IConfigureNamedOptions<MemberExternalLoginProviderOptions> Configure methods never called to setup autolinking

[r-modica-cti]

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

13.3.0

Bug summary

We are unable to get auto linking working with an Azure AD provider as the IConfigureNamedOptions<MemberExternalLoginProviderOptions> Configure is never called to setup auto linking.

The login via the external service is working (as in we are presented with a Microsoft login page which allows us to put in credentials) and we are redirected back to the site, but no member is linked.

Setting breakpoints on either of the Configure methods never get hit.

We don't believe there is an issue with out implementation as we have also copied the implementation from the official documentation (literally copied with no code changes):

https://docs.umbraco.com/umbraco-cms/tutorials/add-microsoft-entra-id-authentication

We have tried different types of provider too, like OIDC but its the same, the MemberExternalLoginProviderOptions are never called.

Options file

public class EntraIDB2CMembersExternalLoginProviderOptions : IConfigureNamedOptions<MemberExternalLoginProviderOptions>
{
    public const string SchemeName = "ActiveDirectoryB2C";

    public void Configure(string? name, MemberExternalLoginProviderOptions options)
    {
        if (name != Constants.Security.MemberExternalAuthenticationTypePrefix + SchemeName)
        {
            return;
        }

        Configure(options);
    }

    public void Configure(MemberExternalLoginProviderOptions options)
    {
        // The following options are relevant if you
        // want to configure auto-linking on the authentication.
        options.AutoLinkOptions = new MemberExternalSignInAutoLinkOptions(

            // Set to true to enable auto-linking
            autoLinkExternalAccount: true,

            // [OPTIONAL]
            // Default: The culture specified in appsettings.json.
            // Specify the default culture to create the Member as.
            // It can be dynamically assigned in the OnAutoLinking callback.
            defaultCulture: null,

            // [OPTIONAL]
            // Specify the default "IsApproved" status.
            // Must be true for auto-linking.
            defaultIsApproved: true,

            // [OPTIONAL]
            // Default: "Member"
            // Specify the Member Type alias.
            defaultMemberTypeAlias: Constants.Security.DefaultMemberTypeAlias

        )
        {
            // [OPTIONAL] Callbacks
            OnAutoLinking = (autoLinkUser, loginInfo) =>
            {
                // Customize the Member before it's linked.
                // Modify the Members groups based on the Claims returned
                // in the external login info.
            },
            OnExternalLogin = (user, loginInfo) =>
            {
                // Customize the Member before it is saved whenever they have
                // logged in with the external provider.
                // Sync the Members name based on the Claims returned
                // in the external login info

                // Returns a boolean indicating if sign-in should continue or not.
                return true;
            }
        };
    }
}

Extension (secrets have been removed):

public static class MemberAuthenticationExtensions
{
    public static IUmbracoBuilder ConfigureAuthenticationMembers(this IUmbracoBuilder builder)
    {
        builder.Services.ConfigureOptions<EntraIDB2CMembersExternalLoginProviderOptions>();
        builder.AddMemberExternalLogins(logins =>
        {
            builder.Services.ConfigureOptions<EntraIDB2CMembersExternalLoginProviderOptions>();
            builder.AddMemberExternalLogins(logins =>
            {
                logins.AddMemberLogin(
                    membersAuthenticationBuilder =>
                    {
                        membersAuthenticationBuilder.AddMicrosoftAccount(

                            // The scheme must be set with this method to work for the external login.
                            membersAuthenticationBuilder.SchemeForMembers(EntraIDB2CMembersExternalLoginProviderOptions.SchemeName),
                            options =>
                            {
                                // Callbackpath: Represents the URL to which the browser should be redirected to.
                                // The default value is /signin-oidc.
                                // This needs to be unique.
                                options.CallbackPath = "/umbraco-microsoft-signin/";

                                //Obtained from the ENTRA ID B2C WEB APP
                                options.ClientId = "CLIENT";
                                //Obtained from the ENTRA ID B2C WEB APP
                                options.ClientSecret = "SECRET";


                                // If you are using single-tenant app registration (e.g. for an intranet site), you must specify the Token Endpoint and Authorization Endpoint:
                                options.TokenEndpoint = $"https://login.microsoftonline.com/TENANT/oauth2/v2.0/token";
                                options.AuthorizationEndpoint = $"https://login.microsoftonline.com/TENANT/oauth2/v2.0/authorize";

                                options.SaveTokens = true;
                            });
                    });
            });
        });
        return builder;
    }
}

Specifics

No response

Steps to reproduce

We are using an Azure AD integration (not B2C) which may require a client to be setup on an Azure AD Tenant.

We have essentially copied this line for line into a project:

https://docs.umbraco.com/umbraco-cms/tutorials/add-microsoft-entra-id-authentication

Expected result / actual result

For the OnAutoLinking and OnExternalLogin to be wired up correctly and the Configure methods of the EntraIDB2CMembersExternalLoginProviderOptions to be run.

[github-actions]

Hi there @r-modica-cti!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

• We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
• If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
• We'll replicate the issue to ensure that the problem is as described.
• We'll decide whether the behavior is an issue or if the behavior is intended.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂

[NguyenThuyLan]

Hi @r-modica-cti , thank you for reporting the issue. I'm trying to reproduce it, I'll let you know as soon as possible 🚀

[NguyenThuyLan]

Hi again @r-modica-cti , I am using v13.5.0 and unfortunately I cannot reproduce this issue, can you confirm that when you register a web application in Azure AD, you enable ID token implicit grant? like this tutorial https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga