1 of 16

Security

This section includes information on Umbraco security, its various security options and configuring how authentication & authorization works in Umbraco

In this article, you will find everything you need regarding security within Umbraco.

The Umbraco Trust Center (external)

On our main website, we have a dedicated security section which provides all the details you need to know about security within the Umbraco CMS. This includes how to report a vulnerability.

Secure Sockets Layer (SSL)/HTTPS

We highly encourage the use of HTTPS on Umbraco websites, especially in production environments. By using HTTPS you greatly improve the security of your website.

In the "Use HTTPS" article you can learn more about how to use HTTPS and how to set it up.

Security Settings

Learn which password settings that can be configured in Umbraco.

Security Hardening

Learn about how to harden the security on your Umbraco website to secure it even further.

When your project is hosted on Umbraco Cloud, you might be interested in more details about the security of the hosting. This information can be found in the Umbraco Cloud FAQs section of the documentation.

Backoffice users and website members (external)

Authentication for backoffice users and website members in Umbraco uses ASP.NET Core Identity which is a flexible and extendable framework for authentication.

Out of the box Umbraco ships with a custom ASP.NET Core Identity implementation which uses Umbraco's database data. Normally this is fine for most Umbraco developers, but in some cases the authentication process needs to be customized.

The Umbraco users and members supports external login providers (OAuth) for performing authentication of your users/members. This could be any OpenIDConnect provider such as Entra ID/Azure Active Directory, Identity Server, Google or Facebook.

Two-factor authentication

The Umbraco members supports a two-factor authentication (2FA) abstraction for implementing a 2FA provider of your choice. This could be any Time-based One-time Password (TOTP) Algorithm, including Microsoft and Google Authenticator Apps

BackOfficeUserManager and Notifications

The BackOfficeUserManager is the ASP.NET Core Identity UserManager implementation in Umbraco. It exposes APIs for working with Umbraco Users via the ASP.NET Core Identity including password handling.

Custom password check

In most cases External login providers (OAuth) will meet the needs of most users when needing to authenticate with external resources. In some cases you may need to only change how the username and password credentials are checked.

This is typically a legacy approach to validating credentials with external resources but it is possible.

You are able to check the username and password against your own credentials store by implementing a IBackOfficeUserPasswordChecker.

Sensitive data on members

Marking fields as sensitive will hide the data in those fields for backoffice users that do not have permission to view personal data of members.

Learn more about this in the Sensitive Data article.

Setup Umbraco for a Federal Information Processing Standards (FIPS) Compliant Server

How to configure Umbraco to run on a FIPS compliant server.

Reset admin password

Use this guide to reset the password of the "admin" user.

If you need to reset accounts of every other user while you still have administrative action, check this "reset normal user password" article.

API rate limiting

How to take advantage of the built-in rate limiting middleware of ASP.NET Core in Umbraco.

Since ASP.NET Core 7, you can use the built-in rate limiting middleware to rate limit your APIs. You can apply the EnableRateLimiting and DisableRateLimiting attributes to add rate limiting on a controller or endpoint level. In this article, we will go through how you can configure and utilize different rate limiting strategies for Umbraco APIs.

What is rate limiting?

Rate limiting helps control the number of requests to an API, typically within a specified time frame or based on other parameters. This ensures the stability, availability, and security of your APIs. The key benefits are:

Preventing server or application overload
Improving security and protecting against DDoS attacks
Reducing unnecessary resource usage, thereby cutting down on costs

Configuring rate limiting

You can configure rate limiting in Umbraco by composition. To use the middleware, you need to register the rate limiting services first:

ApiRateLimiterComposer.cs

public class ApiRateLimiterComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        builder.Services.AddRateLimiter(rateLimiterOptions =>
        {
            // Default is 503 (Service Unavailable)
            rateLimiterOptions.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

            // Write your code to configure the middleware here (rate limiting policies)
        });
    }
}

After that, you have to apply the RateLimitingMiddleware by creating an Umbraco pipeline filter. UseRateLimiter() must be called after UseRouting(), therefore we use the PostRouting to make sure this happens in the correct order:

ApiRateLimiterComposer.cs

public class ApiRateLimiterComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        builder.Services.Configure<UmbracoPipelineOptions>(options =>
        {
            options.AddFilter(new UmbracoPipelineFilter("UmbracoApiRateLimiter")
            {
                PostRouting = postRouting =>
                {
                    // Apply the RateLimitingMiddleware
                    // Must be called after UseRouting()
                    postRouting.UseRateLimiter();
                }
            });
        });
    }
}

With the set-up in place, let's take a look at some limiter options.

Global limiter

Inside AddRateLimiter() we can use the GlobalLimiter option to set a global rate limiter for all requests:

ApiRateLimiterComposer.cs

            // Write your code to configure the middleware here (rate limiting policies)

            // Use GlobalLimiter for all requests
            rateLimiterOptions.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(httpContext =>
            {
                return RateLimitPartition.GetFixedWindowLimiter(
                    partitionKey: httpContext.Request.Headers.Host.ToString(), 
                    partition => new FixedWindowRateLimiterOptions
                    {
                        PermitLimit = 2,
                        Window = TimeSpan.FromSeconds(10),
                        AutoReplenishment = true
                    });
            });

In the above example, we have added a FixedWindowLimiter and configured it to automatically replenish permitted requests and permit 2 requests per 10 seconds. There are different algorithms and techniques for implementing rate limiting, which can vary depending on your use case. For more information, check the currently supported rate limiter algorithms.

Limit specific endpoints

If you want to be more granular, you can configure different rate limits for different endpoints in AddRateLimiter() as well:

ApiRateLimiterComposer.cs

            // Write your code to configure the middleware here (rate limiting policies)

            // Add specific rate limiting policies
            rateLimiterOptions.AddFixedWindowLimiter(policyName: "fixed1", options =>
            {
                options.PermitLimit = 2;
                options.Window = TimeSpan.FromSeconds(10);
                options.AutoReplenishment = true;
            });
            
            rateLimiterOptions.AddFixedWindowLimiter(policyName: "fixed2", options =>
            {
                options.PermitLimit = 5;
                options.Window = TimeSpan.FromSeconds(10);
                options.AutoReplenishment = true;
            });

In the code snippet above, we have configured 2 fixed window limiters with different settings, and different policy names ("fixed1" and "fixed2"). We can apply these policies to specific endpoints within Umbraco using the same UmbracoPipelineFilter:

ApiRateLimiterComposer.cs

                    // Applying EnableRateLimitingAttribute to specific endpoint
                    postRouting.Use(async (context, next) =>
                    {
                        // Limit specific controller(s)
                        var controllerName = ControllerExtensions.GetControllerName<AuthenticationController>();
                        var actionName = nameof(AuthenticationController.PostRequestPasswordReset);

                        var currentEndpoint = context.GetEndpoint();
                        var actionDescriptor = currentEndpoint?.Metadata.GetMetadata<ControllerActionDescriptor>();

                        // Apply rate limiting logic based on your conditions
                        if (currentEndpoint is not null &&
                            actionDescriptor is not null &&
                            actionDescriptor.ControllerName == controllerName &&
                            actionDescriptor.ActionName == actionName)
                        {
                            // Apply rate limiting logic based on your conditions
                            
                            // Add Attribute to endpoint's metadata
                            var endpointMetadataCollection = new EndpointMetadataCollection(
                                new List<object>(currentEndpoint.Metadata)
                                {
                                    new EnableRateLimitingAttribute("fixed1")
                                });

                            // Update endpoint
                            var updatedEndpoint = new Endpoint(
                                currentEndpoint.RequestDelegate,
                                endpointMetadataCollection,
                                currentEndpoint.DisplayName);

                            context.SetEndpoint(updatedEndpoint);
                        }

                        await next.Invoke();
                    });

This part of the code shows how to apply the fixed1 policy to the AuthenticationController.PostRequestPasswordReset endpoint, responsible for handling password reset requests. We can do that by dynamically modifying the endpoint's metadata - attaching the EnableRateLimitingAttribute with the name of the policy which needs to be applied. This enables us to enforce the defined rate limits on a particular endpoint.

For your reference, here is the complete ApiRateLimiterComposer.cs implementation.

ApiRateLimiterComposer.cs

using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Mvc.Controllers;
using Microsoft.AspNetCore.RateLimiting;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Web.BackOffice.Controllers;
using Umbraco.Cms.Web.Common.ApplicationBuilder;

namespace Umbraco.Docs.Samples;

public class ApiRateLimiterComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        // Register the rate limiting services
        builder.Services.AddRateLimiter(rateLimiterOptions =>
        {
            // Default is 503 (Service Unavailable)
            rateLimiterOptions.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

            // Use GlobalLimiter for all requests
            // rateLimiterOptions.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(httpContext =>
            // {
            //     return RateLimitPartition.GetFixedWindowLimiter(
            //         partitionKey: httpContext.Request.Headers.Host.ToString(),
            //         partition => new FixedWindowRateLimiterOptions
            //         {
            //             PermitLimit = 2,
            //             Window = TimeSpan.FromSeconds(10),
            //             AutoReplenishment = true
            //         });
            // });

            // Add specific rate limiting policies
            rateLimiterOptions.AddFixedWindowLimiter(policyName: "fixed1", options =>
            {
                options.PermitLimit = 2;
                options.Window = TimeSpan.FromSeconds(10);
                options.AutoReplenishment = true;
            });
            
            rateLimiterOptions.AddFixedWindowLimiter(policyName: "fixed2", options =>
            {
                options.PermitLimit = 5;
                options.Window = TimeSpan.FromSeconds(10);
                options.AutoReplenishment = true;
            });
        });

        builder.Services.Configure<UmbracoPipelineOptions>(options =>
        {
            options.AddFilter(new UmbracoPipelineFilter("UmbracoApiRateLimiter")
            {
                PostRouting = postRouting =>
                {
                    // Applying EnableRateLimitingAttribute to specific endpoint
                    postRouting.Use(async (context, next) =>
                    {
                        // Limit specific controller(s)
                        var controllerName = ControllerExtensions.GetControllerName<AuthenticationController>();
                        var actionName = nameof(AuthenticationController.PostRequestPasswordReset);

                        var currentEndpoint = context.GetEndpoint();
                        var actionDescriptor = currentEndpoint?.Metadata.GetMetadata<ControllerActionDescriptor>();
                        
                        // Apply rate limiting logic based on your conditions
                        if (currentEndpoint is not null &&
                            actionDescriptor is not null &&
                            actionDescriptor.ControllerName == controllerName &&
                            actionDescriptor.ActionName == actionName)
                        {   
                            // Add EnableRateLimiting attribute to endpoint's metadata
                            var endpointMetadataCollection = new EndpointMetadataCollection(
                                new List<object>(currentEndpoint.Metadata)
                                {
                                    new EnableRateLimitingAttribute("fixed1")
                                });

                            // Update endpoint
                            var updatedEndpoint = new Endpoint(
                                currentEndpoint.RequestDelegate,
                                endpointMetadataCollection,
                                currentEndpoint.DisplayName);

                            context.SetEndpoint(updatedEndpoint);
                        }

                        await next.Invoke();
                    });

                    // Apply the RateLimitingMiddleware
                    // Must be called after UseRouting()
                    postRouting.UseRateLimiter();
                }
            });
        });
    }
}

BackOfficeUserManager and Events

The BackOfficeUserManager is the ASP.NET Core Identity UserManager implementation in Umbraco. It exposes APIs for working with Umbraco User's via the ASP.NET Core Identity including password handling.

Extending

The BackOfficeUserManager can be replaced during startup in order to use your own implementation. This may be required if you want to extend the functionality of the BackOfficeUserManager for things like supporting two-factor authentication(2FA).

Example

You can replace the BackOfficeUserManager in the startup class by using the SetBackOfficeUserManager extension on the IUmbracoBuilder.

builder.CreateUmbracoBuilder()
    .AddBackOffice()
    .AddWebsite()
    .AddDeliveryApi()
    .AddComposers()
    .SetBackOfficeUserManager<CustomBackOfficeUserManager>()
    .Build();

You can then implement your custom BackOfficeUserManager, like this. Note the constructor minimum needs to inject what is required for the base BackOfficeUserManager class:

 public class CustomBackOfficeUserManager : BackOfficeUserManager
{
    public CustomBackOfficeUserManager(
        IIpResolver ipResolver,
        IUserStore<BackOfficeIdentityUser> store,
        IOptions<BackOfficeIdentityOptions> optionsAccessor,
        IPasswordHasher<BackOfficeIdentityUser> passwordHasher,
        IEnumerable<IUserValidator<BackOfficeIdentityUser>> userValidators,
        IEnumerable<IPasswordValidator<BackOfficeIdentityUser>> passwordValidators,
        BackOfficeErrorDescriber errors,
        IServiceProvider services,
        IHttpContextAccessor httpContextAccessor,
        ILogger<CustomBackOfficeUserManager> logger,
        IOptions<UserPasswordConfigurationSettings> passwordConfiguration,
        IEventAggregator eventAggregator,
        IBackOfficeUserPasswordChecker backOfficeUserPasswordChecker)
        : base(
            ipResolver,
            store,
            optionsAccessor,
            passwordHasher,
            userValidators,
            passwordValidators,
            errors,
            services,
            httpContextAccessor,
            logger,
            passwordConfiguration,
            eventAggregator,
            backOfficeUserPasswordChecker)
    {
    }

    //Override whatever you need, e.g. SupportsUserTwoFactor.
    public override bool SupportsUserTwoFactor => false;
}

Notifications

There are many notifications you can handle on the BackOfficeUserManager. Internally these are mainly used for auditing but there are some that allow you to customize some workflows:

SendEmailNotification
- This is a generic notification but it has a property EmailType that specify the email type. This type can be UserInvite. In that case, it allows you to take control over how a user in the backoffice is invited. This might be handy if you are using an External Login Provider that has the DenyLocalLogin option assigned and you still want to have the user invite functionality available. In this setup, all of your users are controlled by your external login provider so you would need to handle the user invite flow yourself by using this event and inviting the user via your external provider. If you are using this event to replace the default functionality you will need to tell Umbraco that you've handled the invite by calling the SendEmailNotification.HandleEmail() method.)
UserLogoutSuccessNotification
- This is specifically used if you have an External Login Provider in use and you want to log out of that external provider when the user is logged out of the backoffice (that is log out of everywhere). The notification has a property SignOutRedirectUrl. If this property is assigned then Umbraco will redirect to that URL upon successful backoffice sign out in order to sign the user out of the external login provider.

Cookies

The cookies listed in this article are required only for accessing the Backoffice. You can include these in your own cookie policy, if you wish.

Necessary Cookies

The below cookies are necessary for accessing the Umbraco Backoffice and functioning of the website. They allow you to enjoy the contents and services you request.

Name

Purpose

Expiration

The UMB_SESSION cookie is secure if you are using HTTPS pages. However, if you wish to secure the cookie in your code, add the following in the Program.cs file after Build();

builder.Services.AddSession(options =>
    {
        options.Cookie.Name = "UMB_SESSION";
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    });

For information on the rest of the cookies, see the Constants-Web.cs file on Github.

Replacing the basic username/password check

Having the ability to replace the logic to validate a username and password against a custom data store is important to some developers. Normally in ASP.Net Core Identity this would require you to override the UmbracoBackOfficeUserManager.CheckPasswordAsync implementation and then replace the UmbracoBackOfficeUserManager with your own class during startup. Since this is a common task we've made this process a lot easier with an interface called IBackOfficeUserPasswordChecker.

Here are the steps to specify your own logic for validating a username and password for the backoffice:

Create an implementation of Umbraco.Cms.Core.Security.IBackOfficeUserPasswordChecker
- There is one method in this interface: Task<BackOfficeUserPasswordCheckerResult> CheckPasswordAsync(BackOfficeIdentityUser user, string password);
- The result of this method can be 3 things:
  - ValidCredentials = The credentials entered are valid and the authorization should proceed
  - InvalidCredentials = The credentials entered are not valid and the authorization process should return an error
  - FallbackToDefaultChecker = This is an optional result which can be used to fallback to Umbraco's default authorization process if the credentials could not be verified by your own custom implementation
For example, to always allow login when the user enters the password test you could do:
```
using System.Threading.Tasks;
using Umbraco.Core.Models.Identity;
using Umbraco.Core.Security;

namespace MyNamespace;

public class MyPasswordChecker : IBackOfficeUserPasswordChecker
{
    public Task<BackOfficeUserPasswordCheckerResult> CheckPasswordAsync(BackOfficeIdentityUser user, string password)
    {
        var result = (password == "test")
            ? Task.FromResult(BackOfficeUserPasswordCheckerResult.ValidCredentials)
            : Task.FromResult(BackOfficeUserPasswordCheckerResult.InvalidCredentials);

        return result;
    }
}
```

builder.CreateUmbracoBuilder()
.AddBackOffice()
.AddWebsite()
.AddDeliveryApi()
.AddComposers()
.Build();

builder.Services.AddUnique<IBackOfficeUserPasswordChecker, MyPasswordChecker>();

If the username entered in the login screen does not exist in Umbraco, then MyPasswordChecker() does not run. Instead, Umbraco will immediately fall back to its internal checks, which is the default Umbraco behavior.

External login providers

Umbraco supports supports external login providers (OAuth) for performing authentication of your users and members.

Both the Umbraco backoffice users and website members support external login providers (OAuth) for performing authentication. This could be any OpenIDConnect provider such as Entra ID/Azure Active Directory, Identity Server, Google, or Facebook.

Unlike previous major releases of Umbraco the use of the Identity Extensions package is no longer required.

Install an appropriate Nuget package for the provider you wish to use. Some popular ones found in Nuget include:

Try it out

Umbraco OpenIdConnect Example [Community-made]

This community-created package with a complete Umbraco solution incl. an SQLite database demonstrates how OpenID Connect can be used: .

It is great for testing and for trying out the implementation before building it into your own project.

This project is not managed or maintained by Umbraco HQ.

Umbraco Entra ID (Azure AD) Example [Community-made]

This community-created package will allow you to automatically create Umbraco user accounts for users in your directory. This will then associate the Umbraco users with groups based on their AD group: .

This project is not managed or maintained by Umbraco HQ.

Extend core functionality

When you are implementing your own custom authentication on Users and/or Members on your Umbraco CMS website, you are effectively extending existing features.

The process requires adding a couple of new classes (.cs files) to your Umbraco project:

To register these two classes in Umbraco CMS you need to add them to the Program.cs file.

Auto-linking

Traditionally, a backoffice User or frontend Member will need to exist in Umbraco first. Once they exist there, they can link their user account to an external login provider.

In many cases, however, the external login provider you install will be the source of truth for all of your users and members.

In this case, you will want to provide a Single Sign On (SSO) approach to logging in. This would enable the creating of user accounts on the external login provider and then automatically give them access to Umbraco. This is called auto-Linking.

Local logins

When have auto-linking configured, then any auto-linked user or member will have an empty password assigned. This means that they will not be able to log in locally (via username and password). In order to log in locally, they will have to assign a password to their account in the backoffice or the edit profile page.

For users specifically, if the DenyLocalLogin option is enabled, all password-changing functionality in the backoffice is disabled and local login is not possible.

Transferring Claims from External identities

In some cases, you may want to flow a Claim returned in your external login provider to the Umbraco backoffice identity's Claims. This could be the authentication cookie. Flowing Claims between the two can be done during the OnAutoLinking and OnExternalLogin.

The reason for wanted to flow a Claim could be to store the external login provider user ID into the backoffice identity cookie. It can then be retrieved on each request to look up data in another system needing the current user ID from the external login provider.

Example

This is a simplistic example of brevity including no null checks, etc.

In some cases, you may need to persist data from your external login provider like Access Tokens, etc.

You can persist this data to the affiliated user's external login data via the IExternalLoginWithKeyService. The void Save(Guid userOrMemberKey,IEnumerable<IExternalLoginToken> tokens) overload takes a new model of type IEnumerable<IExternalLogin>.

IExternalLogin contains a property called UserData. This is a blob text column which can store any arbitrary data for the external login provider.

Be aware that the local Umbraco user must already exist and be linked to the external login provider before data can be stored here. In cases where auto-linking occurs and the user isn't yet created, you need to store the data in memory first during auto-linking. Then you can persist the data to the service once the user is linked and created.

Auto-linking on backoffice authentication

For some providers, it does not make sense to use auto-linking. This is especially true for public providers such as Google or Facebook.

In those cases, it would mean that anyone who has a Google or Facebook account can log into your site.

If auto-linking for public providers such as these was needed you would need to limit the access. This can be done by domain or other information provided in the claims using the options/callbacks specified in those provider's authentication options.

Auto-linking on Member authentication

Auto-linking on Member authentication only makes sense if you have a public member registration already or the provider does not have public account creation.

Generic examples

The following section presents a series of generic examples.

"Provider" is used to replace place of the names of actual external login providers. When you implement your own custom authentication, you will need to use the correct method names for the chosen provider.

Custom-named configuration

The configuration file is used to configure a handful of different options for the authentication setup. A generic example of such file is shown below.

In earlier versions of Umbraco up to version 12, the options included only a "ButtonStyle" property to style the button. In version 13+ the default button is now rendered using the Umbraco UI library. This means that the "ButtonStyle" property has been deprecated and should not be used. You can override the default styling of the button by using the "ButtonColor" and "ButtonLook" properties. We recommend leaving these properties empty to use the default styling. The default styling will give your users an optimal login experience.

Icons

If you want to use a custom icon for the login button, you need to add the icon to the Umbraco backoffice. You can do this by adding the icon to the ~/App_Plugins/MyPlugin/BackOffice/Icons folder. The icon should be a SVG file. The icon should be named the same as the icon name you specify in the options.Icon property.

Advanced properties

Additionally, more advanced custom properties can be added to the BackOfficeExternalLoginProviderOptions.

BackOfficeExternalLoginProviderOptions.CustomBackOfficeView

In earlier versions of Umbraco up to version 12, this property had to define an AngularJS HTML view. This is no longer the case. You can now define a JavaScript module to render a Custom Element instead of the default external login button.

It is still supported to load an HTML file as a view. However, Umbraco no longer supports AngularJS and the HTML file will be loaded into the DOM as-is. You will have to implement all the logic yourself.

You want to display something different where external login providers are listed: in the login screen vs the backoffice panel vs on the logged-out screen. This same view will render in all of these cases but you can use the current route parameters to customize what is shown.
You want to change how the button interacts with the external login provider. For example, instead of having the site redirect on button-click, you want to open a popup window to load the external login provider.

The path to the custom view is a virtual path, like this example: "~/App_Plugins/MyPlugin/BackOffice/my-external-login.js".

When a custom view is specified it is 100% up to this module to perform all required logic.

The module should define a Custom Element and export it as default. The Custom Element can optionally declare a number of properties to be passed to it. These properties are:

providerName: The name of the provider. This is the same name as the provider's scheme name.
displayName: The display name of the provider. This is the same display name as the provider's display name.
externalLoginUrl: The URL to redirect to when the button is clicked.
userViewState: The current view state of the user. This can be one of the following values:
- loggingIn: The user is on the login screen.
- loggedIn: The user is on the backoffice panel.
- loggedOut: The user clicked the logout button and is on the logged-out screen.
- timedOut: The user's session has timed out and they are on the timed-out screen.

TypeScript

If you use TypeScript, you can use this interface to define the properties:

Examples

The Custom Element can be implemented in a number of ways with many different libraries or frameworks. The following examples show how to make a button appear and redirect to the external login provider. You will learn how to use the externalLoginUrl property to redirect to the external login provider. The login form should look like this when you open Umbraco:

When you click the button, the form will submit a POST request to the externalLoginUrl property. The external login provider will then redirect back to the Umbraco site with the user logged in.

We have to define a template first and then the custom element itself. The template is a small HTML form with a button. The button will submit the form to the externalLoginUrl property. The custom element will then render the template and attach it to the shadow DOM and wire up the externalLoginUrl property in the connectedCallback method.

Static extension class

The extension class is required to extend on the default authentication implementation in Umbraco CMS. A generic example of such extension class can be seen below.

Locking of Users and password reset

It's impossible to brute force the authentication on the login screen because after MaxFailedAccessAttemptsBeforeLockout the account of the user will be locked, and until that account is unlocked in the Users section, no attempt will succeed.

When you submit the password reset form, an email is sent to the user with a link. This link contains a random token for this user that is valid for 24 hours.

The settings AllowPasswordReset is documented in the Umbraco Security Settings and e-mail configuration settings in Backoffice Login Password Reset Section

Password reset of a non-existing user

If the user that is specified in the form does not exist, no e-mail will be sent and there will be no response in the form that this user does not exist. This is done to prevent leaking which users have an account.

Password reset of a locked user

If a user is locked out, it is possible to do a password reset. After the e-mail with the password reset link is followed, the user will still be locked out unless the user has specified the new password, in which case the user will automatically be unlocked.

Reset admin user password

If you lost the admin user password and you need to reset it, check this article.

Reset admin password

There is one default admin user in any Umbraco installation. This is the first user of the system.

Step one: Clear the connection string status in configuration

The first step is to clear the connection string to the database in the configuration. This is done to trigger the installation wizard.

That means that in your appsettings configuration files it should look like this:

Note that configuration can be read from many sources

Remember to check this connection string is not provided through environment variables or other configuration sources.

Step Two: Run the installer

If you now open your browser and surf to the website, you will see that the installer launches. Enter your new details, and use the original connection string. You are good to go.

Make sure you protect a production websites from being highjacked as anyone will be able to reset the password during the last step. This does also work if your site is in an upgrading state.

Umbraco Security Hardening

Here you find some tips and trick for hardening the security of your Umbraco installation.

Lock down access to your Umbraco folder (IIS)

It’s considered a good practice to lock down the Umbraco folder to specific IP addresses and/or IP ranges to ensure this folder is not available to everyone.

The prerequisite of this to work is that you’re using

If you’ve made sure that you’ve installed this on your server we can start locking down our Umbraco folder. This can be down by following these three steps.

We are going to lock down /Umbraco/, but because API-controllers and Surface-controller will use the path /umbraco/api/ and /umbraco/surface/ these will also be locked down. Our first rule in the IISRewrite.config will be used to make sure that these are not locked by IP-address.

Some older versions of Umbraco also relied on /umbraco/webservices/ for loadbalancing purposes. If you're loadbalancing you should also add umbraco/webservices to the rule.

Get the IP-addresses of your client and write these down like a regular expression. If the IP-addresses are for example 213.3.10.8 and 88.4.43.108 the regular expression would be "213.3.10.8|88.4.43.108".
Lock down the Umbraco folder by putting this rule into your IISRewrite-rules

If your server is behind a load balancer, you should use {HTTP_X_FORWARDED_FOR} instead of {REMOTE_ADDR} as the input for the rule.

If you now go to /umbraco/ from a different IP-address the login screen will not be rendered.

Umbraco Security Settings

Password settings

The settings for Umbraco passwords are configurable in appsettings. There are two different configuration objects - One for Umbraco Members and one for Users.

For more information see the .

Password reset settings

Umbraco backend users can , or if they try too much, have a locked out account.

To deactivate the User password reset look at the section.

To configure password reset verify the section.

Other security settings

If set to false this can be used to try to render pages in a way that they are not supposed to
If set to false this can be used to do an enumeration of the nodes in your website and find hidden pages.
Umbraco Forms: and DisableFormCaching

Sensitive data

Marking fields and properties on member data as sensitive will hide the data in those fields for backoffice users that are not privy to the data.

In this article, you will get an overview of how you can grant and/or deny your users access to sensitive data as well as how to mark data as sensitive.

Grant or deny access to sensitive data

Every new Umbraco installation ships with a default set of User Groups. One of them is the Sensitive data User Group. To give users in the backoffice access to view and work with sensitive data, they need to be part of the Sensitive Data User Group.

Any users who are not part of the Sensitive Data User Group, will not be able to see the data in the properties that are marked as sensitive. Instead, they will see a generic message: "This value is hidden. If you need access to view this value please contact your website administrator."

While not part of the Sensitive Data User Group it is also not possible to export members or member data.

Follow these steps in order to grant a user access to sensitive data:

Navigate to the Users section in the Umbraco backoffice.
Ensure that Users are selected from the Users tree.
Select the Groups menu in the top-right corner.
Choose the Sensitive data group.

Click Add in the Users box on the right.
Select the users you want to give access to the sensitive data.
Click Submit.
Save the User Group.

The users you have added to the Sensitive Data User Group will now be able to:

See member data that has been marked as sensitive,
Mark data and properties on Member Types as sensitive, and
Export members and member data.

Marking data as sensitive

Once your user is added to the Sensitive Data User Group, you have access to add and configure member properties containing sensitive data.

Follow the steps below to mark data as sensitive.

Navigate to the Settings section in the Umbraco backoffice.
Open the Member Types in the Settings tree.
Select the Member Type you wish to edit.
Add a property or configure an existing property.
Locate the Is sensitive data option at the bottom of the Property settings dialog.
Click to enable.
Click Submit to update the property configuration.
Click Save to save the changes on the Member Type.

When the Is sensitive data option is enabled, the value and data in the property will only be visible to the users with access to sensitive data.

Sanitizing the Rich Text Editor

This section describes how to sanitize the Rich Text Editor serverside

The Rich Text Editor is sanitized on the frontend by default, however, you may want to do this serverside as well. The libraries that are out there tend to have strict dependencies. That is why we will leave it up to you how you want to sanitize the HTML.

Implementing your own IHtmlSanitizer

We have added an abstraction called IHtmlSanitizer, which by default does nothing. You can override it with your own implementation to handle sanitization as you see fit. This interface has a single method: string Sanitize(string html). The output of this method is what will be stored in the database when you save a Rich Text Editor.

To add your own sanitizer you must first create a class the implements the interface:

The Sanitize method in this implementation is where you can use a library. You could also use your own sanitizer implementation, to sanitize the Rich Text Editor input.

Now that you've added your own custom IHtmlSanitizer you must register it in the container to replace the existing NoOp sanitizer.

You can register it directly in the Program.cs or use a composer.

The extension method could look like the following:

The extension can then be invoked in the CreateUmbracoBuilder() builder chain in the Program.cs file:

Or you can use a Composer:

With your custom sanitizer in place the Rich Text Editor will always contain the "Sanitized HTML" heading. This shows that everything is working as expected, and that whatever your sanitizer returns is what will be saved.

Setup Umbraco for a FIPS Compliant Server

This tutorial walks through configuring Umbraco and Lucene to be FIPS compliant and serve up websites on a server with FIPS enabled.

FIPS should only be added for compliance. It is not a recommended approach for added security. For more information read Why Microsoft is not recommending "FIPS Mode" anymore.

What is FIPS?

The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB 140-2), is a U.S. government computer security standard used to define approved cryptographic modules. The FIPS 140 standard also sets forth requirements for key generation and for key management.

Microsoft Windows has a "FIPS mode" of operation where it detects the cryptographic algorithms used by software running on it and will throw exceptions if it detects the use of non-FIPS compliant algorithms. Using MD5 hashing is generally the biggest culprit of issues running on FIPS enabled servers.

How can I test my site with FIPS enabled?

FIPS can be enabled through your Local Group Policy, Registry Setting, or Network Adapter setting. For more information about how to enable FIPS mode on Windows see this tutorial: How-to Enable FIPS on Windows

What version of Umbraco is FIPS compliant?

Umbraco 7.6.4+ has implemented checks for when FIPS mode is enabled on the server that it is installed on. When FIPS mode is detected, the cryptographic algorithms for hashing are changed to a FIPS compliant algorithm. When FIPS mode is disabled, then Umbraco uses backward compatible algorithms (MD5) so as not to affect existing installs. As of Umbraco version 7.6.4, the FIPS compliant cryptographic algorithm used is SHA1.

Umbraco 9.0.0 and key dependencies are FIPS compliant

Since Umbraco 9, the dependency to Lucene.NET is updated to version 4+. Thereby are both Umbraco and all key dependencies FIPS compliant.

FAQ

Can I install Umbraco directly on a version of Windows with FIPS mode enabled?

Installing to the FIPS server may not work. It's best to deploy an existing known working version to the FIPS server.

HTTPS

This article covers the recommended way of working with HTTPS and Umbraco CMS.

We highly encourage the use of HTTPS on Umbraco websites especially in production environments. By using HTTPS you greatly improve the security of your website.

There are multiple benefits of HTTPS:

Trust - when your site is delivered over HTTPS your users will see that your site is secured, they are able to view the certificate assigned to your site and know that your site is legitimate
Removing an attack vector called "Man in the middle" (or network Sniffing)
Guards against Phishing, an attacker will have a hard time obtaining an authentic Secure Sockets Layer (SSL) certificate
Google likes HTTPS, it may help your site's rankings

Another benefits of HTTPS is that you are able to use the http2 protocol if your web server and browser support it.

Set UseHttps configuration option

Umbraco allows you to force HTTPS for all backoffice communications by using the following configuration:

In Umbraco 9, set the UseHttps key in appSettings to true.

{
    "Umbraco": {
        "CMS": {
            "Global": {
                "UseHttps": true
            }
        }
    }
}

This options does multiple things when it is turned on:

Ensures that the backoffice authentication cookie is set to secure only (so it can only be transmitted over https)
All non-https requests to any backoffice controller is redirected to https
All self delivered Umbraco requests (those are scheduled publishing, keep alive, etc...) are performed over https
All Umbraco notification emails with links generated have https links
All authorization attempts for backoffice handlers and services will be denied if the request is not over https

Redirect traffic in code

The .NET5+ way to handle this, is by adding this HttpsRedirectionMiddleware to your pipeline in Program.cs. This can be done by adding app.UseHttpsRedirection(); before the call to app.UseUmbraco() in the Configure method:

app.UseHttpsRedirection();

    app.UseUmbraco()
        .WithMiddleware(u =>
        {
            u.UseBackOffice();
            u.UseWebsite();
        })
        .WithEndpoints(u =>
        {
            u.UseInstallerEndpoints();
            u.UseBackOfficeEndpoints();
            u.UseWebsiteEndpoints();
        });

Redirect traffic on IIS

Once you enable HTTPS for your site you should redirect all requests to your site to HTTPS. This can be done with an IIS rewrite rule. The IIS rewrite module needs to be installed for this to work, most hosting providers will have that enabled by default.

In your web.config find or add the <system.webServer><rewrite><rules> section and put the following rule in there. This rule will redirect all requests for the site http://mysite.com URL to the secure https://mysite.com URL and respond with a permanent redirect status.

<rule name="HTTP to HTTPS redirect" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
        <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>

The rule includes an ignore for localhost. If you run your local environment on a different URL than localhost you can add additional ignore rules. Additionally, if you have a staging environment that doesn't run on HTTPS, you can add that to the ignore rules too.

SSL versus Transport Layer Security (TLS)

In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS), or, formerly, its predecessor, Secure Sockets Layer (SSL) - wikipedia

While the deprecated SSL (2.0 and 3.0) are not supported anymore by modern browsers, some of the Umbraco configuration still uses SSL. But rest assured, that is only the name.

Server-side file validation

This section describes how you can implement File Validation

Sometimes it might be necessary to validate the contents of a file before it gets saved to disk when uploading trough the backoffice.

To help with this, Umbraco supplies a FileStreamSecurityValidator that runs all registered IFileStreamSecurityAnalyzer implementations on the file streams it receives from it's different file upload endpoints. When any of the analyzers deem the file to be unsafe, the endpoint disregards the file and shows a relevant validation message where appropriate. This all happens in memory before the stream is written to a temporary file location.

Implementing a FileStreamSecurityValidator

The IFileStreamSecurityAnalyzer needs a single method to be implemented:

IsConsideredSafe: This method should return false if the analyzer finds a reason not to trust the file

Example FileStreamSecurityAnalyzer

The following class shows how one could potentially guard against Cross-site scripting(XSS) vulnerabilities in an svg file.

public class SvgXssSecurityAnalyzer : IFileStreamSecurityAnalyzer
    {
        public bool ShouldHandle(Stream fileStream)
        {
            // reduce memory footprint by partially reading the file
            var startBuffer = new byte[256];
            var endBuffer = new byte[256];
            fileStream.Read(startBuffer);
            if (endBuffer.Length > fileStream.Length)
                fileStream.Seek(0, SeekOrigin.Begin);
            else
                fileStream.Seek(fileStream.Length - endBuffer.Length, SeekOrigin.Begin);
            fileStream.Read(endBuffer);
            var startString = System.Text.Encoding.UTF8.GetString(startBuffer);
            var endString = System.Text.Encoding.UTF8.GetString(endBuffer);
            return startString.Contains("<svg")
                   && startString.Contains("xmlns=\"http://www.w3.org/2000/svg\"")
                   && endString.Contains("/svg>");
        }

        public bool IsConsideredSafe(Stream fileStream)
        {
            var streamReader = new StreamReader(fileStream); // do not use a using as this will dispose of the underlying stream
            var fileContent = streamReader.ReadToEnd();
            return !(fileContent.Contains("<script") && fileContent.Contains("/script>"));
        }
    }

You can register it during startup or with a composer.

This is an example of registering the class with a composer:

public class ServerSideValidationComposer : IComposer
    {
        public void Compose(IUmbracoBuilder builder)
        {
            builder.Services.AddSingleton<IFileStreamSecurityAnalyzer, SvgXssSecurityAnalyzer>();
        }
    }

Then you can upload a file with the following content to the backoffice and see that it is not persisted.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('xss');
   </script>
</svg>

External login providers

Umbraco supports supports external login providers (OAuth) for performing authentication of your users and members.

Unlike previous major releases of Umbraco the use of the Identity Extensions package is no longer required.

Install an appropriate Nuget package for the provider you wish to use. Some popular ones found in Nuget include:

Try it out

Umbraco OpenIdConnect Example [Community-made]

This community-created package with a complete Umbraco solution incl. an SQLite database demonstrates how OpenID Connect can be used: .

It is great for testing and for trying out the implementation before building it into your own project.

This project is not managed or maintained by Umbraco HQ.

Umbraco Entra ID (Azure AD) Example [Community-made]

This project is not managed or maintained by Umbraco HQ.

Extend core functionality

When you are implementing your own custom authentication on Users and/or Members on your Umbraco CMS website, you are effectively extending existing features.

The process requires adding a couple of new classes (.cs files) to your Umbraco project:

Custom-named configuration to add additional configuration for handling different options related to the authentication.
A static extention class to extend on the default authentication implementation in Umbraco CMS for either Users or Members.

To register these two classes in Umbraco CMS you need to add them to the Program.cs file.

It is also possible to register the configuration class directly into the extension class. See examples of how this is done in the .

Auto-linking

Traditionally, a backoffice User or frontend Member will need to exist in Umbraco first. Once they exist there, they can link their user account to an external login provider.

In many cases, however, the external login provider you install will be the source of truth for all of your users and members.

Local logins

For users specifically, if the DenyLocalLogin option is enabled, all password-changing functionality in the backoffice is disabled and local login is not possible.

Transferring Claims from External identities

Do not flow large amounts of data into the backoffice identity. This information is stored in the backoffice authentication cookie and cookie limits will apply. Data like Json Web Tokens (JWT) needs to be somewhere to be looked up and not stored within the backoffice identity itself.

Example

This is a simplistic example of brevity including no null checks, etc.

OnAutoLinking = (user, loginInfo) => {
    // You can customize the user before it's linked.
    // i.e. Modify the user's groups based on the Claims returned
    // in the externalLogin info
    var extClaim = externalLogin
        .Principal
        .FindFirst("MyClaim");
    user.Claims.Add(new IdentityUserClaim<string>
    {
        ClaimType = extClaim.Type,
        ClaimValue = extClaim.Value,
        UserId = user.Id
    });
},
OnExternalLogin = (user, loginInfo) => {
    // You can customize the user before it's saved whenever they have
    // logged in with the external provider.
    // i.e. Sync the user's name based on the Claims returned
    // in the externalLogin info
    var extClaim = externalLogin
        .Principal
        .FindFirst("MyClaim");
    user.Claims.Add(new IdentityUserClaim<string>
    {
        ClaimType = extClaim.Type,
        ClaimValue = extClaim.Value,
        UserId = user.Id
    });
    return true;
}

In some cases, you may need to persist data from your external login provider like Access Tokens, etc.

IExternalLogin contains a property called UserData. This is a blob text column which can store any arbitrary data for the external login provider.

Auto-linking on backoffice authentication

For some providers, it does not make sense to use auto-linking. This is especially true for public providers such as Google or Facebook.

In those cases, it would mean that anyone who has a Google or Facebook account can log into your site.

Auto-linking on Member authentication

Auto-linking on Member authentication only makes sense if you have a public member registration already or the provider does not have public account creation.

Generic examples

The following section presents a series of generic examples.

Custom-named configuration

The configuration file is used to configure a handful of different options for the authentication setup. A generic example of such file is shown below.

ProviderBackOfficeExternalLoginProviderOptions.cs

using Microsoft.Extensions.Options;
using Umbraco.Cms.Core;
using Umbraco.Cms.Web.BackOffice.Security;

namespace MyUmbracoProject.CustomAuthentication;

public class ProviderBackOfficeExternalLoginProviderOptions : IConfigureNamedOptions<BackOfficeExternalLoginProviderOptions>
{
    public const string SchemeName = "OpenIdConnect";
    public void Configure(string name, BackOfficeExternalLoginProviderOptions options)
    {
        if (name != Constants.Security.BackOfficeExternalAuthenticationTypePrefix + SchemeName)
        {
            return;
        }

        Configure(options);
    }

    public void Configure(BackOfficeExternalLoginProviderOptions options)
    {
        // Customize the login button
        options.Icon = "icon-cloud";

        // The following options are relevant if you
        // want to configure auto-linking on the authentication.
        options.AutoLinkOptions = new ExternalSignInAutoLinkOptions(

            // Set to true to enable auto-linking
            autoLinkExternalAccount: true,

            // [OPTIONAL]
            // Default: "Editor"
            // Specify User Group.
            defaultUserGroups: new[] { Constants.Security.EditorGroupAlias },

            // [OPTIONAL]
            // Default: The culture specified in appsettings.json.
            // Specify the default culture to create the User as.
            // It can be dynamically assigned in the OnAutoLinking callback.
            defaultCulture: null,

            // [OPTIONAL]
            // Disable the ability to link/unlink manually from within
            // the Umbraco backoffice.
            // Set this to false if you don't want the user to unlink
            // from this external provider.
            allowManualLinking: false
        )
        {
            // [OPTIONAL] Callback
            OnAutoLinking = (autoLinkUser, loginInfo) =>
            {
                // Customize the user before it's linked.
                // Modify the User's groups based on the Claims returned
                // in the external login info.
            },

            // [OPTIONAL] Callback
            OnExternalLogin = (user, loginInfo) =>
            {
                // Customize the User before it is saved whenever they have
                // logged in with the external provider.
                // Sync the Users name based on the Claims returned
                // in the external login info

                // Returns a boolean indicating if sign-in should continue or not.
                return true;
            }
        };

        // [OPTIONAL]
        // Disable the ability for users to login with a username/password.
        // If set to true, it will disable username/password login
        // even if there are other external login providers installed.
        options.DenyLocalLogin = false;

        // [OPTIONAL]
        // Choose to automatically redirect to the external login provider
        // effectively removing the login button.
        options.AutoRedirectLoginToExternalProvider = false;
    }
}

Icons

You can use the to see available icons.

ProviderMembersExternalLoginProviderOptions.cs

using Microsoft.Extensions.Options;
using Umbraco.Cms.Core;
using Umbraco.Cms.Web.Common.Security;

namespace MyUmbracoProject.CustomAuthentication;

public class ProviderMembersExternalLoginProviderOptions : IConfigureNamedOptions<MemberExternalLoginProviderOptions>
{
    public const string SchemeName = "OpenIdConnect";
    public void Configure(string? name, MemberExternalLoginProviderOptions options)
    {
        if (name != Constants.Security.MemberExternalAuthenticationTypePrefix + SchemeName)
        {
            return;
        }

        Configure(options);
    }

    public void Configure(MemberExternalLoginProviderOptions options)
    {
        // The following options are relevant if you
        // want to configure auto-linking on the authentication.
        options.AutoLinkOptions = new MemberExternalSignInAutoLinkOptions(

            // Set to true to enable auto-linking
            autoLinkExternalAccount: true,

            // [OPTIONAL]
            // Default: The culture specified in appsettings.json.
            // Specify the default culture to create the Member as.
            // It can be dynamically assigned in the OnAutoLinking callback.
            defaultCulture: null,

            // [OPTIONAL]
            // Specify the default "IsApproved" status.
            // Must be true for auto-linking.
            defaultIsApproved: true,

            // [OPTIONAL]
            // Default: "Member"
            // Specify the Member Type alias.
            defaultMemberTypeAlias: Constants.Security.DefaultMemberTypeAlias
        )
        {
            // [OPTIONAL] Callback
            OnAutoLinking = (autoLinkUser, loginInfo) =>
            {
                // Customize the Member before it's linked.
                // Modify the Members groups based on the Claims returned
                // in the external ogin info.
            },
            OnExternalLogin = (user, loginInfo) =>
            {
                // Customize the Member before it is saved whenever they have
                // logged in with the external provider.
                // Sync the Members name based on the Claims returned
                // in the external login info

                // Returns a boolean indicating if sign-in should continue or not.
                return true;
            }
        };
    }
}

Advanced properties

Additionally, more advanced custom properties can be added to the BackOfficeExternalLoginProviderOptions.

BackOfficeExternalLoginProviderOptions.CustomBackOfficeView

The CustomBackofficeView allows for specifying a JavaScript module to render a instead default external login button. Use this in case you want to change the UI or one of the following:

You want to display something different where external login providers are listed: in the login screen vs the backoffice panel vs on the logged-out screen. This same view will render in all of these cases but you can use the current route parameters to customize what is shown.
You want to change how the button interacts with the external login provider. For example, instead of having the site redirect on button-click, you want to open a popup window to load the external login provider.

The path to the custom view is a virtual path, like this example: "~/App_Plugins/MyPlugin/BackOffice/my-external-login.js".

When a custom view is specified it is 100% up to this module to perform all required logic.

The module should define a Custom Element and export it as default. The Custom Element can optionally declare a number of properties to be passed to it. These properties are:

providerName: The name of the provider. This is the same name as the provider's scheme name.
displayName: The display name of the provider. This is the same display name as the provider's display name.
externalLoginUrl: The URL to redirect to when the button is clicked.
userViewState: The current view state of the user. This can be one of the following values:
- loggingIn: The user is on the login screen.
- loggedIn: The user is on the backoffice panel.
- loggedOut: The user clicked the logout button and is on the logged-out screen.
- timedOut: The user's session has timed out and they are on the timed-out screen.

TypeScript

If you use TypeScript, you can use this interface to define the properties:

type UserViewState = 'loggingIn' | 'loggedIn' | 'loggedOut' | 'timedOut';

interface IExternalLoginCustomViewElement {
  displayName?: string;
  providerName?: string;
  externalLoginUrl?: string;
  userViewState?: UserViewState;
};

Examples

When you click the button, the form will submit a POST request to the externalLoginUrl property. The external login provider will then redirect back to the Umbraco site with the user logged in.

You have access to the in the custom element. You can use the components directly in your custom element.

~/App_Plugins/MyPlugin/BackOffice/my-external-login.js

const template = document.createElement('template');
template.innerHTML = `
  <style>
    :host {
      display: block;
      width: 100%;
    }
    #button {
      width: 100%;
    }
  </style>
  <form method="post" action="/404">
    <input type="hidden" name="provider" value="" />
    <h3>My Company's Provider</h3>
    <p>If you have signed up with MyProvider, you can sign in to Umbraco by clicking the button below.</p>
    <uui-button type="submit" id="button" look="primary">
      <uui-icon name="icon-cloud"></uui-icon>
      Sign in with MyProvider
    </uui-button>
  </form>
`;

export class MyCustomView extends HTMLElement {
  externalLoginUrl;

  constructor() {
    super();
    this.attachShadow({ mode: 'open' });
    this.shadowRoot.appendChild(template.content.cloneNode(true));
  }

  connectedCallback() {
    this.shadowRoot.querySelector('form').setAttribute('action', this.externalLoginUrl);
    this.shadowRoot.querySelector('input[name="provider"]').setAttribute('value', this.providerName);
  }
}

customElements.define('my-custom-view', MyCustomView);

export default MyCustomView;

It is also possible to use a library like to render the custom element. The following example shows how to use Lit to render the custom element. The custom element will render a form with a button. The button will submit the form to the externalLoginUrl property. We do not have to perform any logic in the connectedCallback method because Lit will automatically update the action attribute on the form when the externalLoginUrl property changes. We can even include other properties like displayName and providerName in the template without having to react to changes in those properties. Styling is also handled by Lit in the static styles property.

We are using Lit version 3 in this example imported directly from a JavaScript delivery network to keep the example slim. You can also use a bundler like to bundle the Lit library with your custom element.

~/App_Plugins/MyPlugin/BackOffice/my-external-login.js

import {LitElement, css, html} from 'https://cdn.jsdelivr.net/gh/lit/dist@3/core/lit-core.min.js';

class MyLitView extends LitElement {
  static get properties() {
    return {
      providerName: { type: String },
      displayName: { type: String },
      externalLoginUrl: { type: String },
      userViewState: { type: String }
    };
  }

  render() {
    return html`
      <form method="post" action=${this.externalLoginUrl}>
        <h3>My Company's Provider</h3>
        <p>If you have signed up with ${this.displayName}, you can sign in to Umbraco by clicking the button below.</p>
        <uui-button type="submit" id="button" look="primary">
          <uui-icon name="icon-cloud"></uui-icon>
          Sign in with ${this.displayName}
        </uui-button>
      </form>
    `;
  }

  static styles = css`
    :host {
      display: block;
      width: 100%;
    }
    #button {
      width: 100%;
    }
  `;
}

customElements.define('my-lit-view', MyLitView);

export default MyLitView;

Static extension class

The extension class is required to extend on the default authentication implementation in Umbraco CMS. A generic example of such extension class can be seen below.

ProviderBackofficeAuthenticationExtensions.cs

using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Extensions;
using Umbraco.Cms.Web.BackOffice.Security;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Configuration;

namespace MyUmbracoProject.CustomAuthentication;

public static class ProviderBackofficeAuthenticationExtensions
{
    public static IUmbracoBuilder AddProviderBackofficeAuthentication(this IUmbracoBuilder builder)
    {
        // Register ProviderBackOfficeExternalLoginProviderOptions here rather than require it in startup
        builder.Services.ConfigureOptions<ProviderBackOfficeExternalLoginProviderOptions>();

        builder.AddBackOfficeExternalLogins(logins =>
        {
            logins.AddBackOfficeLogin(
                backOfficeAuthenticationBuilder =>
                {
                    // The scheme must be set with this method to work for the back office
                    var schemeName =
                        backOfficeAuthenticationBuilder.SchemeForBackOffice(GoogleBackOfficeExternalLoginProviderOptions
                            .SchemeName);

                    ArgumentNullException.ThrowIfNull(schemeName);

                    backOfficeAuthenticationBuilder.AddProvider(
                        schemeName,
                        options =>
                        {
                            // Callback path: Represents the URL to which the browser should be redirected to.
                            // The default value is '/signin-provider'.
                            // The value here should match what you have configured in you external login provider.
                            // The value needs to be unique.
                            options.CallbackPath = "/umbraco-provider-signin";
                            options.ClientId = "YOURCLIENTID"; // Replace with your client id generated while creating OAuth client ID
                            options.ClientSecret = "YOURCLIENTSECRET"; // Replace with your client secret generated while creating OAuth client ID

                            // Example: Map Claims
                            // Relevant when using auto-linking.
                            options.GetClaimsFromUserInfoEndpoint = true;
                            options.TokenValidationParameters.NameClaimType = "name";

                            // Example: Add scopes
                            options.Scope.Add("email");
                        });
                });
        });
        return builder;
    }
}

ProviderMembersAuthenticationExtensions.cs

using Microsoft.Extensions.DependencyInjection;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Extensions;

namespace MyUmbracoProject.CustomAuthentication;

public static class ProviderMemberAuthenticationExtensions
{
    public static IUmbracoBuilder AddProviderMemberAuthentication(this IUmbracoBuilder builder)
    {
        // [OPTIONAL]
        // Register ProviderMembersExternalLoginProviderOptions here rather than require it in startup
        builder.Services.ConfigureOptions<ProviderMembersExternalLoginProviderOptions>();

        builder.AddMemberExternalLogins(logins =>
        {
            logins.AddMemberLogin(
                memberAuthenticationBuilder =>
                {
                    memberAuthenticationBuilder.AddProvider(
                        // The scheme must be set with this method to work for the back office
                        memberAuthenticationBuilder.SchemeForMembers(ProviderMembersExternalLoginProviderOptions.SchemeName),
                        options =>
                        {
                            // Callback path: Represents the URL to which the browser should be redirected to.
                            // The default value is `/signin-oidc`.
                            // The value here should match what you have configured in your external login provider.
                            // The value needs to be unique.
                            options.CallbackPath = "/umbraco-provider-signin";

                            options.ClientId = "YOURCLIENTID";
                            options.ClientSecret = "YOURCLIENTSECRET";

                                // Example: Save login tokens
                            options.SaveTokens = true;

                        });
                });
        });
        return builder;
    }
}

For a more in-depth article on how to set up OAuth providers in .NET refer to the .

Two-factor Authentication

Umbraco users and members support a two-factor authentication (2FA) abstraction for implementing a 2FA provider of your choice.

Two-factor authentication (2FA) for Umbraco members is activated by implementing an ITwoFactorProvider interface and registering the implementation. The implementation can use third-party packages to archive for example support for authentication apps like Microsoft- or Google Authentication App.

If you are using Umbraco Cloud, you can enable multi-factor authentication in Umbraco ID. For more information, see the Multi-Factor Authentication article.

Two-factor authentication for Members

Since Umbraco does not control how the UI is for member login and profile edit. The UI for 2FA is shipped as part of the snippets for macros. These can be used as a starting point, before styling the page as you would like.

Example implementation for Authenticator Apps for Members

In the following example, we will use the GoogleAuthenticator NuGet Package. Despite the name, this package works for both Google and Microsoft authenticator apps. It can be used to generate the QR code needed to activate the app for the website.

using System;
using System.Threading.Tasks;
using Google.Authenticator;
using Umbraco.Cms.Core.Security;
using Umbraco.Cms.Core.Services;

namespace My.Website;

/// <summary>
/// Model with the required data to setup the authentication app.
/// </summary>
public class QrCodeSetupData
{
    /// <summary>
    /// The secret unique code for the user and this ITwoFactorProvider.
    /// </summary>
    public string Secret { get; init; }

    /// <summary>
    /// The SetupCode from the GoogleAuthenticator code.
    /// </summary>
    public SetupCode SetupCode { get; init; }
}

/// <summary>
/// App Authenticator implementation of the ITwoFactorProvider
/// </summary>
public class UmbracoAppAuthenticator : ITwoFactorProvider
{
    /// <summary>
    /// The unique name of the ITwoFactorProvider. This is saved in a constant for reusability.
    /// </summary>
    public const string Name = "UmbracoAppAuthenticator";

    private readonly IMemberService _memberService;

    /// <summary>
    /// Initializes a new instance of the <see cref="UmbracoAppAuthenticator"/> class.
    /// </summary>
    public UmbracoAppAuthenticator(IMemberService memberService)
    {
        _memberService = memberService;
    }

    /// <summary>
    /// The unique provider name of ITwoFactorProvider implementation.
    /// </summary>
    /// <remarks>
    /// This value will be saved in the database to connect the member with this  ITwoFactorProvider.
    /// </remarks>
    public string ProviderName => Name;

    /// <summary>
    /// Returns the required data to setup this specific ITwoFactorProvider implementation. In this case it will contain the url to the QR-Code and the secret.
    /// </summary>
    /// <param name="userOrMemberKey">The key of the user or member</param>
    /// <param name="secret">The secret that ensures only this user can connect to the authenticator app</param>
    /// <returns>The required data to setup the authenticator app</returns>
    public Task<object> GetSetupDataAsync(Guid userOrMemberKey, string secret)
    {
        var member = _memberService.GetByKey(userOrMemberKey);

        var twoFactorAuthenticator = new TwoFactorAuthenticator();
        SetupCode setupInfo = twoFactorAuthenticator.GenerateSetupCode("My application name", member.Username, secret, false);
        return Task.FromResult<object>(new QrCodeSetupData()
        {
            SetupCode = setupInfo,
            Secret = secret
        });
    }

    /// <summary>
    /// Validated the code and the secret of the user.
    /// </summary>
    public bool ValidateTwoFactorPIN(string secret, string code)
    {
        var twoFactorAuthenticator = new TwoFactorAuthenticator();
        return twoFactorAuthenticator.ValidateTwoFactorPIN(secret, code);
    }

    /// <summary>
    /// Validated the two factor setup
    /// </summary>
    /// <remarks>Called to confirm the setup of two factor on the user. In this case we confirm in the same way as we login by validating the PIN.</remarks>
    public bool ValidateTwoFactorSetup(string secret, string token) => ValidateTwoFactorPIN(secret, token);
}

First, we create a model with the information required to set up the 2FA provider. Then we implement the ITwoFactorProvider with the use of the TwoFactorAuthenticator from the GoogleAuthenticator NuGet package.

Now we need to register the UmbracoAppAuthenticator implementation. This can be done on the IUmbracoBuilder in your startup or a composer.

using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Security;
using Umbraco.Extensions;

namespace My.Website;

public class UmbracoAppAuthenticatorComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        var identityBuilder = new MemberIdentityBuilder(builder.Services);
        identityBuilder.AddTwoFactorProvider<UmbracoAppAuthenticator>(UmbracoAppAuthenticator.Name);
    }
}

At this point, the 2FA is active, but no members have set up 2FA yet. The setup of 2FA depends on the type. In the case of App Authenticator, we will add the following to our view showing the edit profile of the member.

@using Umbraco.Cms.Core.Services
@using Umbraco.Cms.Web.Website.Controllers
@using Umbraco.Cms.Web.Website.Models
@using My.Website  @* Or whatever your namespace with the QrCodeSetupData model is *@
@inject MemberModelBuilderFactory memberModelBuilderFactory
@inject ITwoFactorLoginService twoFactorLoginService
@{
    // Build a profile model to edit
    var profileModel = await memberModelBuilderFactory
        .CreateProfileModel()
        .BuildForCurrentMemberAsync();

    // Show all two factor providers
    var providerNames = twoFactorLoginService.GetAllProviderNames();
    if (providerNames.Any())
    {
        <div asp-validation-summary="All" class="text-danger"></div>
        foreach (var providerName in providerNames)
        {
            var setupData = await twoFactorLoginService.GetSetupInfoAsync(profileModel.Key, providerName);
            if (setupData is null)
            {
                @using (Html.BeginUmbracoForm<UmbTwoFactorLoginController>(nameof(UmbTwoFactorLoginController.Disable)))
                {
                    <input type="hidden" name="providerName" value="@providerName"/>
                    <button type="submit">Disable @providerName</button>
                }
            }
            else if(setupData is QrCodeSetupData qrCodeSetupData)
            {
                @using (Html.BeginUmbracoForm<UmbTwoFactorLoginController>(nameof(UmbTwoFactorLoginController.ValidateAndSaveSetup)))
                {
                    <h3>Setup @providerName</h3>
                    <img src="@qrCodeSetupData.SetupCode.QrCodeSetupImageUrl"/>
                    <p>Scan the code above with your authenticator app <br /> and enter the resulting code here to validate:</p>
                    <input type="hidden" name="providerName" value="@providerName"  />
                    <input type="hidden" name="secret" value="@qrCodeSetupData.Secret"  />
                    <input type="text" name="code"  />
                    <button type="submit">Validate & save</button>
                }
            }
        }
    }
}

In this razor-code sample, we get the current member's unique key and list all registered ITwoFactorProvider implementations.

If the setupData is null for the specified providerName it means the provider is already set up. In this case, we show a disable button. Otherwise, we check the type and show the UI for how to set up the App Authenticator. We will show the QR Code and an input field to validate the code from the App Authenticator.

The last part required is to use the Login Partial Macro snippet.

Notification when 2FA is requested for a member

When a 2FA login is requested for a member, the MemberTwoFactorRequestedNotification is published. This notification can also be used to send the member a one-time password via e-mail or phone. Even though these 2FA types are not considered secure as App Authentication, it is still a massive improvement compared to no 2FA.

Two-factor authentication for Users

Umbraco controls how the UI is for user login and user edits, but will still need a view for configuring each 2FA provider.

Example implementation for Authenticator Apps for Users

using System.Runtime.Serialization;
using Google.Authenticator;
using Umbraco.Cms.Core.Models.Membership;
using Umbraco.Cms.Core.Security;
using Umbraco.Cms.Core.Services;

namespace My.Website;

[DataContract]
public class TwoFactorAuthInfo
{
    [DataMember(Name = "qrCodeSetupImageUrl")]
    public string? QrCodeSetupImageUrl { get; set; }

    [DataMember(Name = "secret")]
    public string? Secret { get; set; }
}

/// <summary>
/// App Authenticator implementation of the ITwoFactorProvider
/// </summary>
public class UmbracoUserAppAuthenticator : ITwoFactorProvider
{
    private readonly IUserService _userService;

    /// <summary>
    /// The unique name of the ITwoFactorProvider. This is saved in a constant for reusability.
    /// </summary>
    public const string Name = "UmbracoUserAppAuthenticator";

    /// <summary>
    /// Initializes a new instance of the <see cref="UmbracoUserAppAuthenticator"/> class.
    /// </summary>
    public UmbracoUserAppAuthenticator(IUserService userService)
    {
        _userService = userService;
    }

    /// <summary>
    /// The unique provider name of ITwoFactorProvider implementation.
    /// </summary>
    /// <remarks>
    /// This value will be saved in the database to connect the member with this  ITwoFactorProvider.
    /// </remarks>
    public string ProviderName => Name;

    /// <summary>
    /// Returns the required data to setup this specific ITwoFactorProvider implementation. In this case it will contain the url to the QR-Code and the secret.
    /// </summary>
    /// <param name="userOrMemberKey">The key of the user or member</param>
    /// <param name="secret">The secret that ensures only this user can connect to the authenticator app</param>
    /// <returns>The required data to setup the authenticator app</returns>
    public Task<object> GetSetupDataAsync(Guid userOrMemberKey, string secret)
    {
        IUser? user = _userService.GetByKey(userOrMemberKey);

        ArgumentNullException.ThrowIfNull(user);

        var twoFactorAuthenticator = new TwoFactorAuthenticator();
        SetupCode setupInfo = twoFactorAuthenticator.GenerateSetupCode("My application name", user.Username, secret, false);
        return Task.FromResult<object>(new TwoFactorAuthInfo()
        {
            QrCodeSetupImageUrl = setupInfo.QrCodeSetupImageUrl,
            Secret = secret
        });
    }

    /// <summary>
    /// Validated the code and the secret of the user.
    /// </summary>
    public bool ValidateTwoFactorPIN(string secret, string code)
    {
        var twoFactorAuthenticator = new TwoFactorAuthenticator();
        return twoFactorAuthenticator.ValidateTwoFactorPIN(secret, code);
    }

    /// <summary>
    /// Validated the two factor setup
    /// </summary>
    /// <remarks>Called to confirm the setup of two factor on the user. In this case we confirm in the same way as we login by validating the PIN.</remarks>
    public bool ValidateTwoFactorSetup(string secret, string token) => ValidateTwoFactorPIN(secret, token);
}

Now we need to register the UmbracoUserAppAuthenticator implementation and the view to show to set up this provider. This can be done on the IUmbracoBuilder in your startup or a composer.

using Microsoft.Extensions.DependencyInjection;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Security;
using Umbraco.Cms.Web.BackOffice.Security;
using Umbraco.Extensions;

namespace My.Website;

public class UmbracoAppAuthenticatorComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        var identityBuilder = new BackOfficeIdentityBuilder(builder.Services);

        identityBuilder.AddTwoFactorProvider<UmbracoUserAppAuthenticator>(UmbracoUserAppAuthenticator.Name);

        builder.Services.Configure<TwoFactorLoginViewOptions>(UmbracoUserAppAuthenticator.Name, options =>
        {
            options.SetupViewPath = "..\\App_Plugins\\TwoFactorProviders\\twoFactorProviderGoogleAuthenticator.html";
        });
    }
}

Now we need to create the view we configured, in the path we choose.

<div ng-controller="CustomCode.TwoFactorProviderGoogleAuthenticator as vm">

  <umb-editor-view ng-cloak>

    <form name="vm.authForm" method="POST" ng-submit="vm.validateAndSave()">

      <umb-editor-header name="vm.title" name-locked="true" hide-alias="true" hide-icon="true" hide-description="true">
      </umb-editor-header>

      <umb-editor-container>

        <umb-box>

          <umb-box-header title="Setup information"></umb-box-header>

          <umb-box-content>

            <div class="control-group text-center">
              <img alt="QR code for Google Authenticator" ng-src="{{vm.qrCodeImageUrl}}" ng-if="vm.qrCodeImageUrl" />
            </div>

            <umb-control-group label-for="token" alias="2facode"
              label="Scan with your authenticator app and enter the code:" required="true">

              <input umb-auto-focus id="2facode" class="-full-width-input input-xlarge" type="text" name="token"
                inputmode="numeric" autocomplete="one-time-code" ng-model="vm.code" localize="placeholder"
                placeholder="@login_2faCodeInputHelp" aria-required="true" required />

              <div ng-messages="vm.authForm.token.$error" role="alert">
                <span class="umb-validation-label" ng-message="token">
                  <localize key="login_2faInvalidCode">Invalid code entered</localize>
                </span>
              </div>

            </umb-control-group>

          </umb-box-content>

        </umb-box>

      </umb-editor-container>

      <umb-editor-footer>

        <umb-editor-footer-content-right>

          <umb-button type="button" button-style="link" label-key="general_close" shortcut="esc" action="vm.close()">
          </umb-button>

          <umb-button state="vm.buttonState" button-style="success" label-key="buttons_save" type="submit"
            disabled="vm.code.length === 0">
          </umb-button>

        </umb-editor-footer-content-right>

      </umb-editor-footer>

    </form>

  </umb-editor-view>

</div>

As this view uses an angular controller, we need to create that class and configure it in the package.manifest.

In package.manifest, we point to the path of the angular controller that we are creating in the next step.

{
  "javascript": [
    "~/App_Plugins/TwoFactorProviders/twoFactorProviderGoogleAuthenticator.controller.js"
  ]
}

And we create the controller in that location:

!(function () {
  "use strict";

  const googleTwoFactorProviderCtrl = [
    '$scope', 'twoFactorLoginResource', 'notificationsService',
    function ($scope, twoFactorLoginResource, notificationsService) {
      const vm = this;

      vm.title = "Setup Google Authenticator on " + $scope.model?.user?.name;
      vm.providerName = $scope.model?.providerName;
      vm.qrCodeImageUrl = "";
      vm.secret = "";
      vm.code = "";
      vm.authForm = {};
      vm.buttonState = "init";

      vm.close = close;
      vm.validateAndSave = validateAndSave;

      function init() {
        vm.buttonState = "init";
        twoFactorLoginResource.setupInfo(vm.providerName)
          .then(function (response) {
            // This response is the model I defined to be returned from ITwoFactorProvider.GetSetupDataAsync
            vm.qrCodeImageUrl = response.qrCodeSetupImageUrl;
            vm.secret = response.secret;
          })
          .catch(function () {
            notificationsService.error("Could not fetch login info");
          });
      }

      function validateAndSave() {
        vm.authForm.token.$setValidity("token", true);
        vm.buttonState = "busy";

        twoFactorLoginResource.validateAndSave(vm.providerName, vm.secret, vm.code)
          .then(function (successful) {

            if (successful) {
              notificationsService.success("Two-factor authentication has successfully been enabled");
              vm.buttonState = "success";
              close();
            } else {
              vm.authForm.token.$setValidity("token", false);
              vm.buttonState = "error";
            }

          })
          .catch(function (error) {
            notificationsService.error(error);
            vm.buttonState = "error";
          });
      }

      function close() {
        if ($scope.model.close) {
          $scope.model.close();
        }
      }

      init();
    }
  ];

  angular.module("umbraco").controller("CustomCode.TwoFactorProviderGoogleAuthenticator", googleTwoFactorProviderCtrl);
})();

At this point, the 2FA is active, but no users have set up 2FA yet.

Each user can now enable the configured 2fa providers on their user. This can be done from the user panel by clicking the user avatar.

When clicking the Configure Two-Factor button, a new panel is shown, listing all enabled two-factor providers.

When clicking Enable on one of these, the configured view for the specific provider will be shown

When the authenticator is enabled correctly, a disable button is shown instead.

To disable the two-factor authentication on your user, it is required to enter the verification code. Otherwise, admins are allowed to disable providers on other users.

If the code is correct, the provider is disabled.

Notification when 2FA is requested for a user

When a 2FA login is requested for a user, the UserTwoFactorRequestedNotification is published. This notification can also be used to send the user a one-time password via e-mail or phone. Even though these 2FA types are not considered secure as App Authentication, it is still a massive improvement compared to no 2FA.

When a user with 2FA enabled logs in, they will be presented with a screen to enter the verification code:

While the 2FA is enabled, the user will be presented with this screen after entering the username and password.

If the code is correct, the user will be logged in. If the code is incorrect, the user will be presented with an error message.

This screen is set up to work well with 2FA providers that require a one-time code to be entered. The code field follows best practices for accessibility in terms of labeling and autocompletion.

A user can have more than one 2FA provider activated simultaneously. In this case, the user will be presented with a dropdown to choose which provider to use before entering a code.

The 2FA login screen can be customized. This should be done if you have a 2FA provider that does not require a one-time code to be entered.

You should only customize the 2FA login screen in certain cases, for example:

If you have a provider that requires a non-numeric field or additional info.
If you have a provider that requires the user to scan a QR code, you should additionally show the QR code.
If you need to authenticate the user in a different way than the default AuthenticationController in Umbraco.

You need to create a JavaScript module that exports a default custom element to be used in the login screen. This module should be placed in the App_Plugins folder. The module should be registered using a composer.

In earlier versions of Umbraco up to version 12, you had to define an AngularJS HTML view. This is no longer the case. You can now define a JavaScript module to render a Custom Element instead of the default two-factor login screen.

You can use the following code as a starting point. This will give you a view looking like this, where the user can enter a code and click a button to verify the code. This is similar to the built-in view in Umbraco. In a real world scenario, you would probably want to authenticate the user in a different way.

The following code is an example of a custom 2FA login screen using Lit. This is the recommended way of creating a custom 2FA login screen. Lit is a light-weight library that augments the Custom Elements API to provide a declarative, performant, and interoperable way to create web components.

The element registers two properties: providers and returnPath. These properties are used to render the view. The providers property is an array of strings, where each string is the name of a 2FA provider. The returnPath is the path to redirect to after a successful login. Both supplied by the login screen automatically.

~/App_Plugins/TwoFactorProviders/Custom2faLogin.js

import {LitElement, css, html} from 'https://cdn.jsdelivr.net/gh/lit/dist@3/core/lit-core.min.js';

class My2faView extends LitElement {
  static get properties() {
    return {
      providers: { type: Array },
      returnPath: { type: String },
      buttonState: { type: String, state: true, attribute: false }
    };
  }

  /**
   * Get the code input field
   */
  get codeField() {
    return this.shadowRoot.querySelector('#code');
  }

  onSubmit(provider) {
    return async (e) => {
      e.preventDefault();
      const form = e.target;

      this.codeField.error = false;

      const isValid = form.checkValidity();
      if (!isValid) {
        return;
      }

      this.buttonState = 'loading';
      const formData = new FormData(form);
      const code = formData.get('code');

      const result = await fetch('backoffice/UmbracoApi/Authentication/PostVerify2faCode', {
        method: 'POST',
        body: JSON.stringify({
          provider,
          code
        }),
        headers: {
          'Content-Type': 'application/json',
        },
      });

      if (!result.ok) {
        this.codeField.error = true;
        this.codeField.errorMessage = 'Invalid code';
        this.codeField.focus();
        this.buttonState = 'failed';
        return;
      }

      let text = await result.text();
      text = text.split('\n')[1];
      const user = JSON.parse(text);

      this.buttonState = 'success';

      this.dispatchEvent(new CustomEvent('umb-login-success', { bubbles: true, composed: true, detail: user }));

      if (this.returnPath) {
        window.location.href = this.returnPath;
      }
    };
  }

  renderProvider(provider) {
    return html`
      <uui-form>
        <form method="post" @submit=${this.onSubmit(provider)}>
          <h3>${provider}</h3>
          <p>You are about to sign-in with ${provider}.</p>
          <uui-form-layout-item>
            <uui-label for="code" slot="label" required>Type the authentication code from your device</uui-label>
            <uui-input id="code" type="text" name="code" autocomplete="one-time-code" inputmode="numeric" placeholder="123456" required>
              <div slot="prepend">
                <uui-icon name="wand"></uui-icon>
              </div>
            </uui-input>
          </uui-form-layout-item>

          <div>
            <uui-button type="submit" id="button" look="primary" .state=${this.buttonState}>
              <uui-icon name="icon-cloud"></uui-icon>
              Authenticate
            </uui-button>
          </div>

          <div id="error">
            ${this.errorMessage}
          </div>
        </form>
      </uui-form>
    `;
  }

  render() {
    return html`
      ${this.providers.map(provider => this.renderProvider(provider))}
    `;
  }

  static styles = css`
    :host {
      display: block;
      width: 100%;
    }
    #button {
      width: 100%;
    }
    #error {
      color: red;
    }
  `;
}

customElements.define('my-2fa-view', My2faView);

export default My2faView;

We need to register the custom view using a composer. This can be done on the IUmbracoBuilder in your startup or a composer. In this case, we will add a composer to your project. This composer will overwrite the IBackOfficeTwoFactorOptions to use the custom view.

TwoFactorConfiguration.cs

using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Web.BackOffice.Security;

namespace My.Website;

/// <inheritdoc />
public class TwoFactorConfiguration : IBackOfficeTwoFactorOptions
{
    /// <inheritdoc />
    public string GetTwoFactorView(string username) => "/App_Plugins/TwoFactorProviders/Custom2faLogin.js";
}

public class TwoFactorConfigurationComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        builder.Services.AddSingleton<IBackOfficeTwoFactorOptions, TwoFactorConfiguration>();
    }
}

Security

Other articles related to security

API rate limiting

What is rate limiting?

Configuring rate limiting

Global limiter

Limit specific endpoints

BackOfficeUserManager and Events

Extending

Example

Notifications

Cookies

Necessary Cookies

Replacing the basic username/password check

External login providers

Try it out

Extend core functionality

Auto-linking

Local logins

Transferring Claims from External identities

Example

Storing external login provider data

Auto-linking on backoffice authentication

Auto-linking on Member authentication

Generic examples

Custom-named configuration

Advanced properties

BackOfficeExternalLoginProviderOptions.CustomBackOfficeView

Static extension class

Locking of Users and password reset

Password reset on login screen

Password reset of a non-existing user

Password reset of a locked user

Reset admin user password

Reset admin password

Step one: Clear the connection string status in configuration

Step Two: Run the installer

Umbraco Security Hardening

Lock down access to your Umbraco folder (IIS)

Umbraco Security Settings

Password settings

Password reset settings

Other security settings

Sensitive data

Grant or deny access to sensitive data

Marking data as sensitive

Sanitizing the Rich Text Editor

Implementing your own IHtmlSanitizer

Setup Umbraco for a FIPS Compliant Server

What is FIPS?

How can I test my site with FIPS enabled?

What version of Umbraco is FIPS compliant?

Umbraco 9.0.0 and key dependencies are FIPS compliant

FAQ

HTTPS

Set UseHttps configuration option

Redirect traffic in code

Redirect traffic on IIS

SSL versus Transport Layer Security (TLS)

Server-side file validation

Implementing a FileStreamSecurityValidator

Example FileStreamSecurityAnalyzer

Cookies

Necessary Cookies

BackOfficeUserManager and Events

Extending

Example

Notifications

Replacing the basic username/password check

Locking of Users and password reset

Password reset on login screen

Password reset of a non-existing user

Password reset of a locked user

Reset admin user password

Security

Other articles related to security

API rate limiting

What is rate limiting?

Configuring rate limiting

Global limiter