
Members: Add lightweight external-only members (closes #12741) #22162

Merged: AndyButland merged 48 commits into main from v17/feature/12741-lightweight-external-members on Apr 21, 2026
@AndyButland AndyButland commented Mar 17, 2026

Description

This PR adds support for lightweight external members — members that authenticate via external providers (Auth0, Azure AD, Google, Okta, etc.) and are stored as lightweight identity records in a new umbracoExternalMember table, bypassing the content system.

Discussion: #12741

Why is this useful?

Umbraco members are content. This is great for flexibility, as it allows members to be modelled in the same way as documents and media, with all property editors available. However, it's not the most performant - with each entity stored across 5-6 database tables - and where high levels of concurrency of registrations are important, it may not be the best approach to take.

That in itself is OK. When you outgrow "Umbraco members" you could use a dedicated external provider. However today this doesn't really help with the performance concern, as it's still necessary to have a member created in Umbraco as well.

Again, this can be useful. You may want to augment an external member record with additional data that you manage within Umbraco.

But the performance concern remains. Although login has been optimised to not require a full update of the content, there's not much that can be improved with this model for registrations, as a member record, based on content, needs to be created.

As such, when an external provider like Auth0 is the source of truth for member identity and profile data, this content footprint adds little value, and limits the scale the solution can support.

Why lightweight storage, not zero storage?

I've considered a fully virtual approach where external members exist only in the authentication cookie with no Umbraco database record at all - as that might seem to be the ideal here. This could work for the website front-end (as claims in the cookie could provide name, email, roles, etc.), but breaks down for:

  • Security stamp validation: ASP.NET Identity's SecurityStampValidator runs periodically and calls UserManager.GetSecurityStampAsync() against the user store. Without a stored record, the store has nothing to return. Without this there's no way to force sign-out of a compromised session, lock out a member, or revoke access from the Umbraco side. The member stays logged in until their cookie expires.
  • Persistent identity: Without a stored mapping, every login is treated as first-time registration. The system cannot distinguish "returning member" from "new member".
  • Backoffice visibility: External members would be invisible in the member list, search, member picker, and audit trail. Showing them would require a specific implementation to query each provider's management API, and would give access to all potential members, not just the ones that have accounts with Umbraco.
  • Examine search: No local record means no index entry. The member picker, backoffice search and member section would be empty.
  • Audit trail: No stable identifier to record operations against.

For this reason I've gone for a lightweight table (umbracoExternalMember) that stores one row per member with identity fields and a security stamp. The umbracoExternalMember2MemberGroup table stores group memberships. Together they provide everything the backoffice, public access, Examine, audit, and multi-server scenarios need — with none of the content system overhead (no node tree, no versioning, no property data etc.).

Profile data

As well as the expected fields for a user - name, email etc. - which are specific fields in umbracoExternalMember, I've also added support for additional data. This is all managed at the third party.

The external member store will store this arbitrary provider data in a profileData JSON column on the umbracoExternalMember table. Developers populate this from external claims in the OnAutoLinking and OnExternalLogin callbacks — typically by serializing a POCO with JsonSerializer.Serialize. The JSON structure is entirely developer-controlled; Umbraco does not validate or enforce a schema.

Profile data is surfaced in two ways. In code, MemberIdentityUser.GetProfileData<T>() deserializes the JSON to a strongly-typed object. In templates, AsPublishedMember() returns a PublishedExternalMember that exposes each top-level JSON key as an IPublishedProperty, so @Model.Member.Value("department") works identically for both content and external members. Profile data fields are also indexed in Examine, making them searchable in the backoffice and via the member picker.

Where is the performance gain?

Database write cost per registration

Content member (before): Each external login creates or updates a full content entity. This involves writes across 5-6 tables (umbracoNode, cmsContent, cmsContentVersion, cmsMember, cmsPropertyData, cmsMember2MemberGroup), content version creation, distributed cache invalidation, and a full Examine re-index of the content entity with all its properties.

External-only member (after): A single UPDATE statement on one row in umbracoExternalMember. No content versioning, no node tree operations, no property data writes. The Examine re-index covers only identity fields and profile data — not an entire content entity with property editors and value converters.

Database read cost per login

Content member: FindByLoginAsync resolves the member by querying umbracoExternalLogin, then loads the full IMember content entity via IMemberService.GetById() — which joins across umbracoNode, cmsContent, cmsMember, and cmsPropertyData. The ASP.NET Identity security stamp validation repeats this lookup periodically.

External-only member: FindByLoginAsync resolves the member by querying umbracoExternalLogin, then falls back to a single-table query on umbracoExternalMember by Guid key. No joins across content tables.

Storage footprint

A content member occupies rows in umbracoNode, cmsContent, cmsContentVersion (one per save — grows over time), cmsMember, cmsPropertyData (one row per property per version), and cmsMember2MemberGroup. For a member type with 5 properties saved 10 times, that is approximately 60+ rows across 6 tables.

An external-only member occupies exactly 1 row in umbracoExternalMember plus 1 row per group in umbracoExternalMember2MemberGroup. No versioning, no growth over time.

Cache and notification overhead

Content member saves trigger MemberSavedNotification, distributed cache refresher instructions (written to umbracoServerMessengerInstructions), content cache invalidation, and Examine re-indexing of the full property set. In a load-balanced environment, every server processes these instructions.

External member saves trigger ExternalMemberSavedNotification and a lightweight cache refresher instruction. There is no content cache to invalidate. Examine re-indexing covers only identity fields and profile data keys — not property editor value conversion.

What is included?

Core model and service layer

  • ExternalMemberIdentity — lightweight POCO with Key, Email, UserName, Name, IsApproved, IsLockedOut, dates, SecurityStamp, and a ProfileData JSON string for arbitrary provider data.
  • IsExternalOnly flag on MemberIdentityUser — the routing signal that determines whether operations go through the content pipeline or the lightweight store. Not a new type hierarchy — most consumer APIs already operate on MemberIdentityUser, not IMember.
  • IExternalMemberService — full CRUD with the Attempt pattern, role management, and a ConvertToContentMemberAsync method for promoting external members to content members at a service level (i.e. via custom code).
  • IMemberFilterService — unified member filtering across both stores via a UNION query at the database level, with shared ordering and pagination.
    • This allows the backoffice to display a paged collection of "content" and "external" members, if that's what a setup requires.
  • Cross-store uniqueness — usernames and emails are unique across both stores, enforced in both ExternalMemberService and MemberEditingService.

Notifications, audit, and cache refreshers

  • Notification classes: ExternalMemberSaving/Saved/Deleting/Deleted (cancelable where appropriate) and role notifications. Parallel to content member notifications with ExternalMemberIdentity payloads.
  • Audit trail: AuditNotificationsHandler extended to write audit entries for external member operations using the same umbraco/member/* event types.
  • Distributed cache refresher pipeline: ExternalMemberCacheRefresher with JSON payloads stored in the database instruction table, ensuring Examine indexes sync across all servers in a load-balanced environment.

Identity integration

  • MemberUserStore bifurcation — CRUD and find operations route based on IsExternalOnly. External members use their Guid key as the string Id for ASP.NET Identity resolution.
  • MemberSignInManager — sets IsExternalOnly = true during auto-link when ExternalOnly option is enabled. Syncs identity fields (name, email) from provider claims on each subsequent login.
  • Password reset guard: MemberManager overrides GeneratePasswordResetTokenAsync and ResetPasswordAsync to reject external members.
  • AsPublishedMember() support — returns a PublishedExternalMember (lightweight IPublishedMember implementation) instead of null. Profile data JSON keys are exposed as IPublishedProperty instances so @Model.Member.Value("department") works identically for both member types.

Persistence

  • umbracoExternalMember and umbracoExternalMember2MemberGroup tables with NPoco repository and migration.

Examine search indexing

  • ExternalMemberValueSetBuilder — indexes identity fields plus all top-level keys from profileData JSON into the shared member index.
  • ExternalMemberIndexPopulator — pages through all external members on index rebuild.
  • MemberValueSetValidator updated — removed the field allowlist so profile data fields pass through to Lucene.

Management API

  • Read: ByKeyMemberController falls back to external store. FilterMemberFilterController uses unified IMemberFilterService. ItemMemberItemController resolves external member GUIDs for member picker.
  • Write: UpdateMemberController and ValidateUpdateMemberController reject external members with 400. DeleteMemberController routes through MemberEditingService.
  • MemberPresentationFactory — new methods for external member response models with Kind = ExternalOnly.

Delivery API

  • Token revocation extended for external member lock/delete/role changes.

Member picker

  • MemberPickerValueConverter — falls back to IExternalMemberService, returns PublishedExternalMember with profile data as IPublishedProperty instances.
  • Picker modal, ref element, collection table: icon-user fallback for external members (given we don't have member types).

Backoffice UI

  • Read-only workspace for external members: identity fields visible, content properties/password/2FA hidden, Save button disabled, "External member" banner.
  • Member collection table shows kind column and default icon.

Configuration

Opt-in via a single property on the existing auto-link options — set ExternalOnly = true on MemberExternalSignInAutoLinkOptions.

Testing

Automated

Various integration and unit tests verifying the functionality in this PR are provided.

Manual

See sample code provided below to help with manual setup.

Basic login flow:

  1. Configure an OpenID Connect provider with ExternalOnly = true.
  2. Add a login button that posts to /umbraco/surface/UmbExternalLogin/ExternalLogin with the provider scheme.
  3. Complete the login flow. Verify the member appears in the backoffice member list with "External" kind.
  4. Log out and back in. Verify name/email changes in the provider are reflected.

Backoffice:

  1. Members section: external members appear with "External" kind badge and default user icon.
  2. Click an external member: read-only identity fields, "External member" banner, no content properties, disabled Save.
  3. Delete an external member: removed cleanly.

Member picker:

  1. Add a Member Picker property to a content type.
  2. Open the picker: both content and external members appear.
  3. Select an external member and save. In a template, access the picked member — profile data accessible via .Value("fieldName").

Examine indexing:

  1. After login, check the Examine dashboard Members index.
  2. Search for external member by name/email. Profile data fields should appear as indexed fields.
  3. Rebuild the member index: external members re-indexed with all fields.

Cross-store uniqueness:

  1. Create a content member with email test@example.com.
  2. Sign in with an external provider using the same email. Should link or reject depending on config.

Other checks

  1. Database: Check SELECT * FROM umbracoExternalMember — one row with identity fields and profileData JSON.
  2. Name sync: Change the user's name in Auth0, log in again — the name updates in Umbraco.
  3. Role sync: Add/remove a role in Auth0, log in again — the Umbraco member group membership updates.

Known limitations

  • Relation tracking: External members can be picked in member picker properties but will not appear in "Referenced by" tracking (the relation system requires umbracoNode entries).
  • Public access allowTypes: External members have no member type, so type-based access rules will not match. Use group-based access instead.
  • No Management API create endpoint: External members are created only through the auto-link sign-in flow or IExternalMemberService.

Sample code - Testing External-Only Members with Auth0

This guide walks through setting up an Auth0 integration to test the external-only members feature. It covers Auth0 configuration, the Umbraco code needed, and a template to verify everything works.

1. Auth0 Setup

Create an Auth0 Application

  1. Sign up at https://auth0.com and create a new tenant.
  2. Go to Applications > Applications > Create Application.
  3. Choose Regular Web Application and give it a name (e.g. "Umbraco Members").
  4. In the application settings, configure:
    • Allowed Callback URLs: https://localhost:44339/umbraco-member-provider-signin
    • Allowed Logout URLs: https://localhost:44339
    • Allowed Web Origins: https://localhost:44339
  5. Note the Domain, Client ID, and Client Secret from the application settings.

Create a User

  1. Create a user under User Management > Users
  2. Add the user to one or more roles.
  3. Add some meta-data, e.g.

```json
{
  "favouriteColor": "Pink",
  "homeCity": "Bassano del Grappa"
}
```

Add Custom Claims

To test profile data and role sync, add a Post Login Action in Auth0:

  1. Go to Actions > Flows > Login.
  2. Click + to add a custom action.
  3. Use this code:

```javascript
exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://umbraco.com';
  const roles = event.authorization?.roles || [];
  if (roles.length > 0) {
    api.idToken.setCustomClaim(`${namespace}/roles`, roles);
  }

  const userMeta = event.user.user_metadata || {};
  if (Object.keys(userMeta).length > 0) {
    api.idToken.setCustomClaim(`${namespace}/user_metadata`, userMeta);
  }
};
```

  4. Deploy the action and drag it into the Login flow.

2. Umbraco Code

You need four files. Place them in a folder such as Custom/ExternalMemberLoginProvider/ in your web project.

Auth0MemberProfile.cs

A simple POCO to represent the profile data stored in the `profileData` JSON column.

```csharp
namespace YourProject.ExternalMemberLoginProvider;

public class Auth0MemberProfile
{
    public string? FavouriteColor { get; set; }
    public string? HomeCity { get; set; }
}
```

MemberProviderComposer.cs

Registers the Auth0 scheme as a member external login provider.

```csharp
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Extensions;

namespace YourProject.ExternalMemberLoginProvider;

public class MemberProviderComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        // Register both options classes before wiring up the scheme.
        builder.Services.ConfigureOptions<MemberAuth0ProviderOptions>();
        builder.Services.ConfigureOptions<MemberAuth0LoginOptions>();
        builder.AddMemberExternalLogins(logins =>
        {
            logins.AddMemberLogin(memberAuthBuilder =>
            {
                memberAuthBuilder.AddOpenIdConnect(
                    memberAuthBuilder.SchemeForMembers(MemberAuth0ProviderOptions.SchemeName),
                    MemberAuth0ProviderOptions.SchemeName,
                    _ => { });
            });
        });
    }
}
```

MemberAuth0LoginOptions.cs

Configures the OpenID Connect protocol options for Auth0. Replace the Authority, ClientId, and ClientSecret with your Auth0 application values.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Umbraco.Cms.Core;

namespace YourProject.ExternalMemberLoginProvider;

public class MemberAuth0LoginOptions : IConfigureNamedOptions<OpenIdConnectOptions>
{
    public void Configure(string? name, OpenIdConnectOptions options)
    {
        // Only configure the member scheme for this provider.
        if (name == Constants.Security.MemberExternalAuthenticationTypePrefix
            + MemberAuth0ProviderOptions.SchemeName)
        {
            Configure(options);
        }
    }

    public void Configure(OpenIdConnectOptions options)
    {
        // Placeholder values: replace with your Auth0 application settings,
        // read from configuration or a secret store rather than hard-coded.
        options.Authority = "https://YOUR_DOMAIN.us.auth0.com";
        options.CallbackPath = "/umbraco-member-provider-signin";
        options.ClientId = "YOUR_CLIENT_ID";
        options.ClientSecret = "YOUR_CLIENT_SECRET";
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.TokenValidationParameters.NameClaimType = "name";
        options.Scope.Add("email");
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.SaveTokens = true;

        // Required: MapAll() removes the default claim filter so that
        // custom namespaced claims from Auth0 Post Login Actions are
        // mapped to the ClaimsPrincipal.
        options.ClaimActions.MapAll();
    }
}
```

MemberAuth0ProviderOptions.cs

Configures the auto-link behaviour.

ExternalOnly = true is the key setting — it creates lightweight members instead of content members. The callbacks show how to populate profile data from provider claims and map provider roles to Umbraco member groups.

```csharp
using System.Text.Json;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using Umbraco.Cms.Core.Security;
using Umbraco.Cms.Core.Services;
using Umbraco.Cms.Web.Common.Security;

namespace YourProject.ExternalMemberLoginProvider;

public class MemberAuth0ProviderOptions : IConfigureNamedOptions<MemberExternalLoginProviderOptions>
{
    public const string SchemeName = "Auth0";

    // Claim type set by the Auth0 Post Login Action (namespace + "/user_metadata").
    private const string Auth0UserMetadataClaimType = "https://umbraco.com/user_metadata";

    private readonly IServiceProvider _serviceProvider;

    public MemberAuth0ProviderOptions(IServiceProvider serviceProvider)
        => _serviceProvider = serviceProvider;

    public void Configure(string? name, MemberExternalLoginProviderOptions options)
    {
        if (name != Umbraco.Cms.Core.Constants.Security.MemberExternalAuthenticationTypePrefix + SchemeName)
            return;
        Configure(options);
    }

    public void Configure(MemberExternalLoginProviderOptions options)
    {
        options.AutoLinkOptions = new MemberExternalSignInAutoLinkOptions(
            autoLinkExternalAccount: true,
            defaultIsApproved: true,
            defaultMemberTypeAlias: Umbraco.Cms.Core.Constants.Conventions.MemberTypes.DefaultAlias,
            defaultMemberGroups: new[] { "ExternalMembers" })
        {
            // Creates lightweight external members instead of full content members.
            ExternalOnly = true,

            // Called once on first login (member creation).
            // Use this to store profile data and assign initial groups from provider roles.
            OnAutoLinking = (user, loginInfo) =>
            {
                user.ProfileData = BuildProfileDataJson(loginInfo);

                // Map provider roles to Umbraco member groups on first login.
                foreach (var role in GetRoles(loginInfo))
                {
                    user.AddRole(role);
                }
            },

            // Called on every subsequent login. Return false to deny access.
            // Use this to keep profile data and groups in sync with the provider.
            OnExternalLogin = (user, loginInfo) =>
            {
                user.ProfileData = BuildProfileDataJson(loginInfo);
                SyncRoles(user, loginInfo);
                return true;
            },
        };
    }

    /// <summary>
    ///     Builds a JSON string from provider claims to store in ProfileData.
    /// </summary>
    private static string? BuildProfileDataJson(Microsoft.AspNetCore.Identity.ExternalLoginInfo loginInfo)
    {
        Auth0MemberProfile? profile = BuildProfileData(loginInfo);

        // Camel-case keys match the Value("favouriteColor") lookups in the template.
        return profile is null
            ? null
            : JsonSerializer.Serialize(
                profile,
                new JsonSerializerOptions { PropertyNamingPolicy = JsonNamingPolicy.CamelCase });
    }

    /// <summary>
    ///     Reads the Auth0 user_metadata claim into an Auth0MemberProfile.
    ///     Adjust the claim types and property names to match your provider.
    /// </summary>
    private static Auth0MemberProfile? BuildProfileData(Microsoft.AspNetCore.Identity.ExternalLoginInfo loginInfo)
    {
        // The Auth0 user_metadata claim is itself a JSON document whose shape mirrors Auth0MemberProfile.
        var metadataClaim = loginInfo.Principal?.FindFirst(Auth0UserMetadataClaimType)?.Value;
        if (string.IsNullOrEmpty(metadataClaim))
        {
            return null;
        }

        try
        {
            return JsonSerializer.Deserialize<Auth0MemberProfile>(
                metadataClaim,
                new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
        }
        catch (JsonException)
        {
            return null;
        }
    }

    /// <summary>
    ///     Extracts role names from provider claims.
    ///     Auth0 sends roles as a JSON array in a custom claim.
    /// </summary>
    private static string[] GetRoles(
        Microsoft.AspNetCore.Identity.ExternalLoginInfo loginInfo)
    {
        var roleClaim = loginInfo.Principal?.FindFirst("https://umbraco.com/roles")?.Value;
        if (string.IsNullOrEmpty(roleClaim))
            return [];

        try
        {
            return JsonSerializer.Deserialize<string[]>(roleClaim) ?? [];
        }
        catch (JsonException)
        {
            return [roleClaim]; // Single role value, not a JSON array.
        }
    }

    /// <summary>
    ///     Syncs provider roles to Umbraco member groups on subsequent logins.
    ///     Adds groups the provider has that Umbraco doesn't, and removes stale ones.
    /// </summary>
    private void SyncRoles(
        MemberIdentityUser user,
        Microsoft.AspNetCore.Identity.ExternalLoginInfo loginInfo)
    {
        var externalMemberService = _serviceProvider.GetRequiredService<IExternalMemberService>();

        var desiredGroups = GetRoles(loginInfo).ToHashSet(StringComparer.OrdinalIgnoreCase);
        var currentGroups = externalMemberService.GetRolesAsync(user.Key)
            .GetAwaiter().GetResult()
            .ToHashSet(StringComparer.OrdinalIgnoreCase);

        var toAdd = desiredGroups.Except(currentGroups, StringComparer.OrdinalIgnoreCase).ToArray();
        if (toAdd.Length > 0)
        {
            externalMemberService.AssignRolesAsync(user.Key, toAdd).GetAwaiter().GetResult();
        }

        // Remove groups no longer in the provider, but keep the default group.
        var toRemove = currentGroups.Except(desiredGroups, StringComparer.OrdinalIgnoreCase)
            .Where(g => !g.Equals("ExternalMembers", StringComparison.OrdinalIgnoreCase))
            .ToArray();
        if (toRemove.Length > 0)
        {
            externalMemberService.RemoveRolesAsync(user.Key, toRemove).GetAwaiter().GetResult();
        }
    }
}
```

3. Template Code

Add the following to a Razor view to test the full feature set.

Includes testing for login/logout, identity fields, profile data (via both GetProfileData<T> and AsPublishedMember().Value()), role listing, external login listing, and member picker resolution.

Note: The provider value in the hidden input must be "UmbracoMembers.Auth0" — this is the scheme name prefixed with Constants.Security.MemberExternalAuthenticationTypePrefix (value: "UmbracoMembers.").

```cshtml
@using Umbraco.Cms.Core.Security
@using Umbraco.Cms.Web.Website.Controllers
@inject IMemberManager MemberManager

<h3>External Member Login (Auth0)</h3>

@if (MemberManager.IsLoggedIn())
{
    var currentMember = await MemberManager.GetCurrentMemberAsync();
    if (currentMember is not null)
    {
        <h4>Logged in as member</h4>
        <table>
            <tr><td><strong>Name:</strong></td><td>@currentMember.Name</td></tr>
            <tr><td><strong>Email:</strong></td><td>@currentMember.Email</td></tr>
            <tr><td><strong>Username:</strong></td><td>@currentMember.UserName</td></tr>
            <tr><td><strong>Key:</strong></td><td>@currentMember.Key</td></tr>
            <tr><td><strong>IsExternalOnly:</strong></td><td>@currentMember.IsExternalOnly</td></tr>
            <tr><td><strong>IsApproved:</strong></td><td>@currentMember.IsApproved</td></tr>
            <tr><td><strong>IsLockedOut:</strong></td><td>@currentMember.IsLockedOut</td></tr>
            <tr><td><strong>LastLoginDate:</strong></td><td>@currentMember.LastLoginDate</td></tr>
            <tr><td><strong>SecurityStamp:</strong></td><td><code>@currentMember.SecurityStamp</code></td></tr>
        </table>

        @* Profile data via strongly-typed GetProfileData<T> *@
        @{
            var profile = currentMember.GetProfileData<YourProject
                .ExternalMemberLoginProvider.Auth0MemberProfile>(
                new System.Text.Json.JsonSerializerOptions
                    { PropertyNameCaseInsensitive = true });
            if (profile is not null)
            {
                <p><strong>Favourite Color:</strong> @(profile.FavouriteColor ?? "(not set)")</p>
                <p><strong>Home City:</strong> @(profile.HomeCity ?? "(not set)")</p>
            }
            else
            {
                <p><strong>ProfileData:</strong> <em>(none)</em></p>
            }
        }

        <hr />
        <h4>AsPublishedMember</h4>
        @* Profile data is also accessible via AsPublishedMember().Value() — same
           API as content members, so templates work for both member types. *@
        @{
            IPublishedContent? publishedMember = MemberManager.AsPublishedMember(currentMember);
            if (publishedMember is not null)
            {
                <p>Published member: @publishedMember.Name
                    (ContentType: @publishedMember.ContentType.Alias)</p>
                <p>Favourite Color via Value(): @publishedMember.Value("favouriteColor")</p>
                <p>Home City via Value(): @publishedMember.Value("homeCity")</p>
            }
            else
            {
                <p><em>null: no published content representation found.</em></p>
            }
        }

        <hr />
        <h4>Roles</h4>
        @{
            var roles = await MemberManager.GetRolesAsync(currentMember);
            if (roles.Any())
            {
                <ul>
                    @foreach (var role in roles)
                    {
                        <li>@role</li>
                    }
                </ul>
            }
            else
            {
                <p><em>No roles assigned.</em></p>
            }
        }

        <hr />
        <h4>External Logins</h4>
        @{
            var logins = await MemberManager.GetLoginsAsync(currentMember);
            if (logins.Any())
            {
                <ul>
                    @foreach (var login in logins)
                    {
                        <li>@login.LoginProvider: @login.ProviderKey</li>
                    }
                </ul>
            }
            else
            {
                <p><em>No external logins linked.</em></p>
            }
        }

        <hr />
        @using (Html.BeginUmbracoForm<UmbLoginStatusController>(
            nameof(UmbLoginStatusController.HandleLogout)))
        {
            <button type="submit">Logout</button>
        }
    }
}
else
{
    <h4>No member logged in</h4>
    <p>Sign in with Auth0 to create/link an external-only member:</p>
    @using (Html.BeginUmbracoForm<UmbExternalLoginController>(
        nameof(UmbExternalLoginController.ExternalLogin)))
    {
        <input type="hidden" name="provider" value="UmbracoMembers.Auth0" />
        <input type="hidden" name="returnUrl" value="@Context.Request.Path" />
        <button type="submit">Sign in with Auth0</button>
    }
}

@* Member picker test — if your content type has a Member Picker property called "member" *@
@if (Model.HasValue("member"))
{
    <hr />
    <h4>Picked Member (via Member Picker)</h4>
    @{
        var pickedMember = Model.Value<IPublishedContent>("member");
        if (pickedMember is not null)
        {
            <p>Name: @pickedMember.Name (Type: @pickedMember.GetType().Name)</p>
            <p>Favourite Color: @pickedMember.Value("favouriteColor")</p>
            <p>Home City: @pickedMember.Value("homeCity")</p>
        }
    }
}
```
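
Added example (not from the PR or Umbraco's code base): a stricter take on the sample's role and profile-data steps, given that the description says Umbraco does not validate the profileData JSON and the sample maps provider roles straight to member groups. Here roles become groups only through an allowlist map, and only expected string keys reach profileData. The class name, map entries, key allowlist and size limits are assumptions; the two claim types come from the Auth0 action above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;

// Added example, not part of the PR. Plain .NET: no Umbraco types are used.
public static class ExternalClaimGuard
{
    // Claim types as set by the Auth0 Post Login Action on this page.
    public const string RolesClaimType = "https://umbraco.com/roles";
    public const string MetadataClaimType = "https://umbraco.com/user_metadata";

    // Hypothetical mapping from provider role to Umbraco member group.
    // A role that is not listed here never becomes a group.
    private static readonly Dictionary<string, string> RoleToGroup =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["premium"] = "PremiumMembers",
            ["newsletter"] = "NewsletterSubscribers",
        };

    // Hypothetical limits on what may be written to profileData.
    private static readonly HashSet<string> AllowedProfileKeys =
        new(StringComparer.OrdinalIgnoreCase) { "favouriteColor", "homeCity" };
    private const int MaxClaimLength = 4096;
    private const int MaxValueLength = 128;

    // FindAll rather than FindFirst: a multi-valued claim can arrive either as
    // one claim per value or as a single claim holding a JSON array.
    public static HashSet<string> ResolveGroups(ClaimsPrincipal principal) =>
        principal.FindAll(RolesClaimType)
            .SelectMany(claim => ExpandRoleClaim(claim.Value))
            .Where(RoleToGroup.ContainsKey)
            .Select(role => RoleToGroup[role])
            .ToHashSet(StringComparer.OrdinalIgnoreCase);

    private static IEnumerable<string> ExpandRoleClaim(string value)
    {
        if (value.Length > MaxClaimLength) return [];
        if (!value.TrimStart().StartsWith('[')) return [value.Trim()];
        try
        {
            return (JsonSerializer.Deserialize<string?[]>(value) ?? []).OfType<string>();
        }
        catch (JsonException)
        {
            return []; // Malformed array: grant nothing rather than guess.
        }
    }

    public static string? BuildProfileJson(ClaimsPrincipal principal)
    {
        string? raw = principal.FindFirst(MetadataClaimType)?.Value;
        if (string.IsNullOrEmpty(raw) || raw.Length > MaxClaimLength) return null;

        var kept = new SortedDictionary<string, string>(StringComparer.Ordinal);
        try
        {
            using JsonDocument doc = JsonDocument.Parse(raw);
            if (doc.RootElement.ValueKind != JsonValueKind.Object) return null;
            foreach (JsonProperty p in doc.RootElement.EnumerateObject())
            {
                // Keep only expected keys that hold short strings; every key kept
                // here ends up as a template property and an indexed field.
                if (AllowedProfileKeys.TryGetValue(p.Name, out string? key)
                    && p.Value.ValueKind == JsonValueKind.String
                    && p.Value.GetString() is { Length: <= MaxValueLength } text)
                {
                    kept[key] = text;
                }
            }
        }
        catch (JsonException)
        {
            return null;
        }
        return kept.Count == 0 ? null : JsonSerializer.Serialize(kept);
    }

    public static void Main()
    {
        // Constructed sample claims, standing in for loginInfo.Principal.
        var principal = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(RolesClaimType, "premium"),
            new Claim(RolesClaimType, "[\"newsletter\",\"Administrators\"]"),
            new Claim(MetadataClaimType,
                "{\"favouriteColor\":\"Pink\",\"homeCity\":\"Bassano del Grappa\",\"isStaff\":true}"),
        }, "constructed"));

        Console.WriteLine(string.Join(", ", ResolveGroups(principal).OrderBy(g => g)));
        Console.WriteLine(BuildProfileJson(principal) ?? "(no profile data)");
    }
}
```

In the sample, these helpers would be called on loginInfo.Principal from the OnAutoLinking and OnExternalLogin callbacks, in place of passing the raw claim values through.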

Copilot AI review requested due to automatic review settings March 17, 2026 17:11

Copilot AI left a comment


Pull request overview

Adds support for external-only members (externally authenticated, identity-only records) across Umbraco’s persistence, services, indexing, Management API, and Backoffice UI—introducing a lightweight external member store while keeping existing content-backed members unchanged.

Changes:

  • Introduces new external member persistence model (umbracoExternalMember + group mapping table), repositories/services, and migrations.
  • Extends member querying/filtering, member picker resolution, Examine indexing, distributed cache refresh, and audit/token revocation flows to include external-only members.
  • Updates backoffice member UI/workspace behavior and localization to present external-only members as read-only with appropriate UX.

Reviewed changes

Copilot reviewed 89 out of 89 changed files in this pull request and generated 3 comments.

File Description
tests/Umbraco.Tests.UnitTests/Umbraco.Web.Website/Models/ProfileModelBuilderTests.cs Unit tests for profile model building for content vs external-only members.
tests/Umbraco.Tests.UnitTests/Umbraco.Infrastructure/Security/MemberManagerTests.cs Unit tests for password reset restrictions on external-only members.
tests/Umbraco.Tests.UnitTests/Umbraco.Infrastructure/Security/MemberIdentityUserTests.cs Unit tests for ProfileData JSON deserialization helper.
tests/Umbraco.Tests.UnitTests/Umbraco.Core/Handlers/AuditNotificationsHandlerMemberTests.cs Unit tests for audit entries for content + external member events.
tests/Umbraco.Tests.Integration/Umbraco.Infrastructure/Services/MemberFilterServiceTests.cs Integration tests for unified filtering across both member stores.
tests/Umbraco.Tests.Integration/Umbraco.Infrastructure/Services/MemberEditingServiceTests.cs Integration tests for external member detection/retrieval/deletion routing.
tests/Umbraco.Tests.Integration/Umbraco.Infrastructure/Services/ExternalMemberServiceTests.cs Integration tests for external member CRUD, roles, uniqueness, and conversion.
tests/Umbraco.Tests.Common/Builders/ExternalMemberIdentityBuilder.cs Test builder for ExternalMemberIdentity.
src/Umbraco.Web.Website/Models/ProfileModelBuilder.cs Skips content-property lookup for external-only members.
src/Umbraco.Web.UI.Client/src/packages/members/member/workspace/member/views/member/member-workspace-view-member.element.ts Read-only UX, banner, and field behavior for external-only members.
src/Umbraco.Web.UI.Client/src/packages/members/member/workspace/member/views/member/member-workspace-view-member-info.element.ts Hides content-only info (member type/last edited) and shows External kind label.
src/Umbraco.Web.UI.Client/src/packages/members/member/workspace/member/member-workspace.context.ts Avoids content type loading and blocks submit for external-only members.
src/Umbraco.Web.UI.Client/src/packages/members/member/workspace/member/member-workspace-split-view.element.ts Hides workspace footer for external-only members.
src/Umbraco.Web.UI.Client/src/packages/members/member/workspace/member/member-workspace-editor.element.ts Handles routing/variants behavior for external-only members.
src/Umbraco.Web.UI.Client/src/packages/members/member/utils/index.ts Adds ExternalOnly to member kind client-side type.
src/Umbraco.Web.UI.Client/src/packages/members/member/item/member-item-ref.element.ts Falls back to icon-user when member type icon is missing.
src/Umbraco.Web.UI.Client/src/packages/members/member/components/member-picker-modal/member-picker-modal.element.ts Falls back to icon-user when member type icon is missing.
src/Umbraco.Web.UI.Client/src/packages/members/member/collection/views/table/member-table-collection-view.element.ts Shows “kind” for external-only and falls back icon for missing member type icon.
src/Umbraco.Web.UI.Client/src/packages/core/backend-api/types.gen.ts Regenerated backend API types (includes MemberKind enum update + other schema types).
src/Umbraco.Web.UI.Client/src/assets/lang/en.ts Adds localization strings for external-only member UX.
src/Umbraco.Web.Common/Security/MemberSignInManager.cs Sets IsExternalOnly during auto-link and syncs identity fields from claims on login.
src/Umbraco.Web.Common/Security/MemberManager.cs Blocks password reset token generation and password reset for external-only members.
src/Umbraco.Web.Common/Security/MemberExternalSignInAutoLinkOptions.cs Adds ExternalOnly option flag for auto-link configuration.
src/Umbraco.Web.Common/DependencyInjection/UmbracoBuilder.MembersIdentity.cs Extends MemberUserStore DI construction to include IExternalMemberService.
src/Umbraco.Infrastructure/Services/MemberEditingService.cs Cross-store uniqueness validation; delete routing and external-member helper methods.
src/Umbraco.Infrastructure/Services/Implement/MemberFilterService.cs New service wrapper around repository-based unified filtering.
src/Umbraco.Infrastructure/Services/Implement/ExternalMemberService.cs New external member CRUD/roles/conversion service and notifications.
src/Umbraco.Infrastructure/Security/MemberIdentityUser.cs Adds IsExternalOnly, ProfileData, and GetProfileData<T>().
src/Umbraco.Infrastructure/Security/IdentityMapDefinition.cs Excludes external-only routing fields from map-all member mapping.
src/Umbraco.Infrastructure/Search/ExternalMemberIndexingNotificationHandler.cs Index updates driven by external member cache refresher notifications.
src/Umbraco.Infrastructure/Persistence/Repositories/Implement/MemberFilterRepository.cs New UNION-based repository to filter/paginate across both stores.
src/Umbraco.Infrastructure/Persistence/Repositories/Implement/ExternalMemberRepository.cs New repository for external member persistence and role mappings.
src/Umbraco.Infrastructure/Persistence/Repositories/Implement/ExternalLoginRepository.cs Ensures external login tokens are deleted before deleting logins.
src/Umbraco.Infrastructure/Persistence/Dtos/ExternalMemberDto.cs NPoco DTO defining the external member table schema.
src/Umbraco.Infrastructure/Persistence/Dtos/ExternalMember2MemberGroupDto.cs NPoco DTO for external member ↔ group mapping.
src/Umbraco.Infrastructure/Migrations/Upgrade/V_17_4_0/AddExternalMemberTables.cs Upgrade migration creating the new external member tables.
src/Umbraco.Infrastructure/Migrations/Upgrade/UmbracoPlan.cs Wires the new migration into the upgrade plan.
src/Umbraco.Infrastructure/Migrations/Install/DatabaseSchemaCreator.cs Adds new tables to fresh-install schema creation.
src/Umbraco.Infrastructure/Examine/MemberValueSetValidator.cs Adjusts member value set validation to allow profile data fields.
src/Umbraco.Infrastructure/Examine/ExternalMemberValueSetBuilder.cs Builds Examine value sets from external identity + top-level profileData keys.
src/Umbraco.Infrastructure/Examine/ExternalMemberIndexPopulator.cs Populates member indexes with external members on rebuild.
src/Umbraco.Infrastructure/DependencyInjection/UmbracoBuilder.Services.cs Registers new external member services and filter service.
src/Umbraco.Infrastructure/DependencyInjection/UmbracoBuilder.Repositories.cs Registers new external member and filter repositories.
src/Umbraco.Infrastructure/DependencyInjection/UmbracoBuilder.Examine.cs Registers populator, value set builder, and notification handler for external members.
src/Umbraco.Infrastructure/DependencyInjection/UmbracoBuilder.CoreServices.cs Hooks external member notifications into distributed cache and audit handlers.
src/Umbraco.Core/Services/OperationStatus/ExternalMemberOperationStatus.cs New operation status enum for external member operations.
src/Umbraco.Core/Services/IMemberFilterService.cs New public service interface for unified member filtering.
src/Umbraco.Core/Services/IMemberEditingService.cs Adds default interface methods for external member lookup helpers.
src/Umbraco.Core/Services/IExternalMemberService.cs New public service interface for external-only members.
src/Umbraco.Core/Security/PublishedExternalMember.cs Lightweight IPublishedMember for external-only members w/ profileData properties.
src/Umbraco.Core/Security/ExternalMemberIdentity.cs New lightweight identity model for external-only members.
src/Umbraco.Core/PropertyEditors/ValueConverters/MemberPickerValueConverter.cs Member picker resolves external members by GUID key, returning PublishedExternalMember.
src/Umbraco.Core/Persistence/Repositories/IMemberFilterRepository.cs New repository abstraction for combined filtering queries.
src/Umbraco.Core/Persistence/Repositories/IExternalMemberRepository.cs New repository abstraction for external-only member persistence.
src/Umbraco.Core/Persistence/Constants-DatabaseSchema.cs Adds table name constants for external member tables.
src/Umbraco.Core/Notifications/AssignedExternalMemberRolesNotification.cs Notification for external member role assignment.
src/Umbraco.Core/Notifications/RemovedExternalMemberRolesNotification.cs Notification for external member role removal.
src/Umbraco.Core/Notifications/ExternalMemberRolesNotification.cs Base notification type for external member role change events.
src/Umbraco.Core/Notifications/ExternalMemberSavingNotification.cs Cancelable notification before save.
src/Umbraco.Core/Notifications/ExternalMemberSavedNotification.cs Notification after save.
src/Umbraco.Core/Notifications/ExternalMemberDeletingNotification.cs Cancelable notification before delete.
src/Umbraco.Core/Notifications/ExternalMemberDeletedNotification.cs Notification after delete.
src/Umbraco.Core/Notifications/ExternalMemberCacheRefresherNotification.cs Cache refresher notification type for external members.
src/Umbraco.Core/Models/Membership/MemberKind.cs Adds ExternalOnly kind to core enum.
src/Umbraco.Core/Models/Membership/MemberFilterItem.cs New model representing unified filter results (content + external).
src/Umbraco.Core/Handlers/AuditNotificationsHandler.cs Writes audit entries for external member save/delete/roles using existing event types.
src/Umbraco.Core/Cache/Refreshers/Implement/ExternalMemberCacheRefresher.cs New payload cache refresher for external members (index sync across servers).
src/Umbraco.Core/Cache/NotificationHandlers/Implement/ExternalMemberSavedDistributedCacheNotificationHandler.cs Triggers distributed cache refresh payload for saved external members.
src/Umbraco.Core/Cache/NotificationHandlers/Implement/ExternalMemberDeletedDistributedCacheNotificationHandler.cs Triggers distributed cache removal payload for deleted external members.
src/Umbraco.Core/Cache/DistributedCacheExtensions.cs Adds RefreshExternalMemberCache / RemoveExternalMemberCache extensions.
src/Umbraco.Cms.Api.Management/Factories/MemberPresentationFactory.cs Adds external/filter item response model creation for Management API.
src/Umbraco.Cms.Api.Management/Factories/IMemberPresentationFactory.cs Adds default interface methods for external/filter response models.
src/Umbraco.Cms.Api.Management/Controllers/Member/ValidateUpdateMemberController.cs Rejects update validation for external-only members.
src/Umbraco.Cms.Api.Management/Controllers/Member/UpdateMemberController.cs Rejects update for external-only members.
src/Umbraco.Cms.Api.Management/Controllers/Member/References/ReferencedByMemberController.cs Falls back to key-based references lookup for external-only members.
src/Umbraco.Cms.Api.Management/Controllers/Member/MemberControllerBase.cs Adds shared 400 response helper for “external member cannot be modified”.
src/Umbraco.Cms.Api.Management/Controllers/Member/Item/ItemMemberItemController.cs Member picker “items by id” resolves external members for unresolved GUIDs.
src/Umbraco.Cms.Api.Management/Controllers/Member/Filter/FilterMemberFilterController.cs Uses unified filter service and maps results to response models.
src/Umbraco.Cms.Api.Management/Controllers/Member/DeleteMemberController.cs Minor constructor formatting; delete routes through updated editing service.
src/Umbraco.Cms.Api.Management/Controllers/Member/ByKeyMemberController.cs Falls back to external store when content member not found.
src/Umbraco.Cms.Api.Delivery/Handlers/RevokeMemberAuthenticationTokensNotificationHandler.cs Extends token revocation to external member save/delete/role changes.
src/Umbraco.Cms.Api.Delivery/DependencyInjection/UmbracoBuilderExtensions.cs Wires external member revocation handlers into Delivery API DI.
research-memory-leaks.md Adds internal research documentation (non-product).
research-load-balanced-distributed-jobs.md Adds internal research documentation (non-product).

alexsee pushed a commit to alexsee/umbraco-container that referenced this pull request May 21, 2026
Updated [Umbraco.Cms](https://github.com/umbraco/Umbraco-CMS) from
17.3.4 to 17.4.0.

<details>
<summary>Release notes</summary>

_Sourced from [Umbraco.Cms's
releases](https://github.com/umbraco/Umbraco-CMS/releases)._

## 17.4.0

## Upgrade Notes

Be aware of a change to behaviour for detecting the Umbraco application
URL. Previously, `ApplicationMainUrl` was automatically set from the
Host header of incoming HTTP requests. In environments where Umbraco is
not behind a reverse proxy that validates the Host header, this could
allow a forged Host header to overwrite the URL used in password reset
links, user invitations, and other email notifications. While this is
normally mitigated by proper hosting configuration and setting
`UmbracoApplicationUrl` explicitly, we felt that the auto-detection
behaviour should be hardened up and become an opt-in rather than the
default. You can read more about this under "Breaking Changes" below,
the [linked PR](umbraco/Umbraco-CMS#22307) and
the
[documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection).

There are a few updates related to performance in this release that are
worth investigating for larger sites. Using output cache in your
projects, with intelligent and customisable detection of page
invalidation, is now a [configuration option for templated
websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching),
with extension points also [applied for the Delivery
API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching).
We have optimised content cache rebuild after schema updates, with an
option for [deferred rebuild in the
background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode).
If considering a project with significant expected concurrency for
member login and registration, and you prefer to use an external service
for member management, the new option for [lightweight external
members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members)
will be worth reviewing.

If working with AI tools such as Umbraco MCP, additions to management
API endpoints that expose JSON schema for data types and allow for patch
updates of specific properties, should improve accuracy and reliability.

As usual please find the full list of PRs that have contributed to
Umbraco 17.4 as follows.

## What's Changed Since 17.4.0-rc3

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.4.0-rc3...release-17.4.0

## What's Changed Since 17.4.0-rc2

### 📦 Dependencies

* Bump @​umbraco-ui/uui to 1.17.3 by @​iOvergaard in
umbraco/Umbraco-CMS#22753

### 🔒 Security

* Backoffice: Add `localize.htmlString()` helper to prevent XSS in
HTML-rendered translations by @​iOvergaard in
umbraco/Umbraco-CMS#22731

### 🐛 Bug Fixes

* Auth: Un-deprecate getLatestToken and route per-request fetches
through it by @​iOvergaard in
umbraco/Umbraco-CMS#22736
* Color Picker: Refresh stored label when data type label changes
(closes #​22741) by @​AndyButland in
umbraco/Umbraco-CMS#22761
* Published Content: Fix Fallback.ToAncestors with no match throwing
exception at property level (closes #​22759) by @​AndyButland in
umbraco/Umbraco-CMS#22763

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3

## What's Changed Since 17.4.0-rc

### 🐛 Bug Fixes

* Block permissions: Correction of read-only inheritance and language
access (closes #​22472, #​21973) by @​nielslyngsoe in
umbraco/Umbraco-CMS#22522
* Redirect Tracker: Prevent creation of redirects from unrouteable URLs
(closes #​22652, #​22256) by @​AndyButland in
umbraco/Umbraco-CMS#22657
* [Blueprints: Fix intermittent blank workspace when creating documents
from blueprints (closes
#​21996)](umbraco/Umbraco-CMS#22422 (comment)) by
@​AndyButland in umbraco/Umbraco-CMS#22422

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2

## What's Changed Since the Previous Version (17.3.5)

### 🙌 Notable Changes
* Management API: Add JSON Schema support for data types and content
types by @​Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #​22005) by
@​madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @​Migaroez in
umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template
rendered pages by @​AndyButland in
umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only
deployments (closes #​22144) by @​AndyButland in
umbraco/Umbraco-CMS#22168
 ... (truncated)

## 17.4.0-rc3

## What's Changed Since the Previous Version (17.3.5)

### 🙌 Notable Changes
* Management API: Add JSON Schema support for data types and content
types by @​Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #​22005) by
@​madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @​Migaroez in
umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template
rendered pages by @​AndyButland in
umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only
deployments (closes #​22144) by @​AndyButland in
umbraco/Umbraco-CMS#22168
* Icons: extends icon data + improved search by @​nielslyngsoe in
umbraco/Umbraco-CMS#22436
* Members: Add lightweight external-only members (closes #​12741) by
@​AndyButland in umbraco/Umbraco-CMS#22162
* Cache: Add deferred content type rebuild mode with de-duplication by
@​AndyButland in umbraco/Umbraco-CMS#22194

 ... (truncated)

## 17.4.0-rc2

## What's Changed Since the Previous Version (17.3.5)

### 🙌 Notable Changes
* Management API: Add JSON Schema support for data types and content
types by @​Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #​22005) by
@​madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @​Migaroez in
umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template
rendered pages by @​AndyButland in
umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only
deployments (closes #​22144) by @​AndyButland in
umbraco/Umbraco-CMS#22168
* Icons: extends icon data + improved search by @​nielslyngsoe in
umbraco/Umbraco-CMS#22436
* Members: Add lightweight external-only members (closes #​12741) by
@​AndyButland in umbraco/Umbraco-CMS#22162
* Cache: Add deferred content type rebuild mode with de-duplication by
@​AndyButland in umbraco/Umbraco-CMS#22194

### 💥 Breaking Changes
* Application URL: Add `ApplicationUrlDetection` setting to control
application URL auto-detection by @​AndyButland in
umbraco/Umbraco-CMS#22307

### 📦 Dependencies
* Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by
@​dependabot[bot] in umbraco/Umbraco-CMS#22334
* Dependencies: Update minor and patch versions by @​AndyButland in
umbraco/Umbraco-CMS#22498
* Update npm dependencies for v17.4.0-rc by @​NguyenThuyLan in
umbraco/Umbraco-CMS#22464
* Bump the npm_and_yarn group across 3 directories with 4 updates by
@​dependabot[bot] in umbraco/Umbraco-CMS#22537
* Dependencies: Update Microsoft packages to latest patch and fix
HybridCache ParseFault with Redis by @​AndyButland in
umbraco/Umbraco-CMS#22278
* Dependencies: Pin `System.Security.Cryptography.Xml` to resolve
vulnerability warning by @​AndyButland in
umbraco/Umbraco-CMS#22514

### 🚤 Performance
* Performance: Batch backoffice media thumbnail URL requests to reduce
N+1 API calls by @​AndyButland in
umbraco/Umbraco-CMS#22329
* Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across
all repositories by @​AndyButland in
umbraco/Umbraco-CMS#22264
* Performance: Optimize `ContentTypeRepository` deep-clone on cache
reads (closes #​22250) by @​AndyButland in
umbraco/Umbraco-CMS#22263
* Performance: Use `GeneratedRegex` instead of generating at runtime in
string extensions by @​Henr1k80 in
umbraco/Umbraco-CMS#22534
* Performance: Avoid allocating a string if `_publishedContentCache` has
a cached version in `MediaCacheService` by @​Henr1k80 in
umbraco/Umbraco-CMS#22535
* Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix
naming & formatting of exceptions) by @​Henr1k80 in
umbraco/Umbraco-CMS#22506
 ... (truncated)

## 17.4.0-rc

## What's Changed
### 🙌 Notable Changes
* Management API: Add JSON Schema support for data types and content
types by @​Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #​22005) by
@​madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @​Migaroez in
umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template
rendered pages by @​AndyButland in
umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only
deployments (closes #​22144) by @​AndyButland in
umbraco/Umbraco-CMS#22168
* Icons: extends icon data + improved search by @​nielslyngsoe in
umbraco/Umbraco-CMS#22436
* Members: Add lightweight external-only members (closes #​12741) by
@​AndyButland in umbraco/Umbraco-CMS#22162
* Cache: Add deferred content type rebuild mode with de-duplication by
@​AndyButland in umbraco/Umbraco-CMS#22194

### 💥 Breaking Changes
* Application URL: Add `ApplicationUrlDetection` setting to control
application URL auto-detection by @​AndyButland in
umbraco/Umbraco-CMS#22307

### 📦 Dependencies
* Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by
@​dependabot[bot] in umbraco/Umbraco-CMS#22334
* Dependencies: Update minor and patch versions by @​AndyButland in
umbraco/Umbraco-CMS#22498
* Update npm dependencies for v17.4.0-rc by @​NguyenThuyLan in
umbraco/Umbraco-CMS#22464
* Bump the npm_and_yarn group across 3 directories with 4 updates by
@​dependabot[bot] in umbraco/Umbraco-CMS#22537
* Dependencies: Update Microsoft packages to latest patch and fix
HybridCache ParseFault with Redis by @​AndyButland in
umbraco/Umbraco-CMS#22278
* Dependencies: Pin `System.Security.Cryptography.Xml` to resolve
vulnerability warning by @​AndyButland in
umbraco/Umbraco-CMS#22514

### 🚤 Performance
* Performance: Batch backoffice media thumbnail URL requests to reduce
N+1 API calls by @​AndyButland in
umbraco/Umbraco-CMS#22329
* Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across
all repositories by @​AndyButland in
umbraco/Umbraco-CMS#22264
* Performance: Optimize `ContentTypeRepository` deep-clone on cache
reads (closes #​22250) by @​AndyButland in
umbraco/Umbraco-CMS#22263
* Performance: Use `GeneratedRegex` instead of generating at runtime in
string extensions by @​Henr1k80 in
umbraco/Umbraco-CMS#22534
* Performance: Avoid allocating a string if `_publishedContentCache` has
a cached version in `MediaCacheService` by @​Henr1k80 in
umbraco/Umbraco-CMS#22535
* Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix
naming & formatting of exceptions) by @​Henr1k80 in
umbraco/Umbraco-CMS#22506
* Micro-optimization: Use Array.ConvertAll instead of LINQ .Select
.ToArray by @​Henr1k80 in
umbraco/Umbraco-CMS#20292
* Entity Service: Batch GetAllPaths queries to avoid SQL Server
parameter limit (closes #​22470) by @​AndyButland in
umbraco/Umbraco-CMS#22471
* Document URL Service: Batch delete of obsolete URL segment records to
avoid SQL Server parameter limit (closes #​22339) by @​AndyButland in
umbraco/Umbraco-CMS#22340
* Content Version Cleanup: Optimize for large datasets (closes #​22224)
by @​AndyButland in umbraco/Umbraco-CMS#22239
* Migrations: Optimise sortable value population for date properties by
@​AndyButland in umbraco/Umbraco-CMS#22547
* Migrations: Fix potential `OptimizeInvariantUrlRecords` timeout on SQL
Server (closes #​22377) by @​AndyButland in
umbraco/Umbraco-CMS#22382
* Umb-icon color setting optimization by @​nielslyngsoe in
umbraco/Umbraco-CMS#22433

### 🌈 Accessibility Improvements
* Accessibility: Fix missing labels on uui-select elements causing
console warnings by @​andreaslborg in
umbraco/Umbraco-CMS#22385
* Accessibility: Include visible initials in name displayed on account
menu button (closes #​21942) by @​andreaslborg in
umbraco/Umbraco-CMS#22117
 ... (truncated)

## 17.3.5

## What's Changed

### 🐛 Bug Fixes

* Revert fix for making block editors read-only in trashed documents
which causes a regression in certain multi-lingual block editing
scenarios (closes #​22472, re-opens #​21982) by @​nielslyngsoe in
umbraco/Umbraco-CMS#22656

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.3.4...release-17.3.5

Commits viewable in [compare
view](umbraco/Umbraco-CMS@release-17.3.4...release-17.4.0).
</details>

Updated
[Umbraco.Cms.Persistence.Sqlite](https://github.com/umbraco/Umbraco-CMS)
from 17.3.4 to 17.4.0.

<details>
<summary>Release notes</summary>

_Sourced from [Umbraco.Cms.Persistence.Sqlite's
releases](https://github.com/umbraco/Umbraco-CMS/releases)._

## 17.4.0

## Upgrade Notes

Be aware of a change to behaviour for detecting the Umbraco application
URL. Previously, `ApplicationMainUrl` was automatically set from the
Host header of incoming HTTP requests. In environments where Umbraco is
not behind a reverse proxy that validates the Host header, this could
allow a forged Host header to overwrite the URL used in password reset
links, user invitations, and other email notifications. While this is
normally mitigated by proper hosting configuration and setting
`UmbracoApplicationUrl` explicitly, we felt that the auto-detection
behaviour should be hardened up and become an opt-in rather than the
default. You can read more about this under "Breaking Changes" below,
the [linked PR](umbraco/Umbraco-CMS#22307) and
the
[documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection).

There are a few updates related to performance in this release that are
worth investigating for larger sites. Using output cache in your
projects, with intelligent and customisable detection of page
invalidation, is now a [configuration option for templated
websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching),
with extension points also [applied for the Delivery
API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching).
We have optimised content cache rebuild after schema updates, with an
option for [deferred rebuild in the
background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode).
If considering a project with significant expected concurrency for
member login and registration, and you prefer to use an external service
for member management, the new option for [lightweight external
members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members)
will be worth reviewing.

If working with AI tools such as Umbraco MCP, additions to management
API endpoints that expose JSON schema for data types and allow for patch
updates of specific properties should improve accuracy and reliability.

As usual please find the full list of PRs that have contributed to
Umbraco 17.4 as follows.

## What's Changed Since 17.4.0-rc3

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.4.0-rc3...release-17.4.0

## What's Changed Since 17.4.0-rc2

### 📦 Dependencies

* Bump @​umbraco-ui/uui to 1.17.3 by @​iOvergaard in
umbraco/Umbraco-CMS#22753

### 🔒 Security

* Backoffice: Add `localize.htmlString()` helper to prevent XSS in
HTML-rendered translations by @​iOvergaard in
umbraco/Umbraco-CMS#22731

### 🐛 Bug Fixes

* Auth: Un-deprecate getLatestToken and route per-request fetches
through it by @​iOvergaard in
umbraco/Umbraco-CMS#22736
* Color Picker: Refresh stored label when data type label changes
(closes #​22741) by @​AndyButland in
umbraco/Umbraco-CMS#22761
* Published Content: Fix Fallback.ToAncestors with no match throwing
exception at property level (closes #​22759) by @​AndyButland in
umbraco/Umbraco-CMS#22763

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3

## What's Changed Since 17.4.0-rc

### 🐛 Bug Fixes

* Block permissions: Correction of read-only inheritance and language
access (closes #​22472, #​21973) by @​nielslyngsoe in
umbraco/Umbraco-CMS#22522
* Redirect Tracker: Prevent creation of redirects from unrouteable URLs
(closes #​22652, #​22256) by @​AndyButland in
umbraco/Umbraco-CMS#22657
* [Blueprints: Fix intermittent blank workspace when creating documents
from blueprints (closes
#​21996)](umbraco/Umbraco-CMS#22422 (comment)) by
@​AndyButland in umbraco/Umbraco-CMS#22422

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2

## What's Changed Since the Previous Version (17.3.5)

### 🙌 Notable Changes
* Management API: Add JSON Schema support for data types and content
types by @​Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #​22005) by
@​madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @​Migaroez in
umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template
rendered pages by @​AndyButland in
umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only
deployments (closes #​22144) by @​AndyButland in
umbraco/Umbraco-CMS#22168
 ... (truncated)

## 17.4.0-rc3

## Upgrade Notes

Be aware of a change to behaviour for detecting the Umbraco application
URL. Previously, `ApplicationMainUrl` was automatically set from the
Host header of incoming HTTP requests. In environments where Umbraco is
not behind a reverse proxy that validates the Host header, this could
allow a forged Host header to overwrite the URL used in password reset
links, user invitations, and other email notifications. While this is
normally mitigated by proper hosting configuration and setting
`UmbracoApplicationUrl` explicitly, we felt that the auto-detection
behaviour should be hardened up and become an opt-in rather than the
default. You can read more about this under "Breaking Changes" below,
the [linked PR](umbraco/Umbraco-CMS#22307) and
the
[documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection).

There are a few updates related to performance in this release that are
worth investigating for larger sites. Using output cache in your
projects, with intelligent and customisable detection of page
invalidation, is now a [configuration option for templated
websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching),
with extension points also [applied for the Delivery
API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching).
We have optimised content cache rebuild after schema updates, with an
option for [deferred rebuild in the
background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode).
If considering a project with significant expected concurrency for
member login and registration, and you prefer to use an external service
for member management, the new option for [lightweight external
members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members)
will be worth reviewing.

If working with AI tools such as Umbraco MCP, additions to management
API endpoints that expose JSON schema for data types and allow for patch
updates of specific properties should improve accuracy and reliability.

As usual please find the full list of PRs that have contributed to
Umbraco 17.4 as follows.

## What's Changed Since 17.4.0-rc2

### 📦 Dependencies

* Bump @​umbraco-ui/uui to 1.17.3 by @​iOvergaard in
umbraco/Umbraco-CMS#22753

### 🔒 Security

* Backoffice: Add `localize.htmlString()` helper to prevent XSS in
HTML-rendered translations by @​iOvergaard in
umbraco/Umbraco-CMS#22731

### 🐛 Bug Fixes

* Auth: Un-deprecate getLatestToken and route per-request fetches
through it by @​iOvergaard in
umbraco/Umbraco-CMS#22736
* Color Picker: Refresh stored label when data type label changes
(closes #​22741) by @​AndyButland in
umbraco/Umbraco-CMS#22761
* Published Content: Fix Fallback.ToAncestors with no match throwing
exception at property level (closes #​22759) by @​AndyButland in
umbraco/Umbraco-CMS#22763

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3

## What's Changed Since 17.4.0-rc

### 🐛 Bug Fixes

* Block permissions: Correction of read-only inheritance and language
access (closes #​22472, #​21973) by @​nielslyngsoe in
umbraco/Umbraco-CMS#22522
* Redirect Tracker: Prevent creation of redirects from unrouteable URLs
(closes #​22652, #​22256) by @​AndyButland in
umbraco/Umbraco-CMS#22657
* [Blueprints: Fix intermittent blank workspace when creating documents
from blueprints (closes
#​21996)](umbraco/Umbraco-CMS#22422 (comment)) by
@​AndyButland in umbraco/Umbraco-CMS#22422

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2

## What's Changed Since the Previous Version (17.3.5)

### 🙌 Notable Changes
* Management API: Add JSON Schema support for data types and content
types by @​Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #​22005) by
@​madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @​Migaroez in
umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template
rendered pages by @​AndyButland in
umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only
deployments (closes #​22144) by @​AndyButland in
umbraco/Umbraco-CMS#22168
* Icons: extends icon data + improved search by @​nielslyngsoe in
umbraco/Umbraco-CMS#22436
* Members: Add lightweight external-only members (closes #​12741) by
@​AndyButland in umbraco/Umbraco-CMS#22162
* Cache: Add deferred content type rebuild mode with de-duplication by
@​AndyButland in umbraco/Umbraco-CMS#22194

 ... (truncated)

## 17.4.0-rc2

## Upgrade Notes

Be aware of a change to behaviour for detecting the Umbraco application
URL. Previously, `ApplicationMainUrl` was automatically set from the
Host header of incoming HTTP requests. In environments where Umbraco is
not behind a reverse proxy that validates the Host header, this could
allow a forged Host header to overwrite the URL used in password reset
links, user invitations, and other email notifications. While this is
normally mitigated by proper hosting configuration and setting
`UmbracoApplicationUrl` explicitly, we felt that the auto-detection
behaviour should be hardened up and become an opt-in rather than the
default. You can read more about this under "Breaking Changes" below,
the [linked PR](umbraco/Umbraco-CMS#22307) and
the
[documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection).

There are a few updates related to performance in this release that are
worth investigating for larger sites. Using output cache in your
projects, with intelligent and customisable detection of page
invalidation, is now a [configuration option for templated
websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching),
with extension points also [applied for the Delivery
API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching).
We have optimised content cache rebuild after schema updates, with an
option for [deferred rebuild in the
background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode).
If considering a project with significant expected concurrency for
member login and registration, and you prefer to use an external service
for member management, the new option for [lightweight external
members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members)
will be worth reviewing.

If working with AI tools such as Umbraco MCP, additions to management
API endpoints that expose JSON schema for data types and allow for patch
updates of specific properties should improve accuracy and reliability.

As usual please find the full list of PRs that have contributed to
Umbraco 17.4 as follows.

## What's Changed Since 17.4.0-rc

### 🐛 Bug Fixes

* Block permissions: Correction of read-only inheritance and language
access (closes #​22472, #​21973) by @​nielslyngsoe in
umbraco/Umbraco-CMS#22522
* Redirect Tracker: Prevent creation of redirects from unrouteable URLs
(closes #​22652, #​22256) by @​AndyButland in
umbraco/Umbraco-CMS#22657
* [Blueprints: Fix intermittent blank workspace when creating documents
from blueprints (closes
#​21996)](umbraco/Umbraco-CMS#22422 (comment)) by
@​AndyButland in umbraco/Umbraco-CMS#22422

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2

## What's Changed Since the Previous Version (17.3.5)

### 🙌 Notable Changes
* Management API: Add JSON Schema support for data types and content
types by @​Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #​22005) by
@​madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @​Migaroez in
umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template
rendered pages by @​AndyButland in
umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only
deployments (closes #​22144) by @​AndyButland in
umbraco/Umbraco-CMS#22168
* Icons: extends icon data + improved search by @​nielslyngsoe in
umbraco/Umbraco-CMS#22436
* Members: Add lightweight external-only members (closes #​12741) by
@​AndyButland in umbraco/Umbraco-CMS#22162
* Cache: Add deferred content type rebuild mode with de-duplication by
@​AndyButland in umbraco/Umbraco-CMS#22194

### 💥 Breaking Changes
* Application URL: Add `ApplicationUrlDetection` setting to control
application URL auto-detection by @​AndyButland in
umbraco/Umbraco-CMS#22307

### 📦 Dependencies
* Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by
@​dependabot[bot] in umbraco/Umbraco-CMS#22334
* Dependencies: Update minor and patch versions by @​AndyButland in
umbraco/Umbraco-CMS#22498
* Update npm dependencies for v17.4.0-rc by @​NguyenThuyLan in
umbraco/Umbraco-CMS#22464
* Bump the npm_and_yarn group across 3 directories with 4 updates by
@​dependabot[bot] in umbraco/Umbraco-CMS#22537
* Dependencies: Update Microsoft packages to latest patch and fix
HybridCache ParseFault with Redis by @​AndyButland in
umbraco/Umbraco-CMS#22278
* Dependencies: Pin `System.Security.Cryptography.Xml` to resolve
vulnerability warning by @​AndyButland in
umbraco/Umbraco-CMS#22514

### 🚤 Performance
* Performance: Batch backoffice media thumbnail URL requests to reduce
N+1 API calls by @​AndyButland in
umbraco/Umbraco-CMS#22329
* Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across
all repositories by @​AndyButland in
umbraco/Umbraco-CMS#22264
* Performance: Optimize `ContentTypeRepository` deep-clone on cache
reads (closes #​22250) by @​AndyButland in
umbraco/Umbraco-CMS#22263
* Performance: Use `GeneratedRegex` instead of generating at runtime in
string extensions by @​Henr1k80 in
umbraco/Umbraco-CMS#22534
* Performance: Avoid allocating a string if `_publishedContentCache` has
a cached version in `MediaCacheService` by @​Henr1k80 in
umbraco/Umbraco-CMS#22535
* Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix
naming & formatting of exceptions) by @​Henr1k80 in
umbraco/Umbraco-CMS#22506
 ... (truncated)

## 17.4.0-rc

## Upgrade Notes

Be aware of a change to behaviour for detecting the Umbraco application
URL. Previously, `ApplicationMainUrl` was automatically set from the
Host header of incoming HTTP requests. In environments where Umbraco is
not behind a reverse proxy that validates the Host header, this could
allow a forged Host header to overwrite the URL used in password reset
links, user invitations, and other email notifications. While this is
normally mitigated by proper hosting configuration and setting
`UmbracoApplicationUrl` explicitly, we felt that the auto-detection
behaviour should be hardened up and become an opt-in rather than the
default. You can read more about this under "Breaking Changes" below,
the [linked PR](umbraco/Umbraco-CMS#22307) and
the
[documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection).

There are a few updates related to performance in this release that are
worth investigating for larger sites. Using output cache in your
projects, with intelligent and customisable detection of page
invalidation, is now a [configuration option for templated
websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching),
with extension points also [applied for the Delivery
API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching).
We have optimised content cache rebuild after schema updates, with an
option for [deferred rebuild in the
background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode).
If considering a project with significant expected concurrency for
member login and registration, and you prefer to use an external service
for member management, the new option for [lightweight external
members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members)
will be worth reviewing.

If working with AI tools such as Umbraco MCP, additions to management
API endpoints that expose JSON schema for data types and allow for patch
updates of specific properties should improve accuracy and reliability.

As usual please find the full list of PRs that have contributed to
Umbraco 17.4 as follows.

## What's Changed
### 🙌 Notable Changes
* Management API: Add JSON Schema support for data types and content
types by @​Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #​22005) by
@​madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @​Migaroez in
umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template
rendered pages by @​AndyButland in
umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only
deployments (closes #​22144) by @​AndyButland in
umbraco/Umbraco-CMS#22168
* Icons: extends icon data + improved search by @​nielslyngsoe in
umbraco/Umbraco-CMS#22436
* Members: Add lightweight external-only members (closes #​12741) by
@​AndyButland in umbraco/Umbraco-CMS#22162
* Cache: Add deferred content type rebuild mode with de-duplication by
@​AndyButland in umbraco/Umbraco-CMS#22194

### 💥 Breaking Changes
* Application URL: Add `ApplicationUrlDetection` setting to control
application URL auto-detection by @​AndyButland in
umbraco/Umbraco-CMS#22307

### 📦 Dependencies
* Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by
@​dependabot[bot] in umbraco/Umbraco-CMS#22334
* Dependencies: Update minor and patch versions by @​AndyButland in
umbraco/Umbraco-CMS#22498
* Update npm dependencies for v17.4.0-rc by @​NguyenThuyLan in
umbraco/Umbraco-CMS#22464
* Bump the npm_and_yarn group across 3 directories with 4 updates by
@​dependabot[bot] in umbraco/Umbraco-CMS#22537
* Dependencies: Update Microsoft packages to latest patch and fix
HybridCache ParseFault with Redis by @​AndyButland in
umbraco/Umbraco-CMS#22278
* Dependencies: Pin `System.Security.Cryptography.Xml` to resolve
vulnerability warning by @​AndyButland in
umbraco/Umbraco-CMS#22514

### 🚤 Performance
* Performance: Batch backoffice media thumbnail URL requests to reduce
N+1 API calls by @​AndyButland in
umbraco/Umbraco-CMS#22329
* Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across
all repositories by @​AndyButland in
umbraco/Umbraco-CMS#22264
* Performance: Optimize `ContentTypeRepository` deep-clone on cache
reads (closes #​22250) by @​AndyButland in
umbraco/Umbraco-CMS#22263
* Performance: Use `GeneratedRegex` instead of generating at runtime in
string extensions by @​Henr1k80 in
umbraco/Umbraco-CMS#22534
* Performance: Avoid allocating a string if `_publishedContentCache` has
a cached version in `MediaCacheService` by @​Henr1k80 in
umbraco/Umbraco-CMS#22535
* Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix
naming & formatting of exceptions) by @​Henr1k80 in
umbraco/Umbraco-CMS#22506
* Micro-optimization: Use Array.ConvertAll instead of LINQ .Select
.ToArray by @​Henr1k80 in
umbraco/Umbraco-CMS#20292
* Entity Service: Batch GetAllPaths queries to avoid SQL Server
parameter limit (closes #​22470) by @​AndyButland in
umbraco/Umbraco-CMS#22471
* Document URL Service: Batch delete of obsolete URL segment records to
avoid SQL Server parameter limit (closes #​22339) by @​AndyButland in
umbraco/Umbraco-CMS#22340
* Content Version Cleanup: Optimize for large datasets (closes #​22224)
by @​AndyButland in umbraco/Umbraco-CMS#22239
* Migrations: Optimise sortable value population for date properties by
@​AndyButland in umbraco/Umbraco-CMS#22547
* Migrations: Fix potential `OptimizeInvariantUrlRecords` timeout on SQL
Server (closes #​22377) by @​AndyButland in
umbraco/Umbraco-CMS#22382
* Umb-icon color setting optimization by @​nielslyngsoe in
umbraco/Umbraco-CMS#22433

### 🌈 Accessibility Improvements
* Accessibility: Fix missing labels on uui-select elements causing
console warnings by @​andreaslborg in
umbraco/Umbraco-CMS#22385
* Accessibility: Include visible initials in name displayed on account
menu button (closes #​21942) by @​andreaslborg in
umbraco/Umbraco-CMS#22117
 ... (truncated)

## 17.3.5

## What's Changed

### 🐛 Bug Fixes

* Revert fix for making block editors read-only in trashed documents
which causes a regression in certain multi-lingual block editing
scenarios (closes #​22472, re-opens #​21982) by @​nielslyngsoe in
umbraco/Umbraco-CMS#22656

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.3.4...release-17.3.5

Commits viewable in [compare
view](umbraco/Umbraco-CMS@release-17.3.4...release-17.4.0).
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
alexsee pushed a commit to alexsee/umbraco-container that referenced this pull request May 21, 2026
Updated
[Umbraco.Cms.DevelopmentMode.Backoffice](https://github.com/umbraco/Umbraco-CMS)
from 17.3.4 to 17.4.0.

<details>
<summary>Release notes</summary>

_Sourced from [Umbraco.Cms.DevelopmentMode.Backoffice's
releases](https://github.com/umbraco/Umbraco-CMS/releases)._

## 17.4.0

## Upgrade Notes

Be aware of a change to behaviour for detecting the Umbraco application
URL. Previously, `ApplicationMainUrl` was automatically set from the
Host header of incoming HTTP requests. In environments where Umbraco is
not behind a reverse proxy that validates the Host header, this could
allow a forged Host header to overwrite the URL used in password reset
links, user invitations, and other email notifications. While this is
normally mitigated by proper hosting configuration and setting
`UmbracoApplicationUrl` explicitly, we felt that the auto-detection
behaviour should be hardened up and become an opt-in rather than the
default. You can read more about this under "Breaking Changes" below,
the [linked PR](umbraco/Umbraco-CMS#22307) and
the
[documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection).

There are a few updates related to performance in this release that are
worth investigating for larger sites. Using output cache in your
projects, with intelligent and customisable detection of page
invalidation, is now a [configuration option for templated
websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching),
with extension points also [applied for the Delivery
API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching).
We have optimised content cache rebuild after schema updates, with an
option for [deferred rebuild in the
background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode).
If considering a project with significant expected concurrency for
member login and registration, and you prefer to use an external service
for member management, the new option for [lightweight external
members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members)
will be worth reviewing.

If working with AI tools such as Umbraco MCP, additions to management
API endpoints that expose JSON schema for data types and allow for patch
updates of specific properties should improve accuracy and reliability.

As usual please find the full list of PRs that have contributed to
Umbraco 17.4 as follows.

## What's Changed Since 17.4.0-rc3

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.4.0-rc3...release-17.4.0

## What's Changed Since 17.4.0-rc2

### 📦 Dependencies

* Bump @​umbraco-ui/uui to 1.17.3 by @​iOvergaard in
umbraco/Umbraco-CMS#22753

### 🔒 Security

* Backoffice: Add `localize.htmlString()` helper to prevent XSS in
HTML-rendered translations by @​iOvergaard in
umbraco/Umbraco-CMS#22731

### 🐛 Bug Fixes

* Auth: Un-deprecate getLatestToken and route per-request fetches
through it by @​iOvergaard in
umbraco/Umbraco-CMS#22736
* Color Picker: Refresh stored label when data type label changes
(closes #​22741) by @​AndyButland in
umbraco/Umbraco-CMS#22761
* Published Content: Fix Fallback.ToAncestors with no match throwing
exception at property level (closes #​22759) by @​AndyButland in
umbraco/Umbraco-CMS#22763

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3

## What's Changed Since 17.4.0-rc

### 🐛 Bug Fixes

* Block permissions: Correction of read-only inheritance and language
access (closes #​22472, #​21973) by @​nielslyngsoe in
umbraco/Umbraco-CMS#22522
* Redirect Tracker: Prevent creation of redirects from unrouteable URLs
(closes #​22652, #​22256) by @​AndyButland in
umbraco/Umbraco-CMS#22657
* [Blueprints: Fix intermittent blank workspace when creating documents
from blueprints (closes
#​21996)](umbraco/Umbraco-CMS#22422 (comment)) by
@​AndyButland in umbraco/Umbraco-CMS#22422

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2

## What's Changed Since the Previous Version (17.3.5)

### 🙌 Notable Changes
* Management API: Add JSON Schema support for data types and content
types by @​Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #​22005) by
@​madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @​Migaroez in
umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template
rendered pages by @​AndyButland in
umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only
deployments (closes #​22144) by @​AndyButland in
umbraco/Umbraco-CMS#22168
 ... (truncated)

## 17.4.0-rc3

## Upgrade Notes

Be aware of a change to behaviour for detecting the Umbraco application
URL. Previously, `ApplicationMainUrl` was automatically set from the
Host header of incoming HTTP requests. In environments where Umbraco is
not behind a reverse proxy that validates the Host header, this could
allow a forged Host header to overwrite the URL used in password reset
links, user invitations, and other email notifications. While this is
normally mitigated by proper hosting configuration and setting
`UmbracoApplicationUrl` explicitly, we felt that the auto-detection
behaviour should be hardened up and become an opt-in rather than the
default. You can read more about this under "Breaking Changes" below,
the [linked PR](umbraco/Umbraco-CMS#22307) and
the
[documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection).

There are a few updates related to performance in this release that are
worth investigating for larger sites. Using output cache in your
projects, with intelligent and customisable detection of page
invalidation, is now a [configuration option for templated
websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching),
with extension points also [applied for the Delivery
API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching).
We have optimised content cache rebuild after schema updates, with an
option for [deferred rebuild in the
background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode).
If considering a project with significant expected concurrency for
member login and registration, and you prefer to use an external service
for member management, the new option for [lightweight external
members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members)
will be worth reviewing.

If working with AI tools such as Umbraco MCP, additions to management
API endpoints that expose JSON schema for data types and allow for patch
updates of specific properties should improve accuracy and reliability.

As usual please find the full list of PRs that have contributed to
Umbraco 17.4 as follows.

## What's Changed Since 17.4.0-rc2

### 📦 Dependencies

* Bump @​umbraco-ui/uui to 1.17.3 by @​iOvergaard in
umbraco/Umbraco-CMS#22753

### 🔒 Security

* Backoffice: Add `localize.htmlString()` helper to prevent XSS in
HTML-rendered translations by @​iOvergaard in
umbraco/Umbraco-CMS#22731

### 🐛 Bug Fixes

* Auth: Un-deprecate getLatestToken and route per-request fetches
through it by @​iOvergaard in
umbraco/Umbraco-CMS#22736
* Color Picker: Refresh stored label when data type label changes
(closes #​22741) by @​AndyButland in
umbraco/Umbraco-CMS#22761
* Published Content: Fix Fallback.ToAncestors with no match throwing
exception at property level (closes #​22759) by @​AndyButland in
umbraco/Umbraco-CMS#22763

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.4.0-rc2...release-17.4.0-rc3

## What's Changed Since 17.4.0-rc

### 🐛 Bug Fixes

* Block permissions: Correction of read-only inheritance and language
access (closes #​22472, #​21973) by @​nielslyngsoe in
umbraco/Umbraco-CMS#22522
* Redirect Tracker: Prevent creation of redirects from unrouteable URLs
(closes #​22652, #​22256) by @​AndyButland in
umbraco/Umbraco-CMS#22657
* [Blueprints: Fix intermittent blank workspace when creating documents
from blueprints (closes
#​21996)](umbraco/Umbraco-CMS#22422 (comment)) by
@​AndyButland in umbraco/Umbraco-CMS#22422

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2

## What's Changed Since the Previous Version (17.3.5)

### 🙌 Notable Changes
* Management API: Add JSON Schema support for data types and content
types by @​Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #​22005) by
@​madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @​Migaroez in
umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template
rendered pages by @​AndyButland in
umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only
deployments (closes #​22144) by @​AndyButland in
umbraco/Umbraco-CMS#22168
* Icons: extends icon data + improved search by @​nielslyngsoe in
umbraco/Umbraco-CMS#22436
* Members: Add lightweight external-only members (closes #​12741) by
@​AndyButland in umbraco/Umbraco-CMS#22162
* Cache: Add deferred content type rebuild mode with de-duplication by
@​AndyButland in umbraco/Umbraco-CMS#22194

 ... (truncated)

## 17.4.0-rc2

## Upgrade Notes

Be aware of a change to behaviour for detecting the Umbraco application
URL. Previously, `ApplicationMainUrl` was automatically set from the
Host header of incoming HTTP requests. In environments where Umbraco is
not behind a reverse proxy that validates the Host header, this could
allow a forged Host header to overwrite the URL used in password reset
links, user invitations, and other email notifications. While this is
normally mitigated by proper hosting configuration and setting
`UmbracoApplicationUrl` explicitly, we felt that the auto-detection
behaviour should be hardened up and become an opt-in rather than the
default. You can read more about this under "Breaking Changes" below,
the [linked PR](umbraco/Umbraco-CMS#22307) and
the
[documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection).

There are a few updates related to performance in this release that are
worth investigating for larger sites. Using output cache in your
projects, with intelligent and customisable detection of page
invalidation, is now a [configuration option for templated
websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching),
with extension points also [applied for the Delivery
API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching).
We have optimised content cache rebuild after schema updates, with an
option for [deferred rebuild in the
background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode).
If considering a project with significant expected concurrency for
member login and registration, and you prefer to use an external service
for member management, the new option for [lightweight external
members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members)
will be worth reviewing.

If working with AI tools such as Umbraco MCP, additions to management
API endpoints that expose JSON schema for data types and allow for patch
updates of specific properties, should improve accuracy and reliability.

As usual please find the full list of PRs that have contributed to
Umbraco 17.4 as follows.

## What's Changed Since 17.4.0-rc

### 🐛 Bug Fixes

* Block permissions: Correction of read-only inheritance and language
access (closes #​22472, #​21973) by @​nielslyngsoe in
umbraco/Umbraco-CMS#22522
* Redirect Tracker: Prevent creation of redirects from unrouteable URLs
(closes #​22652, #​22256) by @​AndyButland in
umbraco/Umbraco-CMS#22657
* [Blueprints: Fix intermittent blank workspace when creating documents
from blueprints (closes
#​21996)](umbraco/Umbraco-CMS#22422 (comment)) by
@​AndyButland in umbraco/Umbraco-CMS#22422

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.4.0-rc...release-17.4.0-rc2

## What's Changed Since the Previous Version (17.3.5)

### 🙌 Notable Changes
* Management API: Add JSON Schema support for data types and content
types by @​Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #​22005) by
@​madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @​Migaroez in
umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template
rendered pages by @​AndyButland in
umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only
deployments (closes #​22144) by @​AndyButland in
umbraco/Umbraco-CMS#22168
* Icons: extends icon data + improved search by @​nielslyngsoe in
umbraco/Umbraco-CMS#22436
* Members: Add lightweight external-only members (closes #​12741) by
@​AndyButland in umbraco/Umbraco-CMS#22162
* Cache: Add deferred content type rebuild mode with de-duplication by
@​AndyButland in umbraco/Umbraco-CMS#22194

### 💥 Breaking Changes
* Application URL: Add `ApplicationUrlDetection` setting to control
application URL auto-detection by @​AndyButland in
umbraco/Umbraco-CMS#22307

### 📦 Dependencies
* Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by
@​dependabot[bot] in umbraco/Umbraco-CMS#22334
* Dependencies: Update minor and patch versions by @​AndyButland in
umbraco/Umbraco-CMS#22498
* Update npm dependencies for v17.4.0-rc by @​NguyenThuyLan in
umbraco/Umbraco-CMS#22464
* Bump the npm_and_yarn group across 3 directories with 4 updates by
@​dependabot[bot] in umbraco/Umbraco-CMS#22537
* Dependencies: Update Microsoft packages to latest patch and fix
HybridCache ParseFault with Redis by @​AndyButland in
umbraco/Umbraco-CMS#22278
* Dependencies: Pin `System.Security.Cryptography.Xml` to resolve
vulnerability warning by @​AndyButland in
umbraco/Umbraco-CMS#22514

### 🚤 Performance
* Performance: Batch backoffice media thumbnail URL requests to reduce
N+1 API calls by @​AndyButland in
umbraco/Umbraco-CMS#22329
* Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across
all repositories by @​AndyButland in
umbraco/Umbraco-CMS#22264
* Performance: Optimize `ContentTypeRepository` deep-clone on cache
reads (closes #​22250) by @​AndyButland in
umbraco/Umbraco-CMS#22263
* Performance: Use `GeneratedRegex` instead of generating at runtime in
string extensions by @​Henr1k80 in
umbraco/Umbraco-CMS#22534
* Performance: Avoid allocating a string if `_publishedContentCache` has
a cached version in `MediaCacheService` by @​Henr1k80 in
umbraco/Umbraco-CMS#22535
* Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix
naming & formatting of exceptions) by @​Henr1k80 in
umbraco/Umbraco-CMS#22506
 ... (truncated)

## 17.4.0-rc

## Upgrade Notes

Be aware of a change to behaviour for detecting the Umbraco application
URL. Previously, `ApplicationMainUrl` was automatically set from the
Host header of incoming HTTP requests. In environments where Umbraco is
not behind a reverse proxy that validates the Host header, this could
allow a forged Host header to overwrite the URL used in password reset
links, user invitations, and other email notifications. While this is
normally mitigated by proper hosting configuration and setting
`UmbracoApplicationUrl` explicitly, we felt that the auto-detection
behaviour should be hardened up and become an opt-in rather than the
default. You can read more about this under "Breaking Changes" below,
the [linked PR](umbraco/Umbraco-CMS#22307) and
the
[documentation](https://docs.umbraco.com/umbraco-cms/reference/configuration/webroutingsettings#application-url-detection).

There are a few updates related to performance in this release that are
worth investigating for larger sites. Using output cache in your
projects, with intelligent and customisable detection of page
invalidation, is now a [configuration option for templated
websites](https://docs.umbraco.com/umbraco-cms/reference/website-output-caching),
with extension points also [applied for the Delivery
API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api/output-caching).
We have optimised content cache rebuild after schema updates, with an
option for [deferred rebuild in the
background](https://docs.umbraco.com/umbraco-cms/reference/configuration/cache-settings#contenttyperebuildmode).
If considering a project with significant expected concurrency for
member login and registration, and you prefer to use an external service
for member management, the new option for [lightweight external
members](https://docs.umbraco.com/umbraco-cms/reference/security/lightweight-external-members)
will be worth reviewing.

If working with AI tools such as Umbraco MCP, additions to management
API endpoints that expose JSON schema for data types and allow for patch
updates of specific properties, should improve accuracy and reliability.

As usual please find the full list of PRs that have contributed to
Umbraco 17.4 as follows.

## What's Changed
### 🙌 Notable Changes
* Management API: Add JSON Schema support for data types and content
types by @​Migaroez in umbraco/Umbraco-CMS#21771
* Media Picker: Add Cards/Table view switcher (closes #​22005) by
@​madsrasmussen in umbraco/Umbraco-CMS#22138
* Management API: Add document patch endpoint by @​Migaroez in
umbraco/Umbraco-CMS#22104
* Website Rendering: Add configurable output caching for template
rendered pages by @​AndyButland in
umbraco/Umbraco-CMS#22338
* Basic Authentication: Standalone login page for frontend-only
deployments (closes #​22144) by @​AndyButland in
umbraco/Umbraco-CMS#22168
* Icons: extends icon data + improved search by @​nielslyngsoe in
umbraco/Umbraco-CMS#22436
* Members: Add lightweight external-only members (closes #​12741) by
@​AndyButland in umbraco/Umbraco-CMS#22162
* Cache: Add deferred content type rebuild mode with de-duplication by
@​AndyButland in umbraco/Umbraco-CMS#22194

### 💥 Breaking Changes
* Application URL: Add `ApplicationUrlDetection` setting to control
application URL auto-detection by @​AndyButland in
umbraco/Umbraco-CMS#22307

### 📦 Dependencies
* Bump lodash from 4.17.23 to 4.18.1 in /src/Umbraco.Web.UI.Login by
@​dependabot[bot] in umbraco/Umbraco-CMS#22334
* Dependencies: Update minor and patch versions by @​AndyButland in
umbraco/Umbraco-CMS#22498
* Update npm dependencies for v17.4.0-rc by @​NguyenThuyLan in
umbraco/Umbraco-CMS#22464
* Bump the npm_and_yarn group across 3 directories with 4 updates by
@​dependabot[bot] in umbraco/Umbraco-CMS#22537
* Dependencies: Update Microsoft packages to latest patch and fix
HybridCache ParseFault with Redis by @​AndyButland in
umbraco/Umbraco-CMS#22278
* Dependencies: Pin `System.Security.Cryptography.Xml` to resolve
vulnerability warning by @​AndyButland in
umbraco/Umbraco-CMS#22514

### 🚤 Performance
* Performance: Batch backoffice media thumbnail URL requests to reduce
N+1 API calls by @​AndyButland in
umbraco/Umbraco-CMS#22329
* Performance: Optimize `FullDataSetRepositoryCachePolicy` usage across
all repositories by @​AndyButland in
umbraco/Umbraco-CMS#22264
* Performance: Optimize `ContentTypeRepository` deep-clone on cache
reads (closes #​22250) by @​AndyButland in
umbraco/Umbraco-CMS#22263
* Performance: Use `GeneratedRegex` instead of generating at runtime in
string extensions by @​Henr1k80 in
umbraco/Umbraco-CMS#22534
* Performance: Avoid allocating a string if `_publishedContentCache` has
a cached version in `MediaCacheService` by @​Henr1k80 in
umbraco/Umbraco-CMS#22535
* Performance: Micro-optimisation in `UdiParser` (eliminate closure, fix
naming & formatting of exceptions) by @​Henr1k80 in
umbraco/Umbraco-CMS#22506
* Micro-optimization: Use Array.ConvertAll instead of LINQ .Select
.ToArray by @​Henr1k80 in
umbraco/Umbraco-CMS#20292
* Entity Service: Batch GetAllPaths queries to avoid SQL Server
parameter limit (closes #​22470) by @​AndyButland in
umbraco/Umbraco-CMS#22471
* Document URL Service: Batch delete of obsolete URL segment records to
avoid SQL Server parameter limit (closes #​22339) by @​AndyButland in
umbraco/Umbraco-CMS#22340
* Content Version Cleanup: Optimize for large datasets (closes #​22224)
by @​AndyButland in umbraco/Umbraco-CMS#22239
* Migrations: Optimise sortable value population for date properties by
@​AndyButland in umbraco/Umbraco-CMS#22547
* Migrations: Fix potential `OptimizeInvariantUrlRecords` timeout on SQL
Server (closes #​22377) by @​AndyButland in
umbraco/Umbraco-CMS#22382
* Umb-icon color setting optimization by @​nielslyngsoe in
umbraco/Umbraco-CMS#22433

### 🌈 Accessibility Improvements
* Accessibility: Fix missing labels on uui-select elements causing
console warnings by @​andreaslborg in
umbraco/Umbraco-CMS#22385
* Accessibility: Include visible initials in name displayed on account
menu button (closes #​21942) by @​andreaslborg in
umbraco/Umbraco-CMS#22117
 ... (truncated)

## 17.3.5

## What's Changed

### 🐛 Bug Fixes

* Revert fix for making block editors read-only in trashed documents
which causes a regression in certain multi-lingual block editing
scenarios (closes #​22472, re-opens #​21982) by @​nielslyngsoe in
umbraco/Umbraco-CMS#22656

**Full Changelog**:
umbraco/Umbraco-CMS@release-17.3.4...release-17.3.5

Commits viewable in [compare
view](umbraco/Umbraco-CMS@release-17.3.4...release-17.4.0).
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Labels

category/notable release/17.4.0 status/needs-docs Requires new or updated documentation
