Changes to Basic Auth to support external logins #12434
nikolajlauridsen merged 9 commits into v10/dev from
|
This is very weird, but with this branch, I can't link to external login providers, or at least the Microsoft one. When I try in the backoffice I get redirected to the Microsoft login correctly, but after I log in I get redirected to an error page: If I debug and look at the value in the view data it just says: "An error occurred, could not get external login info", not much help there. This error seems to persist until I clear my cookies. Looking at the code I'm not sure why this would be though? However, this still seems to work fine on the dev branch.
|
Hm.. Maybe some endpoints that need to be whitelisted? I will investigate.
…uth-support-for-umbraco-cloud # Conflicts: # src/Umbraco.Web.Common/Security/UmbracoSignInManager.cs
|
Just checked again and now I can link to, and use, external login providers. It showed another minor issue though. If you log in with email and password, you'll get redirected back to the page you requested, however, if I log in with an external login provider I'll always get redirected to the backoffice.
|
Just a quick heads-up that the doc on our.umbraco already contains these changes:
|
If I may add something to the plate, I don't think this will work if the "backoffice endpoints" are not enabled, which is probably a common scenario if you install Umbraco in frontend nodes that don't need the backend enabled.
Thanks, I will talk with the docs team
You are most likely correct, but I guess it depends on the setup (e.g. if you load balance to different domains or just on /umbraco). Do you have suggestions to make it work? I would hate to add one more allow list. But maybe by allowing redirects to absolute paths if this path has origin equal to UmbracoApplicationUrl?
nikolajlauridsen
left a comment
Looks good and tests out good for me now 👍
* Fixed issues with basic auth middleware to support Umbraco Cloud use case
* Fix redirects to return url, now allows website urls
* Strip potential domain part of returnPath
* Fix default value in appsettings schema
* Reintroduce check of basic auth enabled.
* Fix wrong negation introduced in #12349
* Fixed issues with redirects
* Also check external login cookie, while authenticating backoffice
|
@bergmania
So, redirection to the login screen on the backend domain might solve the problem, but the auth cookie normally is issued only on the domain on which it is issued. So we should also change the "validity" of the cookie to both domains, but not sure it's possible. If both are subdomains of the same domain it might be enough to allow the cookie to be valid on all subdomains. But that might cause some security issues. Alternatively, the login endpoint could be "extracted" from the usebackendendpoints and allowed individually, like it's done for the upgrade and installation endpoints.

Description
Today the basic auth requires login using the user/password in the Umbraco DB. This does not work when using external logins like Google, Twitter or even UmbracoId.
This PR introduces new config settings.
* Umbraco:CMS:BasicAuth:RedirectToLoginPage
* Umbraco:CMS:BasicAuth:SharedSecret:HeaderName X-Authentication-Shared-Secret
* Umbraco:CMS:BasicAuth:SharedSecret:Value Umbraco:CMS:BasicAuth:SharedSecret:HeaderName that has to be equal to bypass.

Test
* Umbraco:CMS:BasicAuth:RedirectToLoginPage setting works and redirects to the login page, and when logging in, redirects to the original requested page.

Behavioral Breaking Changes
* returnPath when redirected to the login page now includes the entire path and not just the path inside the backoffice SPA
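
The redirect rule discussed in this thread (strip the domain part of returnPath, and only accept an absolute URL when its origin equals UmbracoApplicationUrl), sketched as an added example that is not code from this PR or from Umbraco. `ReturnPathGuard`, `Sanitize`, the `applicationUrl` parameter and the sample URLs are hypothetical.

```csharp
using System;
using System.Linq;

// Added illustration, not Umbraco's implementation. ReturnPathGuard, Sanitize and
// the sample URLs are hypothetical; applicationUrl stands in for UmbracoApplicationUrl.
public static class ReturnPathGuard
{
    public static string Sanitize(string returnPath, Uri applicationUrl)
    {
        const string fallback = "/";
        if (string.IsNullOrWhiteSpace(returnPath)) return fallback;
        string candidate = returnPath.Trim();

        // Absolute http(s) URL: accept only the application's own origin, then strip
        // the domain part. The scheme test also skips the file:// URI that .NET on
        // Unix produces when a rooted path such as "/products" is parsed as absolute.
        if (Uri.TryCreate(candidate, UriKind.Absolute, out Uri abs)
            && (abs.Scheme == Uri.UriSchemeHttp || abs.Scheme == Uri.UriSchemeHttps))
        {
            bool sameOrigin = Uri.Compare(abs, applicationUrl, UriComponents.SchemeAndServer,
                UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) == 0;
            if (!sameOrigin) return fallback;
            candidate = abs.PathAndQuery; // path and query only; the fragment is dropped
        }

        // What remains must be a rooted local path. "//host" and "/\host" are read
        // by browsers as another authority, so they are rejected here as well.
        bool rooted = candidate.Length > 0 && candidate[0] == '/';
        bool authorityLike = candidate.Length > 1 && (candidate[1] == '/' || candidate[1] == '\\');
        if (!rooted || authorityLike || candidate.Any(char.IsControl)) return fallback;
        return candidate;
    }

    public static void Main()
    {
        var app = new Uri("https://www.example.test"); // constructed sample origin
        string[] samples = // constructed inputs
        {
            "/products?page=2", "https://www.example.test/umbraco",
            "https://other.example/login", "//other.example/", "/\\other.example",
            "https://www.example.test//other.example", "products",
        };
        foreach (string s in samples)
            Console.WriteLine($"{s} -> {Sanitize(s, app)}");
    }
}
```

The local-path check runs after the domain is stripped, so a same-origin URL whose path itself begins with `//` still falls back to `/`.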