The BackOfficeUserManager is the ASP.NET Core Identity UserManager implementation in Umbraco. It exposes APIs for working with Umbraco Users via ASP.NET Core Identity, including password handling.
The BackOfficeUserManager can be replaced during startup in order to use your own implementation. This may be required if you want to extend the functionality of the BackOfficeUserManager, for example to support two-factor authentication (2FA).
You can replace the BackOfficeUserManager in the startup class by using the SetBackOfficeUserManager extension on the IUmbracoBuilder.
You can then implement your custom BackOfficeUserManager, like this. Note that, at a minimum, the constructor needs to inject what is required by the base BackOfficeUserManager class and pass it on:
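As an added example (not code from the Umbraco documentation or from Umbraco itself), the following composer registers a custom BackOfficeUserManager and the subclass it points at. The constructor parameter list mirrors the base class of Umbraco 10-era releases and varies between versions, so copy it from the BackOfficeUserManager in the version you run; the "external-only domains" policy in the override is a hypothetical illustration of something the base class does not do.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.Configuration.Models;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Events;
using Umbraco.Cms.Core.Net;
using Umbraco.Cms.Core.Security;
using Umbraco.Extensions;

// Swaps the default user manager for the subclass below at startup.
public class CustomUserManagerComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
        => builder.SetBackOfficeUserManager<CustomBackOfficeUserManager>();
}

public class CustomBackOfficeUserManager : BackOfficeUserManager
{
    // Hypothetical policy for illustration: accounts in these e-mail domains are
    // owned by an external login provider and must never sign in with a local password.
    private static readonly string[] ExternalOnlyDomains = { "corp.example.com" };

    // Parameter list taken from the Umbraco 10-era base class; check it against
    // the BackOfficeUserManager constructor in the version you are running.
    public CustomBackOfficeUserManager(
        IIpResolver ipResolver,
        IUserStore<BackOfficeIdentityUser> store,
        IOptions<BackOfficeIdentityOptions> optionsAccessor,
        IPasswordHasher<BackOfficeIdentityUser> passwordHasher,
        IEnumerable<IUserValidator<BackOfficeIdentityUser>> userValidators,
        IEnumerable<IPasswordValidator<BackOfficeIdentityUser>> passwordValidators,
        BackOfficeErrorDescriber errors,
        IServiceProvider services,
        IHttpContextAccessor httpContextAccessor,
        ILogger<UserManager<BackOfficeIdentityUser>> logger,
        IOptionsSnapshot<UserPasswordConfigurationSettings> passwordConfiguration,
        IEventAggregator eventAggregator,
        IBackOfficeUserStore userStore,
        IOptions<GlobalSettings> globalSettings)
        : base(ipResolver, store, optionsAccessor, passwordHasher, userValidators,
               passwordValidators, errors, services, httpContextAccessor, logger,
               passwordConfiguration, eventAggregator, userStore, globalSettings)
    {
    }

    // CheckPasswordAsync is the virtual UserManager<TUser> method the local login
    // path goes through. Refusing here means the password hash is never even
    // compared for external-only accounts, so a leaked or stale local password
    // cannot be used to bypass the identity provider.
    public override Task<bool> CheckPasswordAsync(BackOfficeIdentityUser user, string password)
    {
        if (IsExternalOnly(user.Email))
        {
            Logger.LogWarning("Local login refused for external-only account {UserName}", user.UserName);
            return Task.FromResult(false);
        }

        return base.CheckPasswordAsync(user, password);
    }

    // Domain match is case-insensitive; an address without '@' is never external-only.
    internal static bool IsExternalOnly(string? email)
    {
        var at = email?.LastIndexOf('@') ?? -1;
        if (at < 0)
        {
            return false;
        }

        var domain = email![(at + 1)..];
        return ExternalOnlyDomains.Contains(domain, StringComparer.OrdinalIgnoreCase);
    }
}
```

The override deliberately returns false rather than throwing, so the caller sees an ordinary failed login and the account still accrues lockout counts as it would for a wrong password; nothing in the response reveals that the account is external-only.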
There are many notifications you can handle on the BackOfficeUserManager. Internally these are mainly used for auditing, but some of them allow you to customize workflows:
SendEmailNotification
This is a generic notification, but it has an EmailType property that specifies the type of email. When that type is UserInvite, it allows you to take control over how a backoffice user is invited. This is handy if you are using an External Login Provider with the DenyLocalLogin option assigned and still want the user invite functionality available. In that setup all of your users are controlled by your external login provider, so you need to handle the invite flow yourself by handling this notification and inviting the user via your external provider. If you use this notification to replace the default functionality, you must tell Umbraco that you have handled the invite by calling the SendEmailNotification.HandleEmail() method; otherwise Umbraco still sends its own invite email.
UserLogoutSuccessNotification
This is specifically used if you have an External Login Provider in use and you want to log out of that external provider when the user is logged out of the backoffice (that is, log out everywhere). The notification has a SignOutRedirectUrl property. If this property is assigned, Umbraco will redirect to that URL upon successful backoffice sign-out in order to sign the user out of the external login provider.
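As an added example covering both notifications above (not code from the Umbraco documentation or from Umbraco itself), the composer below registers one handler that takes over the UserInvite email and one that ends the external provider session on logout. The identity provider end-session URL and the invite hand-off are hypothetical placeholders; the "UserInvite" string is the EmailType value named above.

```csharp
using Microsoft.Extensions.Logging;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Events;
using Umbraco.Cms.Core.Notifications;

public class ExternalProviderComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        builder.AddNotificationHandler<SendEmailNotification, ExternalInviteHandler>();
        builder.AddNotificationHandler<UserLogoutSuccessNotification, ExternalSignOutHandler>();
    }
}

// Takes over the invite e-mail when every user lives in the external provider
// (DenyLocalLogin set). Umbraco's own invite link would lead to a local
// password-setup page that such users must never reach.
public class ExternalInviteHandler : INotificationHandler<SendEmailNotification>
{
    private readonly ILogger<ExternalInviteHandler> _logger;

    public ExternalInviteHandler(ILogger<ExternalInviteHandler> logger) => _logger = logger;

    public void Handle(SendEmailNotification notification)
    {
        // Only the invite flow is replaced; password reset and other e-mail
        // types keep Umbraco's default behaviour.
        if (notification.EmailType != "UserInvite")
        {
            return;
        }

        foreach (var recipient in notification.Message.To)
        {
            // Hypothetical hand-off: create or invite the user in the identity
            // provider here (its admin API, SCIM, Graph, ...). Do not forward the
            // original message body: it carries Umbraco's local invite token.
            _logger.LogInformation("Invite for {Recipient} handed to the external provider", recipient);
        }

        // Marks the notification as handled so Umbraco skips its own e-mail.
        notification.HandleEmail();
    }
}

// Ends the external provider session as well, so a backoffice logout is a
// logout everywhere; otherwise the next visit silently signs the user back in.
public class ExternalSignOutHandler : INotificationHandler<UserLogoutSuccessNotification>
{
    // A fixed, trusted value. Never build this from request input: the backoffice
    // redirects to it unconditionally, which would turn it into an open redirect.
    private const string EndSessionUrl =
        "https://idp.example.com/connect/endsession?post_logout_redirect_uri=https%3A%2F%2Fwww.example.com%2F";

    public void Handle(UserLogoutSuccessNotification notification)
        => notification.SignOutRedirectUrl = EndSessionUrl;
}
```

Register the post_logout_redirect_uri with the identity provider as an allowed value; most OpenID Connect providers refuse the end-session request otherwise, which leaves the user signed out of Umbraco but not of the provider.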
This section includes information on Umbraco security, its various security options, and configuring how authentication and authorization work in Umbraco.
In this article, you will find everything you need regarding security within Umbraco.
On our main website, we have a dedicated security section which provides all the details you need to know about security within the Umbraco CMS. This includes how to report a vulnerability.
We highly encourage the use of HTTPS on Umbraco websites, especially in production environments. By using HTTPS you greatly improve the security of your website.
In the "Use HTTPS" article you can learn more about how to use HTTPS and how to set it up.
Learn which password settings can be configured in Umbraco.
Learn about how to harden the security on your Umbraco website to secure it even further.
When your project is hosted on Umbraco Cloud, you might be interested in more details about the security of the hosting. This information can be found in the Umbraco Cloud FAQs section of the documentation.
Out of the box Umbraco ships with a custom ASP.NET Core Identity implementation which uses Umbraco's database data. Normally this is fine for most Umbraco developers, but in some cases the authentication process needs to be customized.
Umbraco users and members support external login providers (OAuth 2.0 / OpenID Connect) for authenticating your users and members. This could be any OpenID Connect provider such as Entra ID (formerly Azure Active Directory), IdentityServer, Google, or Facebook.
Umbraco members support a two-factor authentication (2FA) abstraction for implementing a 2FA provider of your choice. This could be any Time-based One-time Password (TOTP) implementation, including the Microsoft and Google Authenticator apps.
This is typically a legacy approach to validating credentials with external resources but it is possible.
Marking fields as sensitive will hide the data in those fields for backoffice users that do not have permission to view personal data of members.
How to configure Umbraco to run on a FIPS compliant server.
Umbraco HQ offers a full-day training course covering an overview of Transport Layer Security (TLS), understanding threats, two-factor authentication, and more. The course targets frontend and backend developers, designers, and technical users.
Learn about the cookies required for accessing the Umbraco Backoffice and their purposes.
The cookies listed in this article are required only for accessing the Backoffice. You can include these in your own cookie policy, if you wish.
The below cookies are necessary for accessing the Umbraco Backoffice and functioning of the website. They allow you to enjoy the contents and services you request.
The UMB_SESSION cookie is marked Secure when it is issued over HTTPS. If you want to enforce this for the cookie in your own code, add the following in the Program.cs file after Build():
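As an added example (not the snippet from the Umbraco documentation), this Program.cs excerpt, based on the standard Umbraco minimal-hosting template, applies a cookie policy right after Build() so it runs before any Umbraco middleware writes a cookie. Only the cookie-policy call is the point; the surrounding lines are the template's own pipeline, reproduced so the placement is unambiguous.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Umbraco.Extensions;

WebApplicationBuilder builder = WebApplication.CreateBuilder(args);

builder.CreateUmbracoBuilder()
    .AddBackOffice()
    .AddWebsite()
    .AddComposers()
    .Build();

WebApplication app = builder.Build();

// Cookie policy middleware rewrites Set-Cookie headers as each response starts,
// so it covers UMB_SESSION and every other cookie the site issues.
app.UseCookiePolicy(new CookiePolicyOptions
{
    // Never sent over plain http, even if a page is reached that way.
    Secure = CookieSecurePolicy.Always,
    // Lax keeps top-level redirects from external login providers working;
    // Strict breaks those callbacks. HttpOnly is deliberately not forced here:
    // the backoffice client must read its anti-forgery token cookie from script.
    MinimumSameSitePolicy = SameSiteMode.Lax,
});

await app.BootUmbracoAsync();

app.UseUmbraco()
    .WithMiddleware(u =>
    {
        u.UseBackOffice();
        u.UseWebsite();
    })
    .WithEndpoints(u =>
    {
        u.UseInstallerEndpoints();
        u.UseBackOfficeEndpoints();
        u.UseWebsiteEndpoints();
    });

await app.RunAsync();
```

With Secure set to Always the browser will not send UMB_SESSION over http at all, so a local site served on plain http can no longer log in to the backoffice; use the https launch profile locally, or CookieSecurePolicy.SameAsRequest if you must support http in development.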
For information on the rest of the cookies, see the file on GitHub.
How to take advantage of the built-in rate limiting middleware of ASP.NET Core in Umbraco.
Since ASP.NET Core 7, you can use the built-in rate limiting middleware to rate limit your APIs. You can apply the EnableRateLimiting and DisableRateLimiting attributes to add rate limiting at the controller or endpoint level. In this article, we will go through how you can configure and utilize different rate limiting strategies for Umbraco APIs.
Rate limiting helps control the number of requests to an API, typically within a specified time frame or based on other parameters. This helps the stability, availability, and security of your APIs. The key benefits are:
Preventing server or application overload
Improving security by slowing down brute-force attempts (for example against login or password-reset endpoints) and abusive clients; note that application-level rate limiting does not by itself stop a volumetric DDoS attack, which has to be absorbed upstream
Reducing unnecessary resource usage, thereby cutting down on costs
You can configure rate limiting in Umbraco by composition. To use the middleware, you need to register the rate limiting services first:
After that, you have to apply the rate limiting middleware by creating an Umbraco pipeline filter. UseRateLimiter() must be called after UseRouting(), therefore we use the PostRouting hook to make sure this happens in the correct order:
With the set-up in place, let's take a look at some limiter options.
Inside AddRateLimiter() we can use the GlobalLimiter option to set a global rate limiter for all requests:
If you want to be more granular, you can configure different rate limits for different endpoints in AddRateLimiter() as well:
In the code snippet above, we have configured 2 fixed window limiters with different settings and different policy names ("fixed1" and "fixed2"). We can apply these policies to specific endpoints within Umbraco using the same UmbracoPipelineFilter:
This part of the code shows how to apply the fixed1 policy to the AuthenticationController.PostRequestPasswordReset endpoint, which handles password reset requests. We do that by dynamically modifying the endpoint's metadata, attaching an EnableRateLimitingAttribute with the name of the policy that needs to be applied. This enforces the defined rate limit on that particular endpoint without touching the controller's source.
For your reference, here is the complete ApiRateLimiterComposer.cs implementation.
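As an added example (not the documentation's own ApiRateLimiterComposer.cs), here is one complete composer that does the three steps described above: register the limiter services with a global limiter and the two named fixed-window policies, hook UseRateLimiter() into the Umbraco pipeline after routing, and attach EnableRateLimitingAttribute("fixed1") to AuthenticationController.PostRequestPasswordReset through its endpoint metadata. The metadata is attached with an MVC IActionModelConvention, which is one way to do it, not necessarily the mechanism used on the original page; the limits and the per-client partition key are illustrative values.

```csharp
using System;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.ApplicationModels;
using Microsoft.AspNetCore.RateLimiting;
using Microsoft.Extensions.DependencyInjection;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Web.BackOffice.Controllers;
using Umbraco.Cms.Web.Common.ApplicationBuilder;

public class ApiRateLimiterComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        builder.Services.AddRateLimiter(options =>
        {
            // The default rejection status is 503; 429 tells clients to back off.
            options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

            // Global limiter partitioned per client address, so one noisy client
            // cannot exhaust the budget for everyone else.
            options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
                RateLimitPartition.GetFixedWindowLimiter(
                    partitionKey: ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
                    factory: _ => new FixedWindowRateLimiterOptions
                    {
                        PermitLimit = 100,
                        Window = TimeSpan.FromSeconds(10),
                        AutoReplenishment = true,
                    }));

            // "fixed1": 2 requests per 10 seconds, tight enough for password reset.
            options.AddFixedWindowLimiter("fixed1", o =>
            {
                o.PermitLimit = 2;
                o.Window = TimeSpan.FromSeconds(10);
                o.AutoReplenishment = true;
            });

            // "fixed2": a looser policy for less sensitive endpoints.
            options.AddFixedWindowLimiter("fixed2", o =>
            {
                o.PermitLimit = 20;
                o.Window = TimeSpan.FromSeconds(10);
                o.AutoReplenishment = true;
            });
        });

        // UseRateLimiter() must run after UseRouting() so the limiter can see the
        // matched endpoint's metadata; PostRouting is the Umbraco pipeline slot for that.
        builder.Services.Configure<UmbracoPipelineOptions>(options =>
        {
            options.AddFilter(new UmbracoPipelineFilter("ApiRateLimiter")
            {
                PostRouting = app => app.UseRateLimiter(),
            });
        });

        // Attaches the policy attribute to the endpoint metadata at startup,
        // equivalent to decorating the action with [EnableRateLimiting("fixed1")].
        builder.Services.Configure<MvcOptions>(o =>
            o.Conventions.Add(new PasswordResetRateLimitConvention()));
    }
}

public class PasswordResetRateLimitConvention : IActionModelConvention
{
    public void Apply(ActionModel action)
    {
        if (action.Controller.ControllerType != typeof(AuthenticationController)
            || action.ActionName != nameof(AuthenticationController.PostRequestPasswordReset))
        {
            return;
        }

        foreach (var selector in action.Selectors)
        {
            selector.EndpointMetadata.Add(new EnableRateLimitingAttribute("fixed1"));
        }
    }
}
```

Behind a reverse proxy or load balancer RemoteIpAddress is the proxy's address, so every client lands in the same partition; add UseForwardedHeaders (configured to trust only your proxy) before this filter, or partition on a different key, before relying on the per-client limit.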
Authentication for backoffice users and website members in Umbraco uses ASP.NET Core Identity, which is a flexible and extendable framework for authentication.
The BackOfficeUserManager is the ASP.NET Core Identity implementation in Umbraco. It exposes APIs for working with Umbraco Users via ASP.NET Core Identity, including password handling.
In most cases, external login providers will meet your needs when authenticating against external resources. In some cases you may only need to change how the username and password credentials are checked.
You are able to check the username and password against your own credentials store by implementing a custom password checker. Learn more about this in the dedicated article.
If you need to reset the accounts of every other user while you still have administrative access, check the article on resetting user accounts.
See the training course page to learn more about the topics covered and how it can enhance your Umbraco development skills.
In the GlobalLimiter example, we have added a FixedWindowLimiter and configured it to automatically replenish permitted requests and to permit 2 requests per 10 seconds. There are different algorithms and techniques for implementing rate limiting, which can vary depending on your use case. For more information, check the currently supported rate limiting algorithms in the ASP.NET Core documentation.