Headline
CVE-2023-32312: External login providers
UmbracoIdentityExtensions is an Umbraco add-on package that enables easy extensibility points for ASP.Net Identity integration. In affected versions client secrets are not required, which may expose some endpoints to untrusted actors. Since Umbraco is not a single-page application, the implicit flow is not safe. For traditional MVC applications, it is recommended to use the authorization code flow, which requires the client to authenticate with the authorization server using a client secret. This flow provides better security, as it involves exchanging an authorization code for an access token and/or ID token rather than returning tokens directly in the URL fragment. This issue has been patched in commit e792429f9 and a release to NuGet is pending. Users are advised to upgrade when possible.
using Microsoft.Extensions.Options;
using Umbraco.Cms.Web.BackOffice.Security;
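namespace MyUmbracoProject.CustomAuthentication
{
    /// <summary>
    /// Configures the Umbraco back-office external-login options for the
    /// OpenID Connect scheme named by <see cref="SchemeName"/>: login-button
    /// appearance, account auto-linking, and whether local (username/password)
    /// login stays available.
    /// </summary>
    /// <remarks>
    /// The authentication scheme itself (authority, client id, client secret,
    /// response type / flow) is registered elsewhere; nothing in this class
    /// controls which OAuth/OIDC flow is used. These options only decide what
    /// Umbraco does with an identity the scheme has already authenticated.
    /// </remarks>
    public class ProviderBackOfficeExternalLoginProviderOptions : IConfigureNamedOptions<BackOfficeExternalLoginProviderOptions>
    {
        /// <summary>
        /// Name of the external authentication scheme these options apply to.
        /// Umbraco addresses the back-office registration under
        /// <c>Constants.Security.BackOfficeExternalAuthenticationTypePrefix + SchemeName</c>.
        /// </summary>
        public const string SchemeName = "OpenIdConnect";

        /// <summary>
        /// Named-options entry point. Only the options instance registered under
        /// the prefixed <see cref="SchemeName"/> is configured; any other name is
        /// left untouched so unrelated providers are not affected.
        /// </summary>
        /// <param name="name">The options name being configured.</param>
        /// <param name="options">The options instance to populate.</param>
        public void Configure(string name, BackOfficeExternalLoginProviderOptions options)
        {
            // Ordinal comparison: scheme names are identifiers, not user-facing text.
            if (name != Constants.Security.BackOfficeExternalAuthenticationTypePrefix + SchemeName)
            {
                return;
            }

            Configure(options);
        }

        /// <summary>
        /// Applies the provider settings to <paramref name="options"/>.
        /// </summary>
        /// <param name="options">The options instance to populate.</param>
        public void Configure(BackOfficeExternalLoginProviderOptions options)
        {
            // Customize the login button
            options.ButtonStyle = "btn-danger";
            options.Icon = "fa fa-cloud";

            // The following options are relevant if you
            // want to configure auto-linking on the authentication.
            //
            // Trust boundary: with auto-linking enabled, every identity the
            // external provider authenticates is turned into a back-office user
            // in the groups listed below on first login. Whether that identity
            // belongs to your organisation is NOT checked here; the
            // OnExternalLogin callback below is the place to verify the
            // returned claims before allowing sign-in to continue.
            options.AutoLinkOptions = new ExternalSignInAutoLinkOptions(
                // Set to true to enable auto-linking
                autoLinkExternalAccount: true,
                // Groups granted to an auto-linked user. Editor is a
                // content-editing role; use the least-privileged group that
                // meets your needs.
                defaultUserGroups: new[] { Constants.Security.EditorGroupAlias },
                // Default culture: the culture specified in appsettings.json.
                // No explicit culture is passed here, so that default applies;
                // it can also be assigned dynamically in the OnAutoLinking callback.
                // Disable the ability to link/unlink manually from within
                // the Umbraco backoffice.
                // Set this to false if you don't want the user to unlink
                // from this external provider.
                allowManualLinking: false)
            {
                OnAutoLinking = (autoLinkUser, loginInfo) =>
                {
                    // Customize the user before it's linked.
                    // Modify the User's groups based on the Claims returned
                    // in the external login info.
                },
                OnExternalLogin = (user, loginInfo) =>
                {
                    // Customize the User before it is saved whenever they have
                    // logged in with the external provider.
                    // Sync the Users name based on the Claims returned
                    // in the external login info.

                    // Returns a boolean indicating if sign-in should continue or not.
                    // NOTE(review): returning true unconditionally accepts every
                    // authenticated external identity. Any claim checks your
                    // policy requires (issuer/tenant membership, verified e-mail,
                    // and so on) belong here, returning false when they fail.
                    return true;
                }
            };

            // Disable the ability for users to login with a username/password.
            // If set to true, it will disable username/password login
            // even if there are other external login providers installed.
            options.DenyLocalLogin = false;

            // Choose to automatically redirect to the external login provider
            // effectively removing the login button.
            options.AutoRedirectLoginToExternalProvider = false;
        }
    }
}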