umbraco / Umbraco-CMS

Umbraco is a free and open source .NET content management system helping you deliver delightful digital experiences.
https://umbraco.com
MIT License

Feature request: Multiple redirect Uri's for shared database #16807

Open edihasler opened 2 months ago

edihasler commented 2 months ago

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

14.1

Bug summary

I am using a single database across multiple environments and different URLs for each environment on Azure App Service (swap) + multiple second level domains for each language. EnsureBackOfficeApplicationAsync is only accepting one Uri (https://github.com/umbraco/Umbraco-CMS/blob/contrib/src/Umbraco.Cms.Api.Management/Middleware/BackOfficeAuthorizationInitializationMiddleware.cs#L89).

Steps to reproduce

Set up Umbraco CMS (version 14.1) with a single database shared across multiple environments (e.g., development, staging, production). Configure different URLs for each environment. Make the first request to the backend of any environment. Observe that the redirect URI for OpenIddict is written into the database with the URL of the current environment. Attempt to log into the backend using a different environment's URL.

Expected result

The backend login should work regardless of which environment URL is used, and the redirect URI should be dynamically handled to accommodate multiple environments. OpenIddict supports multiple Uris (https://github.com/openiddict/openiddict-core/issues/316).

Actual result

The redirect URI is written into the database with the URL of the first environment that made a request. This causes login issues when trying to access the backend from any other environment's URL.

Additional information

For legacy reasons I can't use different databases per environment. I think it would make sense to allow all configured domains in “Culture and hostnames”? (https://github.com/umbraco/Umbraco-CMS/issues/16179#issuecomment-2194288763)

github-actions[bot] commented 2 months ago

Hi there @edihasler!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot :robot: :slightly_smiling_face:

iOvergaard commented 2 months ago

I agree this is an area to improve. You can set the Umbraco:CMS:Security:BackOfficeHost in appsettings.json to specify exactly which URL is accepted as a redirect uri, but only one URL can be defined per environment.

On Azure, you can define this as an environment variable:

{
  "name": "UMBRACO__CMS__Security__BackOfficeHost",
  "value": "https://some.other.host",
  "slotSetting": false
}

In doing so, you specify that this URL is allowed as a redirect_uri regardless of where the first request came from.

dawoe commented 2 months ago

Hi @iOvergaard and @edihasler

Pointing multiple environments to the same database is considered load balancing in Umbraco. This requires a specific configuration: https://docs.umbraco.com/umbraco-cms/v/13.latest-lts/fundamentals/setup/server-setup/load-balancing. Make sure it is configured correctly for Azure.

When load balancing you can only have one Backoffice server. If you change content from different instances you will run into a lot of issues.

edihasler commented 2 months ago

Hi @iOvergaard. Even if I add the URL specifically in the appsettings.json, does this not change the fact that the URL of the first request (at app start) gets written to the database? If I have one single database for development, staging and production and a different URL for each environment, I can only access the backend from the one from which I made the first request.

As an example: the app starts, the first request I make to the backend is from the production URL ("https://production.other.host"), then I can't log into the backend from the development URL ("https://development.other.host").

dawoe commented 2 months ago

Hi @edihasler

I would strongly advise against using this setup. It is asking for accidents to happen. Besides the issues you will face because you are load balancing (cache and indexes out of sync), you will probably break your production environment because you are connecting your development environment to it.

edihasler commented 2 months ago

Hi @dawoe. We have been working with a single/shared database for several years now (since V7).

We are aware of all the risks but have them under control.

Umbraco introduced OpenIddict with V14, which internally already supports multiple redirect URIs.

Umbraco doesn't have a setting for multiple redirect URIs.

Is this something you are thinking of implementing?

dawoe commented 2 months ago

Hi @edihasler

I can't speak for Umbraco HQ, but I would recommend rethinking your setup. You will face issues with this setup, which are sometimes hard to notice, and even harder to pinpoint.

Dave

JasonElkin commented 2 months ago

Hey @edihasler,

We have been working with a single/shared database for several years now (V7).

We are aware of all the risks but have them under control.

This may be the case, but it is still not a supported configuration so is liable to break, for any number of reasons, with any upgrade. You've been lucky until now and even if you've worked around or learnt to live with the inherent bugs and deficiencies in running this kind of setup they are still deficiencies.

Whether or not a fix or workaround for this particular issue happens, I'm with Dave on strongly advising you to not share databases between environments.

Either way, I hope that you find a solution that works for you. Jason

edihasler commented 5 days ago

Hi guys,

Before we close the ticket, I have one more question:

How does blue-green deployment affect this scenario? If I have a slot on a web app using a different domain, and I make the first request there, the domain will be written to the database... After the swap, will I still be able to access the Umbraco backend using the production domain? I don't think so...

Thanks, Eduard

meixger commented 2 days ago

I am in the same situation and hack-fixed it with my own OpenIddictApplicationManager where I patch the RedirectUris when creating and validating.

With this, my DX and workflow can stay the same (using a shared db) as it was since v7.

Works fine so far, but I will re-evaluate later on.
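The single-URI limitation iOvergaard describes (one Umbraco:CMS:Security:BackOfficeHost per environment) and the custom-manager approach meixger mentions both come down to OpenIddict's redirect_uri validation. The following is an added illustration, not code from Umbraco, OpenIddict or any commenter on this thread. It replaces OpenIddict's OpenIddictApplicationManager<TApplication> with a subclass that leaves the stored redirect URI alone and only widens validation to an explicit, exact-match allowlist read from configuration (the configuration key BackOfficeAllowedRedirectUris, the class names and the composer registration are assumptions for the example). Listing both a slot hostname and the production hostname would also cover the blue-green swap edihasler asks about, since validation no longer depends on which host made the first request. The constructor signature and ReplaceApplicationManager call follow the OpenIddict 5 API as I know it; verify against the OpenIddict version your Umbraco release ships.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using OpenIddict.Abstractions;
using OpenIddict.Core;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;

// Added example (not Umbraco's, OpenIddict's or meixger's code). The URI Umbraco
// persists on first request stays valid; on top of that, only exact matches
// against a configured allowlist are accepted. Nothing is written back to the DB.
public sealed class AllowListedRedirectUriApplicationManager<TApplication>
    : OpenIddictApplicationManager<TApplication>
    where TApplication : class
{
    // Hypothetical configuration key; the thread does not define one.
    // Example appsettings.json fragment (constructed):
    //   "BackOfficeAllowedRedirectUris": [
    //     "https://production.other.host/umbraco/oauth_complete",
    //     "https://staging-slot.other.host/umbraco/oauth_complete"
    //   ]
    public const string ConfigurationKey = "BackOfficeAllowedRedirectUris";

    private readonly IReadOnlyList<Uri> _allowed;

    public AllowListedRedirectUriApplicationManager(
        IOpenIddictApplicationCache<TApplication> cache,
        ILogger<OpenIddictApplicationManager<TApplication>> logger,
        IOptionsMonitor<OpenIddictCoreOptions> options,
        IOpenIddictApplicationStoreResolver resolver,
        IConfiguration configuration)
        : base(cache, logger, options, resolver)
    {
        _allowed = ParseAllowList(configuration.GetSection(ConfigurationKey).Get<string[]>());
    }

    // Only absolute https URIs make it into the allowlist. A malformed or http
    // entry is dropped at startup instead of silently becoming a redirect target.
    internal static IReadOnlyList<Uri> ParseAllowList(IEnumerable<string>? values)
    {
        var result = new List<Uri>();
        foreach (var value in values ?? Array.Empty<string>())
        {
            if (Uri.TryCreate(value, UriKind.Absolute, out var parsed)
                && parsed.Scheme == Uri.UriSchemeHttps)
            {
                result.Add(parsed);
            }
        }
        return result;
    }

    public override async ValueTask<bool> ValidateRedirectUriAsync(
        TApplication application, string uri, CancellationToken cancellationToken = default)
    {
        // Default behaviour first: the redirect URI stored for the application is still valid.
        if (await base.ValidateRedirectUriAsync(application, uri, cancellationToken))
        {
            return true;
        }

        // Then an exact match against the allowlist. No prefix, wildcard or
        // host-only comparison: loose matching here is the open-redirect bug
        // that redirect_uri validation exists to prevent.
        return IsAllowListed(uri, _allowed);
    }

    internal static bool IsAllowListed(string uri, IReadOnlyList<Uri> allowed)
    {
        if (!Uri.TryCreate(uri, UriKind.Absolute, out var candidate))
        {
            return false;
        }
        foreach (var entry in allowed)
        {
            // AbsoluteUri normalises host case and default ports, so the
            // comparison itself can stay strictly ordinal.
            if (string.Equals(entry.AbsoluteUri, candidate.AbsoluteUri, StringComparison.Ordinal))
            {
                return true;
            }
        }
        return false;
    }
}

// Assumed registration: an Umbraco composer that swaps in the manager for every
// TApplication type. Whether calling AddOpenIddict().AddCore(...) again after
// Umbraco's own registration is the right hook should be checked for your version.
public sealed class AllowListedRedirectUriComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder) =>
        builder.Services.AddOpenIddict().AddCore(core =>
            core.ReplaceApplicationManager(typeof(AllowListedRedirectUriApplicationManager<>)));
}
```

The design point is that the allowlist is a deliberate, reviewable configuration value, not something derived from the incoming request's Host header: deriving it from the request would reintroduce exactly the "whoever asks first wins" behaviour the issue is about, only with every caller winning. Keep the list short and exact, and treat a change to it like any other authentication configuration change.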