I'm trying to implement auto-linking for a custom authentication process. Any advice someone can give me on how to get this working would be greatly appreciated.

The intent is for a workflow that takes the member, sends them to a third party url for logging in, comes back with a token, calls back to the third-party to vet that token and get a Member info, then log into Umbraco with that Member. However, that isn't happening. Here's the process I wrote up for this:

1. A visitor comes in to the website, and hits a publicly accessible page (like the homepage).
2. Visitor clicks a login button that links to /auth/signin, a url handled by the AuthenticationController
3. This should trigger a challenge.
4. CustomRemoteAuthenticationHandler.HandleChallengeAsync redirects the visitor to a third party site, where they are guided through a login or account creation process.
5. When that process completes, the third party site redirects the visitor to /auth/signinverify?token={key}
6. /auth/signinverify?token={key} should trigger CustomRemoteAuthenticationHanderl.HandleRemoteAuthenticateAsync(), which takes that token, and verifies the authentication against the third party (in my particular case, I'll be sending a SOAP request to the third party with that key token, and getting a response object letting me know it succeeded). In the case of this test, though, I just skip that and pretend they were authenticated as a given email.
7. If it succeeded, create the Principal, Claims, and AuthenticationTicket for the user.
8. With these items in place, I expected Umbraco's Auto-Linking to take over, and find a Member in Umbraco matching on the Email address (or, failing that, create a Member.)
9. I think Auto Linking just matches on Email and gives / creates a Member, so I would then use the Auto Linking OnAutoLinking event in CustomRemoteMemberExternalLoginProviderOptions to add and verify the Member's information, including roles.
10. Presumably at this point the visitor would be authenticated as a Member - send them to a url that's dependent on the Member, or a fallback url if they don't have a custom URL yet. This logic I believed would be in the 'OnTicketReceived' event in RemoteAuthenticationEvents, specified in the extension class

This is working up through Step 7. The challenge happens, when it comes back it runs the authentication and verifies the visitor's info, and I create the principals. But then we just go straight into OnTicketReceived and load the target page, without hitting Umbraco's Auto Linking logic or creating / matching on an Umbraco Member. As far as I can tell, neither Configure method in CustomRemoteMemberExternalLoginProviderOptions is ever hit.

Here is the code I'm currently at - https://github.com/ChristopherBass/UmbracoThirdPartyAuthTest

SiteUmbraco.ContentModels is just the namespace for the custom WebsiteConfiguration page type - it's just for storing the URLs we go to after the authentication and the sign-out, and the third party SSO URL to challenge against. If you want it to compile on your own Umbraco site you can dummy that stuff out.

Most of my understanding of this came from:

• https://docs.umbraco.com/umbraco-cms/reference/security/external-login-providers
  • Good documentation but stops short of a custom provider
• https://github.com/jbreuer/Umbraco-OpenIdConnect-Example/tree/main
  • Good more full code example, but also just works with OpenIDConnect
• https://apidocs.umbraco.com/v13/csharp/api/Umbraco.Cms.Web.Website.Security.MemberAuthenticationBuilder.html
  • Just the barest documentation but the only info I could actually find on a custom remote authentication process for Members.