Active Directory IConfigureNamedOptions - can't inject IUserService userService keeps hanging

darrenhunterEmerald · March 4, 2026, 10:31am

Hi,

I am trying to update some of our custom code for AD login, in the code we use on Version 10 and 13, we inject the user service in to the code that uses IConfigureNamedOptions but every time I do this, Umbraco will not boot.

Here is the code

using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Settings.App_Code.Helpers;
using Umbraco.Cms.Api.Management.Security;
using Umbraco.Cms.Core;
using Umbraco.Cms.Core.Services;
using Umbraco.Cms.Web.Common.Controllers;

namespace UmbracoCMSAzureActiveDirectory.App_Code.AzureActiveDirectory
{
public class OpenIdConnectBackOfficeExternalLoginProviderOptions : IConfigureNamedOptions
{
    public const string SchemeName = "Microsoft";
    private settings Settings = new settings();
    private readonly IUserService _userService;
    private readonly IHttpContextAccessor _httpContext;
    private IConfiguration _config;
    private ILogger<OpenIdConnectBackOfficeExternalLoginProviderOptions> _logger;

    public OpenIdConnectBackOfficeExternalLoginProviderOptions(IConfiguration config, ILogger<OpenIdConnectBackOfficeExternalLoginProviderOptions> logger, IUserService userService) //IUserService userService, IHttpContextAccessor httpContextAccessor, IConfiguration config
    {
        //_userService = userService;
        //_httpContext = httpContextAccessor;
        //_config = config;

        _logger= logger;

        _logger.Log(LogLevel.Information, "Active AD Starting......");
    }

    public void Configure(string? name, BackOfficeExternalLoginProviderOptions options)
    {
        if (name != "Umbraco." + SchemeName)
        {
            _logger.Log(LogLevel.Information, "Active AD Scheme Name dose not match......");
            return;
        }

        _logger.Log(LogLevel.Information, "Active AD Scheme Name ok......");
        _logger.Log(LogLevel.Information, "Active AD Scheme Name:"  + "Umbraco." + SchemeName);
        Configure(options);
    }

    public void Configure(BackOfficeExternalLoginProviderOptions options)
    {

        _logger.Log(LogLevel.Information, "Active AD Configing......");

        options.AutoLinkOptions = new ExternalSignInAutoLinkOptions(
            // must be true for auto-linking to be enabled
            autoLinkExternalAccount: true,

            // Optionally specify default user group, else
            // assign in the OnAutoLinking callback
            // (default is editor)
            defaultUserGroups: new[] { Constants.Security.AdminGroupAlias },

            // Optionally specify the default culture to create
            // the user as. If null it will use the default
            // culture defined in the web.config, or it can
            // be dynamically assigned in the OnAutoLinking
            // callback.

            defaultCulture: null,
            // Optionally you can disable the ability to link/unlink
            // manually from within the back office. Set this to false
            // if you don't want the user to unlink from this external
            // provider.
            allowManualLinking: false
        )
        {
            // Optional callback
            OnAutoLinking = (autoLinkUser, loginInfo) =>
            {
                // You can customize the user before it's linked.
                // i.e. Modify the user's groups based on the Claims returned
                // in the externalLogin info

                //autoLinkUser.IsApproved = true;

            },
            OnExternalLogin = (user, loginInfo) =>
            {
                // You can customize the user before it's saved whenever they have
                // logged in with the external provider.
                // i.e. Sync the user's name based on the Claims returned
                // in the externalLogin info

                

                // check the umbraco user status
                var umbracoUser = _userService.GetByEmail(user.Email);

                if (umbracoUser != null)
                {
                    // is this a valid approved umbraco user
                    if (umbracoUser.IsApproved && umbracoUser.IsLockedOut == false)
                    {
                        return true;
                    }
                    // is this an invited umbraco user? - set to approved automatically
                    else if (umbracoUser.UserState == Umbraco.Cms.Core.Models.Membership.UserState.Invited)
                    {
                        user.IsApproved = true;
                        return true;
                    }
                    // is this is an existing user who has previously signed in but they are disabled or locked out
                    else if (umbracoUser.LastLoginDate != null && (!umbracoUser.IsApproved || umbracoUser.IsLockedOut))
                    {
                        return false;
                    }
                    else if (!umbracoUser.IsApproved && umbracoUser.LastLoginDate == null)
                    {
                        // this user has never logged in and is not approved
                        // this must be a user that was not already set up in umbraco
                        // if not an existing user, delete the new record
                        _userService.Delete(umbracoUser, true);
                        return false;
                    }
                }

                return true; //returns a boolean indicating if sign in should continue or not.
            }
        };
        options.DenyLocalLogin = false;


       
    }
}
}

darrenhunterEmerald · March 4, 2026, 10:56am

The above is the code I have come up with for 17 after looking at the google example.

But it not working when I try and Inject the User Service.

cheeseytoastie · March 5, 2026, 9:58am

Perhaps not relevant but worth checking.

Just been fighting some v13 → v17 gremlins and it came down to some legacy carry over from old versions where I had Startup.cs Program.cs Register.cs all doing various DI, config and Composer stuff that was causing conflicts.

I was getting lots of weirdness - especially around members. When I stripped it all back and put everything in the correct order in Program.cs things started behaving. I was also getting lots of Ambient scope Hybrid cache issues - most of which came down to this.

HTH

Steve

darrenhunterEmerald · March 5, 2026, 11:39am

I sort of got this to work, the Only problem I have now is I still can pass in the IUser Service.

As we need to check to make sure the account on AD has a corresponding Umbraco Account.

We done this for security purpose, and this working in V10 and 13, but for some reason with 17 it dose not work. The only diffrence with the V17 code is it getting called from a composer not the program.cs or startup.cs file.

mistyn8 · March 5, 2026, 1:03pm

Could it be it needs a compose after/before?
Composing | CMS | Umbraco Documentation

darrenhunterEmerald · March 5, 2026, 1:18pm

I based my AD code on External login providers | CMS | Umbraco Documentation

mistyn8 · March 5, 2026, 1:38pm

OnExternalLogin = (user, loginInfo) =>
{
    using var scope = _serviceProvider.CreateScope();
    var userService = scope.ServiceProvider.GetRequiredService<IUserService>();

    var umbracoUser = userService.GetByEmail(user.Email);

rather than DI?
Is mentioned in the docs, though not ideal..
IPublishedContentQuery | CMS | Umbraco Documentation

darrenhunterEmerald · March 5, 2026, 1:48pm

Thank you that works.