "sql" provider that SitecoreMembershipProvider delegates to through realProviderName). With that setting, SqlMembershipProvider refuses to create a user that has no e-mail address and reports the status InvalidEmail. The user that federated authentication creates for the Sitecore CLI client is created without an e-mail address, so the creation fails, and because no Sitecore user exists for the client the CLI request ends up as "not authorized".

    <membership defaultProvider="sitecore" hashAlgorithmType="SHA1">
      <providers>
        <clear />
        <add name="sitecore" type="Sitecore.Security.SitecoreMembershipProvider, Sitecore.Kernel" realProviderName="sql" providerWildcard="%" raiseEvents="true" />
        <add name="sql" type="System.Web.Security.SqlMembershipProvider" connectionStringName="security" applicationName="sitecore" minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" maxInvalidPasswordAttempts="5" />
        <add name="disabled" type="Sitecore.Security.DisabledMembersipProvider, Sitecore.Kernel" applicationName="sitecore" />
        <add name="switcher" type="Sitecore.Security.SwitchingMembershipProvider, Sitecore.Kernel" applicationName="sitecore" mappings="switchingProviders/membership" />
      </providers>
    </membership>

You can make sure that the user is created with a valid e-mail address by changing the Sitecore.Owin.Authentication.ClientCredentialsMapping.config from step 6 in the documentation: add the emailaddress claim to the targets of the transformation, as I did with the last claim in the targets list below. Because requiresUniqueEmail is on, choose an address that no other Sitecore user already has, otherwise the creation fails again, this time with the status DuplicateEmail. Note that this transformation also maps the client to sitecore\superuser with isAdmin set to true, so the ClientSecret is effectively an administrator credential and should be stored and rotated as one.
The file should look like the following:

<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/" xmlns:set="http://www.sitecore.net/xmlconfig/set/">
  <sitecore role:require="Standalone or ContentDelivery or ContentManagement">
    <federatedAuthentication>
      <identityProviders>
        <identityProvider id="SitecoreIdentityServer" type="Sitecore.Owin.Authentication.IdentityServer.IdentityServerProvider, Sitecore.Owin.Authentication.IdentityServer" resolve="true">
          <transformations hint="list:AddTransformation">
            <transformation name="admin-ify client credentials users" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
              <sources hint="raw:AddSource">
                <claim name="client_id" value="SitecoreCLIServer" />
              </sources>
              <targets hint="raw:AddTarget">
                <claim name="name" value="sitecore\superuser" />
                <claim name="http://www.sitecore.net/identity/claims/isAdmin" value="true" />
                <claim name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="your@email.com" />
              </targets>
              <keepSource>true</keepSource>
            </transformation>
          </transformations>
        </identityProvider>
      </identityProviders>
    </federatedAuthentication>
  </sitecore>
</configuration>
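The two configuration fragments above boil down to one rule: if the real membership provider has requiresUniqueEmail="true", the transformation for the CLI client_id must supply a non-empty emailaddress target claim. The following preflight check is an added example of mine, not code from this post or from Sitecore. It parses a constructed copy of the membership section and of the ClientCredentialsMapping patch, predicts the MembershipCreateStatus the auto-created CLI user would get, and applies the fix by inserting the emailaddress claim. It goes one step beyond the post by also reporting DuplicateEmail, which SqlMembershipProvider returns when the address is already used by another user; the list of existing addresses is an assumption standing in for the security database.

```python
"""Preflight check for the Sitecore CLI client-credentials login.

Added example, not code from the original post or from Sitecore.  It mirrors the
e-mail validation that SqlMembershipProvider.CreateUser performs when
requiresUniqueEmail="true": an empty address gives InvalidEmail, an address that
another user already has gives DuplicateEmail.
"""
import xml.etree.ElementTree as ET

EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE_NS = "http://www.sitecore.net/xmlconfig/role/"

# Constructed sample: the relevant part of web.config, with the setting from the post.
WEB_CONFIG_MEMBERSHIP = """<membership defaultProvider="sitecore" hashAlgorithmType="SHA1">
  <providers>
    <clear />
    <add name="sitecore" type="Sitecore.Security.SitecoreMembershipProvider, Sitecore.Kernel" realProviderName="sql" providerWildcard="%" raiseEvents="true" />
    <add name="sql" type="System.Web.Security.SqlMembershipProvider" connectionStringName="security" applicationName="sitecore" requiresUniqueEmail="true" />
  </providers>
</membership>"""

# Constructed sample: the ClientCredentialsMapping patch before the fix, i.e. without
# an emailaddress target claim.
PATCH_WITHOUT_EMAIL = r"""<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/">
  <sitecore role:require="Standalone or ContentDelivery or ContentManagement">
    <federatedAuthentication>
      <identityProviders>
        <identityProvider id="SitecoreIdentityServer" type="Sitecore.Owin.Authentication.IdentityServer.IdentityServerProvider, Sitecore.Owin.Authentication.IdentityServer" resolve="true">
          <transformations hint="list:AddTransformation">
            <transformation name="admin-ify client credentials users" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
              <sources hint="raw:AddSource">
                <claim name="client_id" value="SitecoreCLIServer" />
              </sources>
              <targets hint="raw:AddTarget">
                <claim name="name" value="sitecore\superuser" />
                <claim name="http://www.sitecore.net/identity/claims/isAdmin" value="true" />
              </targets>
              <keepSource>true</keepSource>
            </transformation>
          </transformations>
        </identityProvider>
      </identityProviders>
    </federatedAuthentication>
  </sitecore>
</configuration>"""


def requires_unique_email(membership_xml: str) -> bool:
    """True if the provider that really stores users has requiresUniqueEmail="true".

    SitecoreMembershipProvider is a wrapper; the setting that matters lives on the
    provider named by its realProviderName attribute.
    """
    membership = ET.fromstring(membership_xml)
    providers = {p.get("name"): p for p in membership.iter("add")}
    provider = providers[membership.get("defaultProvider")]
    real_name = provider.get("realProviderName")
    if real_name in providers:
        provider = providers[real_name]
    return provider.get("requiresUniqueEmail", "false").lower() == "true"


def target_claims(patch_xml: str, client_id: str) -> dict:
    """Target claims (name -> value) the patch maps onto tokens carrying client_id."""
    root = ET.fromstring(patch_xml)
    for t in root.iter("transformation"):
        sources = {c.get("name"): c.get("value") for c in t.findall("sources/claim")}
        if sources.get("client_id") == client_id:
            return {c.get("name"): c.get("value") for c in t.findall("targets/claim")}
    return {}


def predict_create_status(membership_xml: str, patch_xml: str,
                          client_id: str = "SitecoreCLIServer",
                          existing_emails=()) -> str:
    """Predict the MembershipCreateStatus for the auto-created CLI user.

    existing_emails is an assumed stand-in for the addresses already present in the
    security database (read them from the User Manager in a real check).
    """
    email = (target_claims(patch_xml, client_id).get(EMAIL_CLAIM) or "").strip()
    if requires_unique_email(membership_xml):
        if not email:
            return "InvalidEmail"        # the failure logged in the post
        if email.lower() in {e.lower() for e in existing_emails}:
            return "DuplicateEmail"      # the next failure if the address is taken
    return "Success"


def add_email_claim(patch_xml: str, client_id: str, email: str) -> str:
    """Return the patch with an emailaddress target claim for client_id (the fix).

    ElementTree only re-emits namespace prefixes that are actually used, so an unused
    xmlns:patch / xmlns:set declaration is dropped; tidy whitespace and re-add them by
    hand before committing the file.
    """
    ET.register_namespace("patch", "http://www.sitecore.net/xmlconfig/")
    ET.register_namespace("role", ROLE_NS)
    ET.register_namespace("set", "http://www.sitecore.net/xmlconfig/set/")
    root = ET.fromstring(patch_xml)
    for t in root.iter("transformation"):
        sources = {c.get("name"): c.get("value") for c in t.findall("sources/claim")}
        if sources.get("client_id") != client_id:
            continue
        targets = t.find("targets")
        existing = [c for c in targets.findall("claim") if c.get("name") == EMAIL_CLAIM]
        if existing:
            existing[0].set("value", email)
        else:
            ET.SubElement(targets, "claim", {"name": EMAIL_CLAIM, "value": email})
        return ET.tostring(root, encoding="unicode")
    raise ValueError(f"no transformation maps client_id {client_id!r}")


if __name__ == "__main__":
    print("before:", predict_create_status(WEB_CONFIG_MEMBERSHIP, PATCH_WITHOUT_EMAIL))
    fixed = add_email_claim(PATCH_WITHOUT_EMAIL, "SitecoreCLIServer", "sitecore-cli@example.com")
    print("after: ", predict_create_status(WEB_CONFIG_MEMBERSHIP, fixed))
```

Run it against your own web.config membership section and patch file to confirm the fix before retrying the CLI login; the DuplicateEmail branch is the reason to pick a dedicated address for the CLI user rather than reusing an administrator's.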
