
IConfigureNamedOptions<MemberExternalLoginProviderOptions> Configure methods never called to setup autolinking #17027

Closed
r-modica-cti opened this issue Sep 9, 2024 · 5 comments
Labels
state/needs-more-info We don't have enough information to give a good reply type/bug

Comments


r-modica-cti commented Sep 9, 2024

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

13.3.0

Bug summary

We are unable to get auto linking working with an Azure AD provider as the IConfigureNamedOptions<MemberExternalLoginProviderOptions> Configure is never called to set up auto linking.

The login via the external service is working (as in we are presented with a Microsoft login page which allows us to put in credentials) and we are redirected back to the site, but no member is linked.

Breakpoints set on either of the Configure methods never get hit.

We don't believe there is an issue with our implementation as we have also copied the implementation from the official documentation (literally copied with no code changes):

https://docs.umbraco.com/umbraco-cms/tutorials/add-microsoft-entra-id-authentication

We have tried different types of provider too, like OIDC, but it's the same: the MemberExternalLoginProviderOptions are never called.

Options file

public class EntraIDB2CMembersExternalLoginProviderOptions : IConfigureNamedOptions<MemberExternalLoginProviderOptions>
{
    public const string SchemeName = "ActiveDirectoryB2C";

    public void Configure(string? name, MemberExternalLoginProviderOptions options)
    {
        if (name != Constants.Security.MemberExternalAuthenticationTypePrefix + SchemeName)
        {
            return;
        }

        Configure(options);
    }

    public void Configure(MemberExternalLoginProviderOptions options)
    {
        // The following options are relevant if you
        // want to configure auto-linking on the authentication.
        options.AutoLinkOptions = new MemberExternalSignInAutoLinkOptions(

            // Set to true to enable auto-linking
            autoLinkExternalAccount: true,

            // [OPTIONAL]
            // Default: The culture specified in appsettings.json.
            // Specify the default culture to create the Member as.
            // It can be dynamically assigned in the OnAutoLinking callback.
            defaultCulture: null,

            // [OPTIONAL]
            // Specify the default "IsApproved" status.
            // Must be true for auto-linking.
            defaultIsApproved: true,

            // [OPTIONAL]
            // Default: "Member"
            // Specify the Member Type alias.
            defaultMemberTypeAlias: Constants.Security.DefaultMemberTypeAlias

        )
        {
            // [OPTIONAL] Callbacks
            OnAutoLinking = (autoLinkUser, loginInfo) =>
            {
                // Customize the Member before it's linked.
                // Modify the Members groups based on the Claims returned
                // in the external login info.
            },
            OnExternalLogin = (user, loginInfo) =>
            {
                // Customize the Member before it is saved whenever they have
                // logged in with the external provider.
                // Sync the Members name based on the Claims returned
                // in the external login info

                // Returns a boolean indicating if sign-in should continue or not.
                return true;
            }
        };
    }
}

Extension (secrets have been removed):

public static class MemberAuthenticationExtensions
{
    public static IUmbracoBuilder ConfigureAuthenticationMembers(this IUmbracoBuilder builder)
    {
        // Registers the IConfigureNamedOptions<MemberExternalLoginProviderOptions> implementation.
        builder.Services.ConfigureOptions<EntraIDB2CMembersExternalLoginProviderOptions>();
        builder.AddMemberExternalLogins(logins =>
        {
            logins.AddMemberLogin(
                membersAuthenticationBuilder =>
                {
                    membersAuthenticationBuilder.AddMicrosoftAccount(

                        // The scheme must be set with this method to work for the external login.
                        membersAuthenticationBuilder.SchemeForMembers(EntraIDB2CMembersExternalLoginProviderOptions.SchemeName),
                        options =>
                        {
                            // CallbackPath: the URL the browser is redirected back to.
                            // The default value is /signin-oidc.
                            // This needs to be unique.
                            options.CallbackPath = "/umbraco-microsoft-signin/";

                            // Obtained from the Entra ID B2C web app registration
                            options.ClientId = "CLIENT";
                            // Obtained from the Entra ID B2C web app registration
                            options.ClientSecret = "SECRET";

                            // If you are using single-tenant app registration (e.g. for an intranet site), you must specify the Token Endpoint and Authorization Endpoint:
                            options.TokenEndpoint = "https://login.microsoftonline.com/TENANT/oauth2/v2.0/token";
                            options.AuthorizationEndpoint = "https://login.microsoftonline.com/TENANT/oauth2/v2.0/authorize";

                            options.SaveTokens = true;
                        });
                });
        });
        return builder;
    }
}

Specifics

No response

Steps to reproduce

We are using an Azure AD integration (not B2C), which may require a client to be set up on an Azure AD tenant.

We have essentially copied this line for line into a project:

https://docs.umbraco.com/umbraco-cms/tutorials/add-microsoft-entra-id-authentication

Expected result / actual result

For the OnAutoLinking and OnExternalLogin to be wired up correctly and the Configure methods of the EntraIDB2CMembersExternalLoginProviderOptions to be run.


github-actions bot commented Sep 9, 2024

Hi there @r-modica-cti!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

  • We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
  • If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
  • We'll replicate the issue to ensure that the problem is as described.
  • We'll decide whether the behavior is an issue or if the behavior is intended.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂

@NguyenThuyLan (Contributor)

Hi @r-modica-cti, thank you for reporting the issue. I'm trying to reproduce it, I'll let you know as soon as possible 🚀

@NguyenThuyLan (Contributor)

Hi again @r-modica-cti, I am using v13.5.0 and unfortunately I cannot reproduce this issue. Can you confirm that when you register a web application in Azure AD, you enable the ID token implicit grant, like in this tutorial: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga

@NguyenThuyLan NguyenThuyLan added the state/needs-more-info We don't have enough information to give a good reply label Sep 20, 2024
@r-modica-cti (Author)

Hi @NguyenThuyLan,

We have found what the issue was after we put a vanilla install for code review. You would be able to replicate it if you deleted the login page most likely, or created a project which didn't have a login page created.

The site we were building is exclusively external login only, so we did not have a Login page created, because we didn't need one. On the login page there is something that is injected and without that, the Membership options are never hit.

Essentially, we were missing this:

@inject IMemberExternalLoginProviders memberExternalLoginProviders;

Once that was added, we were able to register what we needed to.
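An added illustration of the mechanism behind this finding, not code from the issue or from Umbraco: IConfigureNamedOptions.Configure is invoked lazily by the Microsoft.Extensions.Options pipeline, the first time some consumer asks for that named options instance, never at registration time. The ProviderOptions type and the Prefix value are stand-ins for MemberExternalLoginProviderOptions and Constants.Security.MemberExternalAuthenticationTypePrefix; the name guard is the one from the issue's class.

```csharp
using System;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Hypothetical stand-in for MemberExternalLoginProviderOptions, used only for this demo.
public sealed class ProviderOptions
{
    public bool AutoLink { get; set; }
}

// Same shape as EntraIDB2CMembersExternalLoginProviderOptions in the issue.
public sealed class ConfigureProviderOptions : IConfigureNamedOptions<ProviderOptions>
{
    public const string Prefix = "UmbracoMembers.";   // assumed stand-in for the Umbraco prefix constant
    public const string SchemeName = "ActiveDirectoryB2C";
    public static int Calls;                          // how many times the named Configure has run

    public void Configure(string? name, ProviderOptions options)
    {
        Calls++;
        // The guard from the issue: only our scheme gets auto-linking switched on.
        if (name != Prefix + SchemeName) return;
        Configure(options);
    }

    public void Configure(ProviderOptions options) => options.AutoLink = true;
}

public static class Program
{
    public static void Main()
    {
        var services = new ServiceCollection();
        services.ConfigureOptions<ConfigureProviderOptions>();   // registers it, does not run it
        using var provider = services.BuildServiceProvider();

        // Nothing has requested the options yet, so Calls is still zero here.
        Console.WriteLine($"after registration: Calls = {ConfigureProviderOptions.Calls}");

        // Configure(name, ...) runs the first time a consumer asks for that named instance.
        // In Umbraco that consumer is IMemberExternalLoginProviders, which is what the
        // @inject on the login view resolves; without it the breakpoints are never hit.
        var monitor = provider.GetRequiredService<IOptionsMonitor<ProviderOptions>>();
        var named = monitor.Get(ConfigureProviderOptions.Prefix + ConfigureProviderOptions.SchemeName);
        Console.WriteLine($"after Get(name): Calls = {ConfigureProviderOptions.Calls}, AutoLink = {named.AutoLink}");

        // The unnamed instance is built with Options.DefaultName (""), which the guard
        // rejects, so auto-linking stays off for it even though Configure was called.
        Console.WriteLine($"default instance: AutoLink = {monitor.CurrentValue.AutoLink}");
    }
}
```

Resolving the named options the same way at startup doubles as a check that the auto-link settings (AutoLinkExternalAccount, DefaultIsApproved, DefaultMemberTypeAlias) are actually in effect rather than silently left at their defaults.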

@NguyenThuyLan (Contributor)

It's great that you got the problem and the solution. So I will close this issue here. Thank you very much 😊
