From 4537959e7c5c74c6d5f59c3fdfd16f9494ed1439 Mon Sep 17 00:00:00 2001
From: Andy Butland <abutland73@gmail.com>
Date: Mon, 3 Mar 2025 12:44:51 +0100
Subject: [PATCH] Avoids collection was modified issue when flowing identities
 to the authenticated user's principal.

---
 .../Extensions/HttpContextExtensions.cs                   | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/Umbraco.Web.Common/Extensions/HttpContextExtensions.cs b/src/Umbraco.Web.Common/Extensions/HttpContextExtensions.cs
index fd46ef6903af..cf9022951386 100644
--- a/src/Umbraco.Web.Common/Extensions/HttpContextExtensions.cs
+++ b/src/Umbraco.Web.Common/Extensions/HttpContextExtensions.cs
@@ -68,7 +68,13 @@ public static async Task<AuthenticateResult> AuthenticateBackOfficeAsync(this Ht
             // Otherwise we can't log in as both a member and a backoffice user
             // For instance if you've enabled basic auth.
             ClaimsPrincipal? authenticatedPrincipal = result.Principal;
-            IEnumerable<ClaimsIdentity> existingIdentities = httpContext.User.Identities.Where(x => x.IsAuthenticated && x.AuthenticationType != authenticatedPrincipal.Identity.AuthenticationType);
+
+            // Make sure to copy into a list before attempting to update the authenticated principal, so we don't attempt to modify
+            // the collection while iterating it.
+            // See: https://github.com/umbraco/Umbraco-CMS/issues/18509
+            var existingIdentities = httpContext.User.Identities
+                .Where(x => x.IsAuthenticated && x.AuthenticationType != authenticatedPrincipal.Identity.AuthenticationType)
+                .ToList();
             authenticatedPrincipal.AddIdentities(existingIdentities);
 
             httpContext.User = authenticatedPrincipal;