Back office user updates to support OAuth and 8.9 features #9470
Conversation
…ice login providers"" Signed-off-by: Bjarke Berg <mail@bergmania.dk>
…ers and debug why the styles aren't working"" Signed-off-by: Bjarke Berg <mail@bergmania.dk>
…er"" Signed-off-by: Bjarke Berg <mail@bergmania.dk>
…cated under the back office scheme"" Signed-off-by: Bjarke Berg <mail@bergmania.dk>
…Controller for endpoints that aren't authorized (and simplifies)"" Signed-off-by: Bjarke Berg <mail@bergmania.dk>
Signed-off-by: Bjarke Berg <mail@bergmania.dk>
…rs, simplifies gulp so we aren't building 2x.
…ct so we have access to necessary services, splits apart files, removes old code, starts implementing the 2fa stuff
src/Umbraco.Web.BackOffice/Controllers/PublishedSnapshotCacheStatusController.cs
/// </summary>
/// <param name="throwExceptions">set to true if you want exceptions to be thrown if failed</param>
/// <returns></returns>
ValidateRequestAttempt AuthorizeRequest(bool throwExceptions = false);
No longer needed, the more we can remove from this the better
…ature/2FAuth
# Conflicts:
# src/Umbraco.Tests.Integration/TestServerTest/TestAuthHandler.cs
# src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs
# src/Umbraco.Web.BackOffice/Controllers/BackOfficeController.cs
# src/Umbraco.Web.BackOffice/Controllers/ContentController.cs
# src/Umbraco.Web.BackOffice/Controllers/ContentTypeController.cs
# src/Umbraco.Web.BackOffice/Controllers/MediaTypeController.cs
# src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
# src/Umbraco.Web.BackOffice/Filters/DenyLocalLoginAuthorizationAttribute.cs
# src/Umbraco.Web.BackOffice/Filters/OverrideAuthorizationFilterProvider.cs
# src/Umbraco.Web.Common/Filters/UmbracoBackOfficeAuthorizeAttribute.cs
# src/Umbraco.Web.Common/Filters/UmbracoBackOfficeAuthorizeFilter.cs
…ntroller/BackOfficeController
…ith the fix of returning the task instance from within MoveViewsAndRegenerateJS
This was reviewed and approved by @bergmania who's authorized me to merge :P
For the record, I reviewed this, but we discussed over zoom :)
Interesting, what was wrong with the default?
Something sounds off here, shouldn't each auth provider have their own cookie used for the authentication flow?
Nothing, it's just that you can have one for the front end members and one for the back end users, they cannot share the same path because they have different configurations. By convention, though it's not a rule, the path is prefixed with "umbraco-". This could be anything you want, just so long as it doesn't overlap with another.
What is off here is that this library https://github.com/AzureAD/microsoft-identity-web/ tries to do way too much. It automatically tries to configure all of your auth including your default cookie auth. I have an issue to raise and/or comment on but it's also related to
There should be an option to not configure any cookie authentication, just like normal OpenIdConnect, Google, etc... providers. This library is trying to be too 'simple' and just do everything for you. See
Sure we could avoid this hack but it would mean duplicating almost all of their code here https://github.com/AzureAD/microsoft-identity-web/blob/b9de3cc12a58864f24e03538279d5577185e6788/src/Microsoft.Identity.Web/WebAppExtensions/MicrosoftIdentityWebAppAuthenticationBuilderExtensions.cs#L255 For this test, not specifying anything for the "cookieScheme" would work fine, we set the SignInScheme to be the umbraco back office one here https://github.com/umbraco/Umbraco-CMS/pull/9470/files#diff-655b7862f1cff88520b0766af2912c6eadcf0448565c839404f907a6e58fe0aeR59 , however if you had normal cookie authentication enabled for your own front end then their method would throw an exception since it's trying to configure 2x the same cookie auth. Hence this work around.
heh I don't think microsoft-identity-web existed last time I integrated azure ad, guessing it would have been MSAL, sorry for your pain
Once we merged 8.9 up, we then have to reimplement most things because it's all changed in aspnetcore.
So this re-implements OAuth along with the 8.9 features that didn't automatically merge among other things:
- `IBackOfficeSignInManager` `IsAuthenticated`, `PostLogout` and `GetRemainingTimeoutSeconds`, instead rely on the standard aspnetcore authentication and `ClaimsPrincipal` methods.
- `BackOfficeController` & fixes AuthN for unauthorized endpoints
- `IBackOfficeTwoFactorOptions` and the default `NoopBackOfficeTwoFactorOptions` to allow for end users to be able to supply an angular view to show the 2FA dialog to the back office user (just like in v8). This is simpler than in v8 where the interface was required to be implemented by the user manager, now it's just its own service that can be replaced.
- `IUserTwoFactorStore` because we don't support that store OOTB, just like in v8. For 2FA support (just like v8) it will require the user to replace our store, implement the required `IUserTwoFactorStore`, the DB changes necessary and override the `UpdateAsync` method to persist it all properly. It will be slightly easier to replace in netcore than in v8 due to better DI support and no OWIN and also not requiring replacing the user manager, but will still require most of the principles and code found in this project https://github.com/Offroadcode/Umbraco-2FA. Some time in the future if required the CMS codebase can fully implement 2FA which now in aspnetcore requires a lot more implementation logic, for now it will be entirely up to the end user (just like v8)
- (`BackOfficeExternalLoginProvider`) with identity's external login provider configuration. There is no built in way to do this so we need to wrap those calls and use our own `BackOfficeAuthenticationBuilder` instance to do the association of `BackOfficeExternalLoginProviderOptions` with the corresponding external login Scheme which registers a `BackOfficeExternalLoginProvider` to be resolved later. Then ensure that its OAuth options are always configured correctly for the back office (`SignInScheme`)
Testing
In the UI.NetCore project you can install these packages for testing:
In Startup your ConfigureServices could look like the below. This enables a Google and Azure AD provider. Ensure you fill in your own details. You can basically follow these instructions for Azure Ad https://shazwazza.com/post/configuring-azure-active-directory-login-with-umbraco/ EXCEPT that the redirect url must be what is below: `/umbraco-signin-oidc` instead of `/umbraco`. For Google you just follow this https://developers.google.com/identity/protocols/oauth2 and use the below redirect path: `/umbraco-google-signin`
Then you can play around with those options, like: `denyLocalLogin` which will mean it won't let you login locally, `autoRedirectLoginToExternalProvider` which will auto redirect to that provider when you hit the login page, specifying `ExternalSignInAutoLinkOptions(true)` to enable auto-linking which will automatically create a local user and link them, you can breakpoint in the callbacks to make sure they are working. I've tested all this and it works on my machine.
NOTE: the weirdness with the Azure Ad stuff, that is because the package `Microsoft.Identity.Web` tries to do too much and there's no way around that. It will try to AddCookie authentication when we already have it. It's pretty silly and I have a GH issue to open about that, for now the work around is to use a "Fake" scheme which will just add a fake cookie auth scheme that isn't used since we redirect this using options to the back office scheme.
New tasks
- `UpdateExternalAuthenticationTokensAsync` in `BackOfficeController.ExternalLinkLoginCallback` to persist external login information. This is built into aspnetcore identity and it wasn't before. Things like UmbracoId need to hack around this but now that it's built in we should automatically handle it. See TODO.