U4-10444 - External Logins have stopped working since the 7.7.1 update when using auto linking

Created by Sam 21 Sep 2017, 07:07:30 Updated by Asbjørn Riis-Knudsen 01 Oct 2017, 12:00:29

Tags: Unscheduled PR

Is duplicated by: U4-10489

Subtask of: U4-9609

I've just upgraded a project with Active Directory as an External Login Provider and it has stopped working completely. :/

Just debugging the problem I've identified two issues so far:

  1. As soon as Umbraco tries to autolink an external login to a new user it fails with a NullReferenceException here: public void AddRole(string role) { Roles.Add(new IdentityUserRole ); } because Roles is null. I was able to create the Roles parameter in the constructor to keep going, but came across the second issue:

  2. After auto linking is complete (BackOfficeController.AutoLinkAndSignInExternalAccount) Umbraco doesn't actually create an entry in the DB to link the newly created. That means the first time I log in everything works well, but every consecutive time I try to login using the external provider I get an error "A user with this email address already exists locally. You will need to login locally to Umbraco and link this external provider: [...]". Which makes sense, since there is no external account connected to the user, but the user with that email address now already exists in the database.

Please help!! Thanks


Sam 21 Sep 2017, 07:25:38

Update after further debugging: I found the piece of code that's responsible for persisting the external link: if (user.IsPropertyDirty("Logins")) { var logins = await GetLoginsAsync(user); _externalLoginService.SaveUserLogins(found.Id, logins); } The problem is that user.IsPropertyDirty("Logins") is always false even after a new (external) Login was assigned. If I manually execute the code in the brackets (the SaveUserLogins), it all works fine.
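
As an added illustration (not Umbraco's code and not the fix that was merged), the following minimal C# model shows the two defects Sam describes: a role collection left null so AddRole throws, and per-property dirty tracking that never fires when the Logins collection is mutated in place, so the external login is never persisted. The class, property names and the sample login key are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;

// Hypothetical stand-in for an identity user with change tracking; not Umbraco's class.
public class TrackedUser
{
    private readonly HashSet<string> _dirty = new HashSet<string>();

    // Defect 1 as reported: if this collection is left null, AddRole throws
    // NullReferenceException. Initializing it here removes that failure.
    public List<string> Roles { get; } = new List<string>();

    // Defect 2 as reported: adding to a plain List<T> never signals a property change,
    // so IsPropertyDirty("Logins") stays false and SaveUserLogins is skipped.
    // Using an ObservableCollection and marking the property dirty on CollectionChanged
    // makes an in-place mutation visible to the persistence check.
    public ObservableCollection<string> Logins { get; }

    public TrackedUser()
    {
        Logins = new ObservableCollection<string>();
        Logins.CollectionChanged += (sender, args) => _dirty.Add("Logins");
    }

    public void AddRole(string role) => Roles.Add(role);

    public void AddLogin(string providerKey) => Logins.Add(providerKey);

    public bool IsPropertyDirty(string propertyName) => _dirty.Contains(propertyName);

    public void ResetDirtyProperties() => _dirty.Clear();
}

public static class Program
{
    public static void Main()
    {
        var user = new TrackedUser();
        user.AddRole("editor"); // safe: Roles was initialized in the constructor

        // Before any login is added, the property is still clean.
        Console.WriteLine($"Logins dirty before add: {user.IsPropertyDirty("Logins")}");

        // Constructed sample provider key; a real key comes from the external provider.
        user.AddLogin("ActiveDirectory|sam@example.test");

        // The CollectionChanged hook has now flagged the property, so the persistence
        // branch (the SaveUserLogins call in the comment above) would execute.
        Console.WriteLine($"Logins dirty after add: {user.IsPropertyDirty("Logins")}");
    }
}
```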

Shannon Deminick 21 Sep 2017, 08:00:17

Kudos for investigating! We'll have a look shortly but a 7.7.2 release won't make it out until most likely Oct 3 (small chance it could be Sept 26)

Sam 22 Sep 2017, 03:59:18

@Shandem I created a pull request with a quick fix, you might want to change it, since it might be a bit crude, but it clearly illustrates what the problems are. https://github.com/umbraco/Umbraco-CMS/pull/2208

Bjørn Isaksen 25 Sep 2017, 13:38:50

It might not be related, but while debugging this issue I also noted it rewrites the url I use as AuthenticationType from https to http.

I set wsFedOptions.AuthenticationType="https://sts.larvik.kommune.no/adfs/services/trust"; I then receive an error in the log (note the https rewrite): 2017-09-25 15:32:39,772 [P12996/D24/T66] WARN Umbraco.Web.Editors.BackOfficeController - Could not find external authentication provider registered: http://sts.larvik.kommune.no/adfs/services/trust

Also the following error comes in the login dialog when trying to autocreate and link (again https rewrite): The requested provider (http://sts.larvik.kommune.no/adfs/services/trust) has not been linked to to an account

If I use http in my authenticationtype and not https, it progresses further and fails on AddRole as stated in this issue

Shannon Deminick 27 Sep 2017, 12:21:55

@bai I'm not sure if that is related to this - can you test with 7.6.x? I don't think that sort of logic was touched for 7.7.x

Shannon Deminick 27 Sep 2017, 12:28:38

Thanks @sam all merged in and the changes are just fine :)

Bjørn Isaksen 27 Sep 2017, 13:53:25

@Shandem the rewrite is also happening on a clean install of 7.6.8 so not specifically related to 7.7.1. The warning does not show up in the logs however on 7.6.8, so maybe 7.7.1 does something in addition causing this.

However I did notice something interesting on the 7.6.8 test. If I set my authenticationtype=https://sts.larvik.kommune.no/adfs/services/trust, it doesn't seem to understand that my account is linked. The logon using adfs works, but it shows "Link your ad fs account" when it is already linked.

If I change my authenticationtype to http://sts.larvik.kommune.no/adfs/services/trust, it detects that the accounts are linked and shows "un-link your ad fs account".

So it seems there is a rewrite of this address from https to http causing some confusion. Was that understandable? I could create a video to show it better if necessary

Shannon Deminick 27 Sep 2017, 14:04:46

@bai yup I understand. You'll need to create a separate issue about this but I don't actually think it's Umbraco that is doing anything, it is the openidconnect provider or the oauth server that is doing this.

Priority: Show-stopper

Type: Bug

State: Fixed


Difficulty: Difficult

Category: Security

Backwards Compatible: True

Fix Submitted:

Affected versions: 7.7.1

Due in version: 7.7.2

Sprint: Sprint 68

Story Points: 0.5