Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Traditionally when using External login providers (OAuth), a backoffice user or website member will need to exist first and then that user can link their user account to an external login provider in the backoffice or edit profile page.
In many cases, however, the external login provider you install will be the source of truth for all of your users.
In this case, you will want to provide a Single Sign On (SSO) approach to logging in. This would enable the creating of user accounts on the external login provider and then automatically give them access to Umbraco. This is called auto-Linking.
To enable auto linking you have to implement a custom named configuration of BackOfficeExternalLoginProviderOptions or MemberExternalLoginProviderOptions for users or members, respectively.
This example shows connection to an Open ID Connect Service such as IdentityServer4 or OpenIDDict
You can first create a OpenIdConnectBackOfficeExternalLoginProviderOptions.cs file which configures the options like
Additionally, there are more advanced properties for BackOfficeExternalLoginProviderOptions:
BackOfficeExternalLoginProviderOptions.CustomBackOfficeView
Allows for specifying a custom angular HTML view that will render in place of the default external login button. The purpose of this is in case you want to completely change the UI but also in these circumstances:
You want to display something different where external login providers are listed: in the login screen vs the backoffice panel vs on the logged-out screen. This same view will render in all of these cases but you can use the current route parameters to customize what is shown.
You want to change how the button interacts with the external login provider. For example, instead of having the site redirect on button-click, you want to open a popup window to load the external login provider.
The path is a virtual path, for example: "~/App_Plugins/MyPlugin/BackOffice/my-external-login.html"
When specifying this view it is 100% up to your angular view and affiliated angular controller to perform all required logic.
To register this configuration class, you can call the following from your startup.cs:
We recommend to create an extension method on the IUmbracoBuilder, to add the Open Id Connect Authentication, like this This extension can also handle the configuration of OpenIdConnectBackOfficeExternalLoginProviderOptions:
Finally this extension can also be called from the Startup.cs like the example below:
For some providers, it doesn't make sense to use auto-linking. This is especially true for public providers such as Google or Facebook. In those cases, it would mean that anyone who has a Google or Facebook account can log into your site. For public providers such as this, if auto-linking was needed you would need to limit the access by domain or other information provided in the Claims using the options/callbacks specified in those provider's authentication options.
The way to implement auto linking for members is fairly similar to how it is for users. The main difference is the UI, where Umbraco do not have a fixed login page for members. Instead, Umbraco ships with some Partial Macro Snippets for Login and EditProfile that contains handling of Login and manual linking of the configured external member providers.
When auto-linking is enabled, only the Login snippet is relevant as users do not have to register before.
The following example will show how to use Google and external login provider. You can first create a GoogleMemberExternalLoginProviderOptions.cs file which configures the options like
To register this configuration class, you can call the following from your startup.cs:
Like for users, we recommend creating an extension method on the IUmbracoBuilder, to add the Google Authentication, like this. This extension can also handle the configuration of GoogleMemberExternalLoginProviderOptions:
Finally this extension can also be called from the Startup.cs like the example below:
Auto-linking only makes sense if you have a public member registration anyway or the external provider does not have public account creation.
If you have configured auto-linking, then any auto-linked user or member will have an empty password assigned and they will not be able to log in locally (via username and password). In order to log in locally, they will have to assign a password to their account in the backoffice or the edit profile page.
For users only, if the DenyLocalLogin option is enabled, then all password changing functionality in the backoffice is also disabled and local login is not possible.
In some cases you may want to flow a Claim returned in your external login provider to the Umbraco backoffice identity's Claims (the authentication cookie). This can be done during the OnAutoLinking and OnExternalLogin.
Reason for this could be to store the external login provider user ID into the backoffice identity cookie. That way it can be retrieved on each request in order to look up some data in another system that needs the current user id from the external login provider.
Do not flow large amounts of data into the backoffice identity because this information is stored into the backoffice authentication cookie and cookie limits will apply. Data like JWT tokens need to be persisted somewhere to be looked up and not stored within the backoffice identity itself.
This is a very simplistic example for brevity, no null checks, etc...
In some cases, you may need to persist data from your external login provider like Access Tokens, etc. You can persist this data to the affiliated user's external login data via the IExternalLoginWithKeyService. The void Save(Guid userOrMemberKey,IEnumerable<IExternalLoginToken> tokens) overload takes a new model of type IEnumerable<IExternalLogin>. IExternalLogin contains a property called UserData. This is a blob text column so can store any arbitrary data for the external login provider.
Be aware that the local Umbraco user must already exist and be linked to the external login provider before data can be stored here. In cases where auto-linking occurs and the backoffice user isn't yet created, you will most likely need to store this data in memory. First, during auto-linking and then persist this data to the service once the user is linked and created.
Having the ability to replace the logic to validate a username and password against a custom data store is important to some developers. Normally in ASP.Net Core Identity this would require you to override the UmbracoBackOfficeUserManager.CheckPasswordAsync implementation and then replace the UmbracoBackOfficeUserManager with your own class during startup. Since this is a common task we've made this process a lot easier with an interface called IBackOfficeUserPasswordChecker.
Here are the steps to specify your own logic for validating a username and password for the backoffice:
Create an implementation of Umbraco.Cms.Core.Security.IBackOfficeUserPasswordChecker
There is one method in this interface: Task<BackOfficeUserPasswordCheckerResult> CheckPasswordAsync(BackOfficeIdentityUser user, string password);
The result of this method can be 3 things:
ValidCredentials = The credentials entered are valid and the authorization should proceed
InvalidCredentials = The credentials entered are not valid and the authorization process should return an error
FallbackToDefaultChecker = This is an optional result which can be used to fallback to Umbraco's default authorization process if the credentials could not be verified by your own custom implementation
For example, to always allow login when the user enters the password test you could do:
Register the MyPasswordChecker in your Startup.ConfigureServices method:
If the username entered in the login screen does not exist in Umbraco, then MyPasswordChecker() does not run. Instead, Umbraco will immediately fall back to its internal checks, which is the default Umbraco behavior.
The BackOfficeUserManager is the ASP.NET Core Identity UserManager implementation in Umbraco. It exposes APIs for working with Umbraco User's via the ASP.NET Core Identity including password handling.
The BackOfficeUserManager is the ASP.NET Core Identity UserManager implementation in Umbraco. It exposes APIs for working with Umbraco Users via the ASP.NET Core Identity including password handling.
The BackOfficeUserManager can be replaced during startup in order to use your own implementation. This may be required if you want to extend the functionality of the BackOfficeUserManager for things like supporting two-factor authentication(2FA).
You can replace the BackOfficeUserManager in the startup class by using the SetBackOfficeUserManager extension on the IUmbracoBuilder.
You can then implement your custom BackOfficeUserManager, like this. Note the constructor minimum needs to inject what is required for the base BackOfficeUserManager class:
There are many notifications you can handle on the BackOfficeUserManager. Internally these are mainly used for auditing but there are some that allow you to customize some workflows:
SendEmailNotification
This is a generic notification but it has a property EmailType that specify the email type. This type can be UserInvite. In that case, it allows you to take control over how a user in the backoffice is invited. This might be handy if you are using an External Login Provider that has the DenyLocalLogin option assigned and you still want to have the user invite functionality available. In this setup, all of your users are controlled by your external login provider so you would need to handle the user invite flow yourself by using this event and inviting the user via your external provider. If you are using this event to replace the default functionality you will need to tell Umbraco that you've handled the invite by calling the SendEmailNotification.HandleEmail() method.)
UserLogoutSuccessNotification
This is specifically used if you have an External Login Provider in use and you want to log out of that external provider when the user is logged out of the backoffice (that is log out of everywhere). The notification has a property SignOutRedirectUrl. If this property is assigned then Umbraco will redirect to that URL upon successful backoffice sign out in order to sign the user out of the external login provider.
There is one default admin user in any Umbraco installation. This is the first user of the system.
The first step is to clear the connection string to the database in the configuration. This is done to trigger the installation wizard.
That means that in your appsettings configuration files it should look like this:
Note that configuration can be read from many sources
Remember to check this connection string is not provided through environment variables or other configuration sources.
If you now open your browser and surf to the website, you will see that the installer launches. Enter your new details, and use the original connection string. You are good to go.
Make sure you protect a production websites from being highjacked as anyone will be able to reset the password during the last step. This does also work if your site is in an upgrading state.
It's impossible to brute force the authentication on the login screen because after MaxFailedAccessAttemptsBeforeLockout the account of the user will be locked, and until that account is unlocked in the Users section, no attempt will succeed.
When you submit the password reset form, an email is sent to the user with a link. This link contains a random token for this user that is valid for 24 hours.
The settings AllowPasswordReset is documented in the Umbraco Security Settings and e-mail configuration settings in Backoffice Login Password Reset Section
If the user that is specified in the form does not exist, no e-mail will be sent and there will be no response in the form that this user does not exist. This is done to prevent leaking which users have an account.
If a user is locked out, it is possible to do a password reset. After the e-mail with the password reset link is followed, the user will still be locked out unless the user has specified the new password, in which case the user will automatically be unlocked.
If you lost the admin user password and you need to reset it, check this article.
This section includes information on Umbraco security, its various security options and configuring how authentication & authorization works in Umbraco
In this article, you will find everything you need regarding security within Umbraco.
On our main website, we have a dedicated security section which provides all the details you need to know about security within the Umbraco CMS. This includes how to report a vulnerability.
We highly encourage the use of HTTPS on Umbraco websites, especially in production environments. By using HTTPS you greatly improve the security of your website.
In the "Use HTTPS" article you can learn more about how to use HTTPS and how to set it up.
Learn which password settings that can be configured in Umbraco.
Learn about how to harden the security on your Umbraco website to secure it even further.
When your project is hosted on Umbraco Cloud, you might be interested in more details about the security of the hosting. This information can be found in the Umbraco Cloud FAQs section of the documentation.
Authentication for backoffice users and website members in Umbraco uses ASP.NET Core Identity which is a flexible and extendable framework for authentication.
Out of the box Umbraco ships with a custom ASP.NET Core Identity implementation which uses Umbraco's database data. Normally this is fine for most Umbraco developers, but in some cases the authentication process needs to be customized.
The Umbraco users and members supports external login providers (OAuth) for performing authentication of your users/members. This could be any OpenIDConnect provider such as Entra ID/Azure Active Directory, Identity Server, Google or Facebook.
The Umbraco members supports a two-factor authentication (2FA) abstraction for implementing a 2FA provider of your choice. This could be any Time-based One-time Password (TOTP) Algorithm, including Microsoft and Google Authenticator Apps
The BackOfficeUserManager is the ASP.NET Core Identity UserManager implementation in Umbraco. It exposes APIs for working with Umbraco Users via the ASP.NET Core Identity including password handling.
In most cases External login providers (OAuth) will meet the needs of most users when needing to authenticate with external resources but in some cases you may need to only change how the username and password credentials are checked.
This is typically a legacy approach to validating credentials with external resources but it is possible.
You are able to check the username and password against your own credentials store by implementing a IBackOfficeUserPasswordChecker.
Marking fields as sensitive will hide the data in those fields for backoffice users that do not have permission to view personal data of members.
Learn more about this in the Sensitive Data article.
How to configure Umbraco to run on a FIPS compliant server.
Use this guide to reset the password of the "admin" user.
If you need to reset accounts of every other user while you still have administrative action, check this "reset normal user password" article.
Umbraco supports supports external login providers (OAuth) for performing authentication of your users and members. This could be any OpenIDConnect provider such as Azure Active Directory, Identity Se
Both the Umbraco backoffice users and website members supports external login providers (OAuth) for performing authentication of your users or members. This could be any OpenIDConnect provider such as Entra ID/Azure Active Directory, Identity Server, Google or Facebook.
Unlike previous major releases of Umbraco the use of Identity Extensions package is no longer required.
Install an appropriate nuget package for the provider you wish to use. Some popular ones found in Nuget include:
Try it out
This community-created package with a complete Umbraco solution incl. an SQLite database demonstrates how OpenID Connect can be used: Umbraco OpenIdConnect Example.
This community-created package will allow you to automatically create Umbraco user accounts for users in your directory. This will then associate the Umbraco users with groups based on their AD group: Umbraco.Community.AzureSSO.
It is great for testing and for trying out the implementation before building it into your own project.
To configure the provider create a new static extension class for your provider and configure a custom named options like GoogleBackOfficeExternalLoginProviderOptions described in details in the auto linking section. The code example below shows how the configuration for Google Authentication can be done. You can find an example for how this can be done with Microsoft in the Authenticating on the Umbraco backoffice with Active Directory credentials article.
And another, but fairly similar, example of configuration for Google Authentication for members may look like:
Finally, update ConfigureServices in your Startup.cs class to register your configuration with Umbraco. An example may look like:
For a more in depth article on how to setup OAuth providers in .NET refer to the Microsoft Documentation.
Depending on the provider you've configured and its caption/color, the end result will look similar to this for users:
Because Umbraco do not control the UI of members, this can be setup to look exactly like you would like, but Umbraco ships with partial macro snippets for Login that will show all configured external login providers.
Traditionally a backoffice user or members will need to exist first and then that user can link their user account to an external login provider in the backoffice. In many cases however, the external login provider you install will be the source of truth for all of your users.
In this case, you would want to be able to create user accounts in your external login provider and then have that user given access to the backoffice without having to create the user in the backoffice first. This is done via auto-linking.
This could also be the case for members if your website allows public creation of members. In this case, the creation process can be simplified by allowing auto-linking the external account. E.g. using Facebook, Twitter or Google.
Read more about auto linking.
The cookies listed in this article are required only for accessing the Backoffice. You can include these in your own cookie policy, if you wish.
The below cookies are necessary for accessing the Umbraco Backoffice and functioning of the website. They allow you to enjoy the contents and services you request.
| Name | Purpose | Expiration |
|---|---|---|
The UMB_SESSION cookie is secure if you are using HTTPS pages. However, if you wish to secure the cookie in your code, add the following in the Program.cs file after Build();
For information on the rest of the cookies, see the Constants-Web.cs file on Github.
Here you find some tips and trick for hardening the security of your Umbraco installation.
It’s considered a good practice to lock down the Umbraco folder to specific IP addresses and/or IP ranges to ensure this folder is not available to everyone.
The prerequisite of this to work is that you’re using
If you’ve made sure that you’ve installed this on your server we can start locking down our Umbraco folder. This can be down by following these three steps.
We are going to lock down /Umbraco/, but because API-controllers and Surface-controller will use the path /umbraco/api/ and /umbraco/surface/ these will also be locked down. Our first rule in the IISRewrite.config will be used to make sure that these are not locked by IP-address.
Some older versions of Umbraco also relied on /umbraco/webservices/ for loadbalancing purposes. If you're loadbalancing you should also add umbraco/webservices to the rule.
Get the IP-addresses of your client and write these down like a regular expression. If the IP-addresses are for example 213.3.10.8 and 88.4.43.108 the regular expression would be "213.3.10.8|88.4.43.108".
Lock down the Umbraco folder by putting this rule into your IISRewrite-rules
If your server is behind a load balancer, you should use {HTTP_X_FORWARDED_FOR} instead of {REMOTE_ADDR} as the input for the rule.
If you now go to /umbraco/ from a different IP-address the login screen will not be rendered.
This tutorial walks through configuring Umbraco and Lucene to be FIPS compliant and serve up websites on a server with FIPS enabled.
FIPS should only be added for compliance. It is not a recommended approach for added security. For more information read
The Federal Information Processing Standard (FIPS) Publication 140-2, (), is a U.S. government computer security standard used to define approved cryptographic modules. The FIPS 140 standard also sets forth requirements for key generation and for key management.
Microsoft Windows has a "FIPS mode" of operation where it detects the cryptographic algorithms used by software running on it and will throw exceptions if it detects the use of non-FIPS compliant algorithms. Using MD5 hashing is generally the biggest culprit of issues running on FIPS enabled servers.
FIPS can be enabled through your Local Group Policy, Registry Setting, or Network Adapter setting. For more information about how to enable FIPS mode on Windows see this tutorial:
Umbraco 7.6.4+ has implemented checks for when FIPS mode is enabled on the server that it is installed on. When FIPS mode is detected, the cryptographic algorithms for hashing are changed to a FIPS compliant algorithm. When FIPS mode is disabled, then Umbraco uses backward compatible algorithms (MD5) so as not to affect existing installs. As of Umbraco version 7.6.4, the FIPS compliant cryptographic algorithm used is SHA1.
Since Umbraco 9, the dependency to Lucene.NET is updated to version 4+. Thereby are both Umbraco and all key dependencies FIPS compliant.
Can I install Umbraco directly on a version of Windows with FIPS mode enabled?
Installing to the FIPS server may not work. It's best to deploy an existing known working version to the FIPS server.
The settings for Umbraco passwords are configurable in appsettings. There are two different configuration objects - One for Umbraco Members and one for Users.
For more information see the .
Umbraco backend users can , or if they try too much, have a locked out account.
To deactivate the User password reset look at the section.
To configure password reset verify the section.
If set to false this can be used to try to render pages in a way that they are not supposed to
If set to false this can be used to do an enumeration of the nodes in your website and find hidden pages.
Umbraco Forms: and DisableFormCaching
In production environments it is highly recommend that you enforce the use of HTTPS (UseHttps). It grealy increases the general trust of your site and guards you against various attacks, like 'Man in
We highly encourage the use of HTTPS on Umbraco websites especially in production environments. By using HTTPS you greatly improve the security of your website.
There are several benefits of HTTPS:
Trust - when your site is delivered over HTTPS your users will see that your site is secured, they are able to view the certificate assigned to your site and know that your site is legitimate
Removing an attack vector called (or network Sniffing)
Guards against , an attacker will have a hard time obtaining an authentic SSL certificate
Google likes HTTPS, it may help your site's rankings
Another benefits of HTTPS is that you are able to use the protocol if your web server and browser support it.
Umbraco allows you to force HTTPS for all backoffice communications by using the following configuration:
In Umbraco 9, set the UseHttps key in appSettings to true.
This options does several things when it is turned on:
All non-https requests to any backoffice controller is redirected to https
All self delivered Umbraco requests (i.e. scheduled publishing, keep alive, etc...) are performed over https
All Umbraco notification emails with links generated have https links
All authorization attempts for backoffice handlers and services will be denied if the request is not over https
The .NET5+ way to handle this, is by adding this HttpsRedirectionMiddleware to your pipeline in Startup.cs. This can be done by adding app.UseHttpsRedirection(); before the call to app.UseUmbraco() in the Configure method:
Once you enable HTTPS for your site you should redirect all requests to your site to HTTPS, this can be done with an IIS rewrite rule. The IIS rewrite module needs to be installed for this to work, most hosting providers will have that enabled by default.
In your web.config find or add the <system.webServer><rewrite><rules> section and put the following rule in there. This rule will redirect all requests for the site http://mysite.com URL to the secure https://mysite.com URL and respond with a permanent redirect status.
The rule includes an ignore for localhost. If you run your local environment on a different URL than localhost you can add additional ignore rules. Additionally, if you have a staging environment that doesn't run on HTTPS, you can add that to the ignore rules too.
While the deprecated SSL (2.0 and 3.0) are not supported anymore by modern browsers, some of the Umbraco configuration still uses SSL. But rest assured, that is only the name.
Marking fields and properties on member data as sensitive will hide the data in those fields for backoffice users that are not privy to the data.
In this article, you will get an overview of how you can grant and/or deny your users access to sensitive data as well as how to mark data as sensitive.
Every new Umbraco installation ships with a default set of User Groups. One of them is the Sensitive data User Group. To give users in the backoffice access to view and work with sensitive data, they need to be part of the Sensitive data User Group.
Any users who are not part of the Sensitive data User Group, will not be able to see the data in the properties that are marked as sensitive. Instead, they will see a generic message: "This value is hidden. If you need access to view this value please contact your website administrator."
While not part of the Sensitive data User Group it is also not possible to export members or member data.
Follow these steps in order to grant a user access to sensitive data:
Navigate to the Users section in the Umbraco backoffice.
Ensure that Users is selected from the Users tree.
Select the Groups menu in the top-right corner.
Choose the Sensitive data group.
Click Add in the Users box on the right.
Select the users you want to give access to the sensitive data.
Click Submit.
Save the User Group.
The users you have added to the Sensitive data User Group will now be able to:
See member data that has been marked as sensitive,
Mark data and properties on Member Types as sensitive, and
Export members and member data.
Once your user is added to the Sensitive data User Group, you have access to add and configure member properties containing sensitive data.
Navigate to the Settings section in the Umbraco backoffice.
Open the Member Types in the Settings tree.
Select the Member Type you wish to edit.
Add a property or configure an existing property.
Locate the Is sensitive data option at the bottom of the Property settings dialog.
Click to enable.
Click Submit to update the property configuration.
Click Save to save the changes on the Member Type.
When the Is sensitive data option is enabled, the value and data in the property will only be visible to the users with access to sensitive data.
Ensures that the backoffice authentication cookie is set to (so it can only be transmitted over https)
In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS), or, formerly, its predecessor, Secure Sockets Layer (SSL) -
UMB_PREVIEW
Allows a previewed page to act as a published page only on the browser which has initialized previewing.
Session
UMB-WEBSITE-PREVIEW-ACCEPT
Client-side cookie that determines whether the user has accepted to be in Preview Mode when visiting the website.
Session
umb_installId
Used to store the Umbraco software installer id.
Session
UMB_UPDCHK
Enables your system to check for the Umbraco software updates.
Session
UMB-XSRF-V
Used to store the backoffice antiforgery token validation value.
Session
UMB-XSRF-TOKEN
Set for angular to pass in to the header value for "X-UMB-XSRF-TOKEN"
Session
TwoFactorRememberBrowser
Default authentication type used for storing that 2FA is not needed on next login
Session
UMB_SESSION
Preserves the visitor's session state across page requests.
Session
This section describes how you can implement File Validation
Sometimes it might be necessary to validate the contents of a file before it gets saved to disk when uploading trough the backoffice.
To help with this, Umbraco supplies a FileStreamSecurityValidator that runs all registered IFileStreamSecurityAnalyzer implementations on the file streams it receives from it's different file upload endpoints. When any of the analyzers deem the file to be unsafe, the endpoint disregards the file and shows a relevant validation message where appropriate. This all happens in memory before the stream is written to a temporary file location.
The IFileStreamSecurityAnalyzer needs a single method to be implemented:
IsConsideredSafe: This method should return false if the analyzer finds a reason not to trust the file
The following class shows how one could potentially guard against Cross-site scripting(XSS) vulnerabilities in an svg file.
You can register it during startup or with a composer.
This is an example of registering the class with a composer:
Then you can upload a file with the following content to the backoffice and see that it is not persisted.
This section describes how to sanitize the Rich Text Editor serverside
The rich text editor is sanitized on the frontend by default, however, you may want to do this serverside as well. The libraries that are out there tend to have very strict, and therefore, problematic dependencies, so we'll leave it up to you how you want to sanitize the HTML.
To make this task as easy as possible we've added an abstraction called IHtmlSanitizer, by default this doesn't do anything, but you can overwrite it with your own implementation to handle sanitization how you see fit. This interface only has a single method string Sanitize(string html), the output of this method is what will be stored in the database when you save a RichText editor.
To add your own sanitizer you must first create a class the implements the interface:
As you can see this specific implementation doesn't do a whole lot, but the Sanitize method is where you can use a library, or even your own sanitizer implementation, to sanitize the RichText editor input.
Now that you've added your own custom IHtmlSanitizer you must register it in the container to replace the existing NoOp sanitizer.
You can register it directly in the Startup.cs, for instance using an extension method on the IUmbracoBuilder:
Extension method:
Calling the extension method:
Or you can use a Composer:
If you've followed along you'll now see that no matter what you type in a Rich Text Editor, when you save it, it'll always only contain a heading that says "Sanitized HTML", this is of course isn't that helpful, but it shows that everything is working as expected, and that whatever your sanitizer returns is what will be saved.
Umbraco users and members support a two-factor authentication (2FA) abstraction for implementing a 2FA provider of your choice
Two-factor authentication (2FA) for Umbraco members is activated by implementing an ITwoFactorProvider interface and registering the implementation. The implementation can use third-party packages to archive for example support for authentication apps like Microsoft- or Google Authentication App.
If you are using Umbraco Cloud, you can enable multi-factor authentication in Umbraco ID. For more information, see the Multi-Factor Authentication article.
Since Umbraco does not control how the UI is for member login and profile edit, the UI for 2FA is shipped as part of the snippets for macros. These can be used as a starting point, before styling the page as you would like.
In the following example, we will use the GoogleAuthenticator NuGet Package. Despite the name, this package works for both Google and Microsoft authenticator apps and can be used to generate the QR code needed to activate the app for the website.
First, we create a model with the information required to set up the 2FA provider and then we implement the ITwoFactorProvider with the use of the TwoFactorAuthenticator from the GoogleAuthenticator NuGet package.
Now we need to register the UmbracoAppAuthenticator implementation. This can be done on the IUmbracoBuilder in your startup or a composer.
At this point, the 2FA is active, but no members have set up 2FA yet. The setup of 2FA depends on the type. In the case of App Authenticator, we will add the following to our view showing the edit profile of the member.
In this razor-code sample, we get the current member's unique key and list all registered ITwoFactorProvider implementations.
If the setupData is null for the specified providerName it means the provider is already set up. In this case, we show a disable button. Otherwise, we check the type and show the UI for how to set up the App Authenticator, by showing the QR Code and an input field to validate the code from the App Authenticator.
The last part required is to use the Login Partial Macro snippet.
When a 2FA login is requested for a member, the MemberTwoFactorRequestedNotification is published. This notification can also be used to send the member a one-time password via e-mail or phone. Even though these 2FA types are not considered secure as App Authentication, it is still a massive improvement compared to no 2FA.
Umbraco controls how the UI is for user login and user edits, but will still need a view for configuring each 2FA provider.
In the following example, we will use the GoogleAuthenticator NuGet Package. Despite the name, this package works for both Google and Microsoft authenticator apps and can be used to generate the QR code needed to activate the app for the website.
First, we create a model with the information required to set up the 2FA provider and then we implement the ITwoFactorProvider with the use of the TwoFactorAuthenticator from the GoogleAuthenticator NuGet package.
Now we need to register the UmbracoUserAppAuthenticator implementation and the view to show to set up this provider. This can be done on the IUmbracoBuilder in your startup or a composer.
Now we need to create the view we just configured, in the path we choose.
As this view uses an angular controller, we need to create that class and configure it in the package.manifest.
In package.manifest, we point to the path of the angular controller that we are creating in the next step.
And we create the controller in that location:
At this point, the 2FA is active, but no users have set up 2FA yet.
Each user can now enable the configured 2fa providers on their user. This can be done from the user panel by clicking the user avatar.
When clicking the Configure Two-Factor button, a new panel is shown, listing all enabled two-factor providers.
When clicking Enable on one of these, the configured view for the specific provider will be shown
When the authenticator is enabled correctly, a disable button is shown instead.
To disable the two-factor authentication on your user, it is required to enter the verification code, otherwise, admins are allowed to disable providers on other users.
When a 2FA login is requested for a user, the UserTwoFactorRequestedNotification is published. This notification can also be used to send the user a one-time password via e-mail or phone, even though these 2FA types are not considered secure as App Authentication, it is still a massive improvement compared to no 2FA.
While the 2FA is enabled, the user will be presented with this screen after entering the username and password.
