umbraco / Umbraco.Cloud.Issues

Public issue tracker for Umbraco Cloud

GetAccessToken error when logged in via ExternalAuthProvider #630

Open jdpnielsen opened 1 year ago

jdpnielsen commented 1 year ago

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

10.3.2

Bug summary

When a user is logged in via an External Auth Provider, an exception is thrown when opening the profile drawer:


Specifics

The error seems to come from /umbraco/backoffice/umbracoidchallenge/GetAccessToken endpoint:

System.InvalidOperationException: No account Id could be resolved from the current user Claims. The following claims are required, here are their values:uid = , utid = 
   at Umbraco.Cloud.Identity.Cms.V10.Extensions.TokenAcquisitionExtensions.DebugMSALInfoAsync(ITokenAcquisition tokenAcquisition, ClaimsPrincipal claimsPrincipal, B2CConfiguration b2CConfiguration, ILogger logger)
   at Umbraco.Cloud.Identity.Cms.V10.Extensions.TokenAcquisitionExtensions.GetAccessTokenForUserAsync(ITokenAcquisition tokenAcquisition, ClaimsPrincipal claimsPrincipal, B2CConfiguration b2CConfiguration, ILogger logger)
   at Umbraco.Cloud.Identity.Cms.V10.Controllers.UmbracoIdChallengeController.GetAccessToken()
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()

Steps to reproduce

  1. Configure external auth provider as per docs: https://docs.umbraco.com/umbraco-cms/reference/security/authenticate-with-active-directory
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Web.BackOffice.Security;
using Umbraco.Extensions;

namespace Project.Core.OpenIdAuthentication
{
    // Back-office login button/link behaviour for the "Umbraco.OpenIdConnect" scheme.
    public class OpenIdConnectBackOfficeExternalLoginProviderOptions : IConfigureNamedOptions<BackOfficeExternalLoginProviderOptions>
    {
        public const string SchemeName = "OpenIdConnect";

        public void Configure(string name, BackOfficeExternalLoginProviderOptions options)
        {
            // Only configure the options instance registered for this scheme.
            if (name != "Umbraco." + SchemeName)
            {
                return;
            }

            Configure(options);
        }

        public void Configure(BackOfficeExternalLoginProviderOptions options)
        {
            options.ButtonStyle = "btn-danger";
            options.Icon = "fa fa-cloud";
            options.AutoLinkOptions = new ExternalSignInAutoLinkOptions(
                    // Must be true for auto-linking to be enabled
                    autoLinkExternalAccount: true,
                    defaultCulture: null,
                    allowManualLinking: false
            )
            {
                // Approve the back-office user that is created on first external login.
                OnAutoLinking = (autoLinkUser, loginInfo) =>
                {
                    autoLinkUser.IsApproved = true;
                },
                // Returning true lets the external login proceed.
                OnExternalLogin = (user, loginInfo) =>
                {
                    return true;
                }
            };

            // Username/password login is disabled; the login page still shows the
            // provider button instead of redirecting to the provider automatically.
            options.DenyLocalLogin = true;
            options.AutoRedirectLoginToExternalProvider = false;
        }
    }

    public static class OpenIdConnectAuthenticationExtensions
    {
        // Registers the OpenID Connect provider as a back-office external login.
        public static IUmbracoBuilder AddOpenIdConnectAuthentication(this IUmbracoBuilder builder)
        {
            builder.Services.ConfigureOptions<OpenIdConnectBackOfficeExternalLoginProviderOptions>();

            builder.AddBackOfficeExternalLogins(logins =>
            {
                logins.AddBackOfficeLogin(backOfficeAuthenticationBuilder =>
                {
                    backOfficeAuthenticationBuilder
                        .AddOpenIdConnect(
                            backOfficeAuthenticationBuilder.SchemeForBackOffice(OpenIdConnectBackOfficeExternalLoginProviderOptions.SchemeName),
                            "External login",
                            options =>
                            {
                                var config = builder.Config;

                                options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                                options.Authority = config["OpenId:Authority"];
                                options.ClientId = config["OpenId:ClientId"];
                                options.ClientSecret = config["OpenId:ClientSecret"];
                                // Authorization code flow with PKCE; tokens are kept in the auth cookie.
                                options.ResponseType = OpenIdConnectResponseType.Code;
                                options.AuthenticationMethod = OpenIdConnectRedirectBehavior.RedirectGet;
                                options.RequireHttpsMetadata = true;
                                options.GetClaimsFromUserInfoEndpoint = true;
                                options.SaveTokens = true;
                                options.UsePkce = true;

                                // map claims
                                options.TokenValidationParameters.NameClaimType = "name";

                                // add scopes
                                options.Scope.Add("openid");
                                options.Scope.Add("email");
                            });
                });
            });
            return builder;
        }
    }
}
  2. Login via configured external auth provider
  3. Click profile button
  4. Error modal shows

If user dismisses the error modal, user can still interact with the 'Edit' button.

Expected result / actual result

No error modal to be thrown
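The exception above states that GetAccessToken needs the `uid` and `utid` claims and throws when both are empty, which is exactly the situation for a back-office user who signed in through a customer-configured OIDC provider rather than Umbraco ID. The following is an added example, not Umbraco Cloud code and not code from the reporter, showing the defensive shape such an endpoint can take: check for the claims the token acquisition needs and fall back cleanly instead of surfacing a 500 to the profile drawer. The helper name `TryResolveMsalAccountId`, the `uid.utid` account-id format (the Microsoft.Identity.Web convention as I understand it) and both sample principals are assumptions constructed for the demonstration.

```csharp
using System;
using System.Security.Claims;

// Added example (not Umbraco Cloud's implementation): resolve the MSAL
// home-account id from the signed-in principal without throwing when the
// claims are missing.
public static class MsalAccountIdResolver
{
    // Claim types named in the issue's error message.
    private const string UniqueObjectId = "uid";
    private const string UniqueTenantId = "utid";

    // Returns false instead of throwing when either claim is absent. An "oid"/"tid"
    // pair from a customer's own Azure AD tenant would identify a different
    // directory, so it is deliberately not used as a fallback here.
    public static bool TryResolveMsalAccountId(ClaimsPrincipal user, out string accountId)
    {
        accountId = null;
        var uid = user.FindFirst(UniqueObjectId)?.Value;
        var utid = user.FindFirst(UniqueTenantId)?.Value;

        if (string.IsNullOrEmpty(uid) || string.IsNullOrEmpty(utid))
        {
            return false;
        }

        // Assumed format: "{uid}.{utid}" (Microsoft.Identity.Web convention).
        accountId = $"{uid}.{utid}";
        return true;
    }

    // What a profile endpoint could do instead of throwing: report that no
    // Umbraco ID account is attached to this login so the UI can degrade.
    public static string DescribeProfileAccess(ClaimsPrincipal user)
    {
        return TryResolveMsalAccountId(user, out var accountId)
            ? $"acquire token for MSAL account {accountId}"
            : "no Umbraco ID account linked to this login; skip token acquisition";
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: a user who signed in through Umbraco ID (B2C) and
        // therefore carries the uid/utid claims.
        var umbracoIdUser = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim("name", "Alice Editor"),
            new Claim("uid", "11111111-1111-1111-1111-111111111111"),
            new Claim("utid", "22222222-2222-2222-2222-222222222222"),
        }, "UmbracoId"));

        // Constructed sample: a user who signed in through a customer's own
        // OpenID Connect provider, as in the reproduction steps above. Only the
        // claims that provider issues are present; uid/utid are not.
        var externalOidcUser = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim("name", "Bob Contractor"),
            new Claim("email", "bob@example.test"),
            new Claim("sub", "ext-8b4f2c"),
        }, "OpenIdConnect"));

        Console.WriteLine(MsalAccountIdResolver.DescribeProfileAccess(umbracoIdUser));
        Console.WriteLine(MsalAccountIdResolver.DescribeProfileAccess(externalOidcUser));
    }
}
```

Running this prints a resolved account id for the first principal and the "no Umbraco ID account linked" message for the second; the point is that the second path returns a result the profile drawer can render rather than an InvalidOperationException.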

github-actions[bot] commented 1 year ago

Hi there @jdpnielsen!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot :robot: :slightly_smiling_face:

sajumb commented 1 year ago

Thanks for reporting this. We have added it to the product backlog. For internal use: this might be related to https://github.com/umbraco/Umbraco.Cloud.Issues/issues/626

PGGMTeam5 commented 1 year ago

This is also an issue for us at PGGM when using AzureAD login, so please fix this asap!

Xiaohao-Ye commented 1 year ago

At Axendo we have also encountered this issue. A quick fix would be much appreciated.