I'm working on an Umbraco 10 project and I followed the article below to implement authenticating the Umbraco backoffice with Azure Active Directory credentials.
But when I sign in with a Microsoft account, I get an empty page like below.
It seems that the authenticating account process succeeded on the Azure side, but after that the account didn't have appropriate permissions to get data in Umbraco CMS, so I think the AutoLinking function is not working.
I tried the 'Link To Microsoft Account Manually' function and I can see it worked well.
Does anyone know what the reason is?
Below is my implementation in detail:
BackofficeAuthenticationExtensions.cs
    using Microsoft.AspNetCore.Authentication.MicrosoftAccount;
    using Microsoft.Extensions.DependencyInjection;
    using Umbraco.Cms.Core.DependencyInjection;
    using Umbraco.Extensions;

    public static class BackofficeAuthenticationExtensions
    {
        public static IUmbracoBuilder ConfigureAuthentication(this IUmbracoBuilder builder)
        {
            // Register OpenIdConnectBackOfficeExternalLoginProviderOptions here rather than require it in startup
            builder.Services.ConfigureOptions<AzureBackOfficeExternalLoginProviderOptions>();
            builder.AddBackOfficeExternalLogins(logins =>
            {
                const string schema = MicrosoftAccountDefaults.AuthenticationScheme;
                logins.AddBackOfficeLogin(
                    backOfficeAuthenticationBuilder =>
                    {
                        backOfficeAuthenticationBuilder.AddMicrosoftAccount(
                            // the scheme must be set with this method to work for the back office
                            backOfficeAuthenticationBuilder.SchemeForBackOffice(schema) ?? string.Empty,
                            options =>
                            {
                                //By default this is '/signin-microsoft' but it needs to be changed to this
                                options.CallbackPath = "/signin-microsoft";
                                //Obtained from the AZURE AD B2C WEB APP
                                // (AppSettings is the project's own settings class, not shown)
                                options.ClientId = AppSettings.ClientId;
                                //Obtained from the AZURE AD B2C WEB APP
                                options.ClientSecret = AppSettings.ClientSecret;
                                options.TokenEndpoint = $"https://login.microsoftonline.com/{AppSettings.TenantId}/oauth2/v2.0/token";
                                options.AuthorizationEndpoint = $"https://login.microsoftonline.com/{AppSettings.TenantId}/oauth2/v2.0/authorize";
                            });
                    });
            });
            return builder;
        }
    }
AzureBackOfficeExternalLoginProviderOptions.cs
    using Microsoft.AspNetCore.Authentication.MicrosoftAccount;
    using Microsoft.Extensions.Options;
    using Umbraco.Cms.Core;
    using Umbraco.Cms.Web.BackOffice.Security;

    public class AzureBackOfficeExternalLoginProviderOptions : IConfigureNamedOptions<BackOfficeExternalLoginProviderOptions>
    {
        public const string SchemeName = MicrosoftAccountDefaults.AuthenticationScheme;

        public void Configure(string name, BackOfficeExternalLoginProviderOptions options)
        {
            if (name != "Umbraco." + SchemeName)
            {
                return;
            }
            Configure(options);
        }

        public void Configure(BackOfficeExternalLoginProviderOptions options)
        {
            options.ButtonStyle = "btn-danger";
            options.Icon = "fa fa-cloud";
            options.AutoLinkOptions = new ExternalSignInAutoLinkOptions(
                // must be true for auto-linking to be enabled
                autoLinkExternalAccount: true,
                // Optionally specify default user group, else
                // assign in the OnAutoLinking callback
                // (default is editor)
                defaultUserGroups: new[] { Constants.Security.AdminGroupAlias },
                // Optionally specify the default culture to create
                // the user as. If null it will use the default
                // culture defined in the web.config, or it can
                // be dynamically assigned in the OnAutoLinking
                // callback.
                defaultCulture: null,
                // Optionally you can disable the ability to link/unlink
                // manually from within the back office. Set this to false
                // if you don't want the user to unlink from this external
                // provider.
                allowManualLinking: false
            )
            {
                // Optional callback
                OnAutoLinking = (autoLinkUser, loginInfo) =>
                {
                    // You can customize the user before it's linked.
                    // i.e. Modify the user's groups based on the Claims returned
                    // in the externalLogin info
                },
                OnExternalLogin = (user, loginInfo) =>
                {
                    // You can customize the user before it's saved whenever they have
                    // logged in with the external provider.
                    // i.e. Sync the user's name based on the Claims returned
                    return true; //returns a boolean indicating if sign in should continue or not.
                }
            };
            // Optionally you can disable the ability for users
            // to login with a username/password. If this is set
            // to true, it will disable username/password login
            // even if there are other external login providers installed.
            options.DenyLocalLogin = false;
            // Optionally choose to automatically redirect to the
            // external login provider so the user doesn't have
            // to click the login button. This is
            options.AutoRedirectLoginToExternalProvider = false;
        }
    }
You need to create an autoLinkUser in the OnAutoLinking method.
Please refer to the code below:
    OnAutoLinking = (autoLinkUser, loginInfo) =>
    {
        // You can customize the user before it's linked.
        // i.e. Modify the user's groups based on the Claims returned
        // in the externalLogin info
        var claims = loginInfo.Principal.Claims.ToList();
        autoLinkUser.Name = claims.FirstOrDefault(p => p.Type.Equals("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"))?.Value;
        autoLinkUser.Email = claims.FirstOrDefault(p => p.Type.Equals("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"))?.Value.Replace("#EXT#", string.Empty);
        autoLinkUser.UserName = claims.FirstOrDefault(p => p.Type.Equals("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"))?.Value.Replace("#EXT#", string.Empty);
        autoLinkUser.IsApproved = true;
    }
Try it and let me know if your issue can be solved.
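An added example, not part of the thread or of Umbraco's code: with `defaultUserGroups` set to the admin group as in the question, every auto-linked account becomes a back-office administrator, so it helps to check the claims before a user is created. The `AutoLinkPolicy` class, its `Decision` record, the allow-list of mail domains and the choice to reject `#EXT#` guest accounts are all assumptions made for illustration; the sample identities are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Hypothetical helper: decides whether an external identity may be auto-linked.
public static class AutoLinkPolicy
{
    public sealed record Decision(bool Allow, string? Name, string? Email, string Reason);

    public static Decision Evaluate(ClaimsPrincipal principal, ISet<string> allowedDomains)
    {
        // ClaimTypes.Name and ClaimTypes.Email are the same claim URIs used in the answer above.
        string? name = principal.FindFirst(ClaimTypes.Name)?.Value;
        string? raw = principal.FindFirst(ClaimTypes.Email)?.Value;

        // A missing claim would otherwise leave Email and UserName null on the new user.
        if (string.IsNullOrWhiteSpace(raw))
            return new Decision(false, name, null, "no email claim");

        // Assumed policy: guest accounts (marked "#EXT#") are not auto-linked.
        if (raw.Contains("#EXT#", StringComparison.OrdinalIgnoreCase))
            return new Decision(false, name, null, "guest account");

        string email = raw.Trim();
        int at = email.LastIndexOf('@');
        if (at <= 0 || at == email.Length - 1)
            return new Decision(false, name, null, "malformed email");

        // Assumed policy: only allow-listed mail domains get a back-office user.
        if (!allowedDomains.Contains(email[(at + 1)..]))
            return new Decision(false, name, email, "domain not allowed");

        return new Decision(true, name, email, "ok");
    }

    public static void Main()
    {
        // Constructed sample data.
        var allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "example.com" };
        var samples = new[] { "editor@example.com", "bob_gmail.com#EXT#@example.onmicrosoft.com", "x@other.test", null };
        foreach (var sample in samples)
        {
            var identity = new ClaimsIdentity("constructed");
            identity.AddClaim(new Claim(ClaimTypes.Name, "Sample User"));
            if (sample != null) identity.AddClaim(new Claim(ClaimTypes.Email, sample));
            var d = Evaluate(new ClaimsPrincipal(identity), allowed);
            Console.WriteLine($"{sample ?? "(none)"} -> allow={d.Allow} ({d.Reason})");
        }
    }
}
```

Calling `Evaluate(loginInfo.Principal, ...)` in `OnExternalLogin` and returning `Allow` stops the sign-in for rejected identities; `OnAutoLinking` can then copy `Name` and `Email` onto `autoLinkUser` as the answer does.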
Linking External Login Accounts Not Working
Hi everyone,
I'm working on an Umbraco 10 project and I followed the article below to implement authenticating the Umbraco backoffice with Azure Active Directory credentials.
https://docs.umbraco.com/umbraco-cms/v/10.latest-lts/reference/security/auto-linking
Thanks!
Hey - Did you get this working? I'm getting the same thing when trying to set up Azure AD for external user login.
Hi Lan,
Yes, I could make it work.