Umbraco 13 .Net Core Cookie Authentication Breaks Backoffice #17520

Open
imadtbro opened this issue Nov 12, 2024 · 1 comment

imadtbro commented Nov 12, 2024

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

13.4.1

Bug summary

Implementing Cookie Based Authentication (https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0) and using it to log in causes logging into the back office to break.

Specifics

After implementing Cookie Based Authentication and using it to login on the frontend, logging into the back office returns an angular error:

Possibly unhandled rejection: The user object is invalid, the remainingAuthSeconds is required.

Cookie Based Implementation is as follows:

Create UmbracoBuilderExtensions class to set up cookie based authentication details:

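using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Extensions;

public static class UmbracoBuilderExtensions
{
    public static IUmbracoBuilder AddUserCookieAuthentication(this IUmbracoBuilder builder, string cookieName)
    {
        builder.AddMemberExternalLogins(logins =>
        {
            logins.AddMemberLogin(
                memberAuthenticationBuilder =>
                {
                    // Uses the ASP.NET Core default cookie scheme name ("Cookies").
                    string strSchemeName = CookieAuthenticationDefaults.AuthenticationScheme;

                    // Registers a cookie handler under that scheme with a custom cookie name.
                    memberAuthenticationBuilder.AddCookie(strSchemeName, objCookieAuthenticationOptions =>
                    {
                        objCookieAuthenticationOptions.Cookie.Name = cookieName;
                    });

                    // Makes the cookie scheme the application-wide default authenticate scheme.
                    builder.Services.AddAuthentication(options =>
                    {
                        options.DefaultAuthenticateScheme = strSchemeName;
                    });
                    builder.Services.AddAuthorization();
                });
        });
        return builder;
    }
}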

Add Builder Extension to Configure Services in Startup.cs:

services.AddUmbraco(_env, _config)
     .AddBackOffice()
     .AddWebsite()
     .AddComposers()
     .AddUserCookieAuthentication(cookieName: "MyAuthCookie")  
     .AddAzureBlobMediaFileSystem() // This configures the required services for Media
     .AddAzureBlobImageSharpCache() // This configures the required services for the Image Sharp cache                   
     .Build();

Add Use Authentication to app build in Startup.cs:

app.UseUmbraco()
    .WithMiddleware(u =>
    {
        u.UseBackOffice();
        u.UseWebsite();
        u.AppBuilder.UseAuthentication();
    })
    .WithEndpoints(u =>
    {
        u.UseInstallerEndpoints();
        u.UseBackOfficeEndpoints();
        u.UseWebsiteEndpoints();
    });

Set up a simple login functionality into a home page controller:

try
{
    // Fixed test identity: one name claim and one role claim.
    var claims = new List<Claim>
    {
        new Claim(ClaimTypes.Name, "user record"),
        new Claim(ClaimTypes.Role, "individualuser"),
    };

    var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
    var authProperties = new AuthenticationProperties
    {
        AllowRefresh = true,
        IsPersistent = true,
    };

    if (_httpContextAccessor.HttpContext != null)
    {
        // Issues the auth cookie under the "Cookies" scheme registered above.
        await _httpContextAccessor.HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(claimsIdentity),
            authProperties);

        _logger.LogInformation("User {record} logged in at {Time}.", "user record", DateTime.UtcNow);
    }
    else
    {
        _logger.LogError("There is no context for logging in");
    }
}
catch (Exception ex)
{
    // Pass the exception itself so the stack trace is logged, not only the message.
    _logger.LogError(ex, "Logging in user error {Message}", ex.Message);
}

The "_httpContextAccessor" is an IHttpContextAccessor injected into the home page controller.

This implementation successfully logs the user in. Calling "_httpContextAccessor.HttpContext.User.Identity.IsAuthenticated" successfully returns true after executing this code.

Performing a "_httpContextAccessor.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);" will successfully log the user out and make calling "_httpContextAccessor.HttpContext.User.Identity.IsAuthenticated" return false.

While a frontend user is logged in, logging into the back office works, but the error mentioned above immediately happens and causes the back office to not load.

Logging out the frontend user returns the back office to working correctly.

Steps to reproduce

Implementing the code in the above specifics section.
Logging in a user on the front end.
Logging into the back office while a front end user is logged in causes the error to happen.

Expected result / actual result

The expected result is that the back office will still load properly whether a front end user is logged in or not.

The actual result is the back office not loading properly.

I'm not sure if this is a bug or has to do with how I have this implemented. We are rebuilding an Umbraco 8 site in Umbraco 13. The Umbraco 8 site made use of the cookie based authentication and worked fine.
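
To see which scheme supplies the identity on a back-office request while the front-end cookie is present, a diagnostic endpoint can report the default authenticate scheme and the result of authenticating against each registered scheme. This is an added example, not code from the issue or from Umbraco; the helper name UseAuthSchemeDiagnostics and the path /_diag/auth-schemes are hypothetical.

```csharp
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public static class AuthSchemeDiagnostics
{
    // Hypothetical helper (not an Umbraco or ASP.NET Core API).
    public static IApplicationBuilder UseAuthSchemeDiagnostics(
        this IApplicationBuilder app, string path = "/_diag/auth-schemes")
    {
        return app.Map(path, branch => branch.Run(async context =>
        {
            // The response names identities, so serve it in Development only.
            var env = context.RequestServices.GetRequiredService<IHostEnvironment>();
            if (!env.IsDevelopment())
            {
                context.Response.StatusCode = StatusCodes.Status404NotFound;
                return;
            }

            var provider = context.RequestServices.GetRequiredService<IAuthenticationSchemeProvider>();
            var defaultScheme = await provider.GetDefaultAuthenticateSchemeAsync();

            var perScheme = new List<object>();
            foreach (var scheme in await provider.GetAllSchemesAsync())
            {
                // Ask each registered handler directly, bypassing the default scheme.
                var result = await context.AuthenticateAsync(scheme.Name);
                perScheme.Add(new
                {
                    scheme = scheme.Name,
                    handler = scheme.HandlerType.Name,
                    succeeded = result.Succeeded,
                    name = result.Principal?.Identity?.Name,
                });
            }

            await context.Response.WriteAsJsonAsync(new
            {
                defaultAuthenticateScheme = defaultScheme?.Name,
                contextUserAuthType = context.User.Identity?.AuthenticationType,
                schemes = perScheme,
            });
        }));
    }
}
```

Called as u.AppBuilder.UseAuthSchemeDiagnostics() after UseAuthentication in the WithMiddleware callback, the contextUserAuthType field reflects the identity set by the default scheme. Comparing the output with only the back-office cookie present against the output with both cookies present shows whether the default scheme changes which identity a request carries.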

Hi there @imadtbro!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

  • We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
  • If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
  • We'll replicate the issue to ensure that the problem is as described.
  • We'll decide whether the behavior is an issue or if the behavior is intended.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂

@nikolajlauridsen nikolajlauridsen self-assigned this Nov 14, 2024