External member login 17.3.0+

Laundryman · April 19, 2026, 12:35pm

After upgrading to Umbraco 17.3.0 from 17.2.2 - external member openId login using OpenIdBuilderExtension - HttpContext.User is not authenticated after successful login via Azure EntraId, error caught on ViewData.GetExternalSignInProviderErrors - after OnTokenValidated where ClaimsPrincipal is authenticated. Error returned as “provider returned an invalid response”.

Anyone else experienced this - this works fine up to version 17.2.2

BishalTimalsina12 · April 19, 2026, 1:58pm

Hi Nick ,

Welcome to the Forum!

Looked through the 17.3.0 release notes and a few auth-related PRs stand out :

AllowConcurrentLogins enforcement for members #21940 & #21928 separated and enforced this setting for members. It may be invalidating the session after OnTokenValidated, explaining why ClaimsPrincipal is authenticated but HttpContext.User is not.
OAuth token exchange changes #22097 & #22087 touched the /token flow which could affect external logins.
OIDC sign-out changes #21952 may have had side effects on the sign-in pipeline.

Worth checking Umbraco:CMS:Security:AllowConcurrentLogins in your appsettings try setting it to true for members and see if that helps. If confirmed as the cause, raising a GitHub issue referencing the PRs above would be the next step.

EssCee · April 19, 2026, 2:01pm

In addition to the above I would also ensure `sign-in’ is also part of the reserved paths

justin-nevitech · April 20, 2026, 5:45am

Hi @Laundryman

A few things you can try:

Turn the Microsoft.AspNetCore.Authentication.OpenIdConnect and Microsoft.AspNetCore.Authentication.Cookies levels to Debug. That may give you more clues to the issue.

In devtools, check the /signin-oidc response for a Set-Cookie on the member external scheme, then check whether the browser sends it on the next hop. Missing on /signin-oidc means something is failing before sign-in. Set but not sent back points at SameSite, domain or scheme validation.

I can’t see it raised on GitHub yet, so worth opening one if it does turn out to be a regression.

Justin

Laundryman · April 21, 2026, 10:11am

I tried changing Umbraco:CMS:Security:AllowConcurrentLogins to true, but it did not make any difference.

Laundryman · April 21, 2026, 10:42am

I have managed to get some debug info, though I’m not sure how useful it is.

The first two are just the site loading the landing page and showing the login prompt

It then handles the login and receives the token successfully, and shows it’s signed in ( I think that’s what that means) and then line 8, it’s not authenticated

?

justin-nevitech · April 22, 2026, 8:47pm

Hi @Laundryman

It may be worth seeing if you can reproduce this on a clean 17.3.0 instance just to rule everything else out. If it definitely did work on 17.2.2 but not 17.3.0 and you can provide a working example then raise it as an issue here:

Justin