Hi all,
I’m working with Umbraco 17 and a custom OpenID Connect provider. I’m seeing a backoffice login loop where the OIDC flow completes successfully, but the backoffice session is never finalised.
I’ve narrowed this down quite a bit but would appreciate confirmation on where the final handoff should occur.
Observed Behaviour
When accessing:
/umbraco/management/api/v1/security/back-office/authorize
The OIDC challenge is initiated correctly.
The callback endpoint:
/umbraco-signin-oidc
Successfully exchanges the code for tokens.
Issues UmbracoExternalCookie.
The external principal is valid (sub/nameidentifier present, claims mapped).
However:
No UmbracoBackOffice cookie is issued.
/authorize returns 302 → /umbraco/login.
The login loop continues.
Network Flow (simplified)
/umbraco/login
Redirect to OIDC provider
/umbraco-signin-oidc → 302
/umbraco/management/api/v1/security/back-office/authorize?..
302 → /umbraco/login
Cookie State (Chrome DevTools → Application → Cookies)
Present:
UmbracoExternalCookie (valid, contains principal)
Missing:
Backoffice session cookie
Server-Side Diagnostics
Authentication scheme dump shows:
UmbracoBackOffice (CookieAuthenticationHandler)
UmbracoExternalCookie
UmbracoBackOfficeExposed
Identity.Application
Custom OIDC scheme
JWT scheme
Diagnostics confirm:
AuthenticateAsync("UmbracoExternalCookie") succeeds.
AuthenticateAsync("UmbracoBackOffice") does not succeed.
No Set-Cookie header is emitted during /authorize.
Working Hypothesis
It appears the external ticket → backoffice session handoff is not occurring during /authorize.
One observation is that during /authorize, the default authentication scheme was resolving to Identity.Application, which may be interfering with the backoffice sign-in step.
Attempted explicitly setting:
PostConfigure<AuthenticationOptions>(o =>
{
    // Force the backoffice cookie scheme as the default for authenticate/challenge/sign-in
    o.DefaultAuthenticateScheme = "UmbracoBackOffice";
    o.DefaultChallengeScheme = "UmbracoBackOffice";
    o.DefaultSignInScheme = "UmbracoBackOffice";
});
but this did not result in the backoffice cookie being issued.
Questions
In Umbraco 17, which component is responsible for converting the UmbracoExternalCookie principal into the UmbracoBackOffice session cookie?
Does /management/api/v1/security/back-office/authorize rely on specific default authentication schemes?
Are there known interactions if ASP.NET Core Identity is also registered in the same application?
Is there a recommended way to debug or hook into the final backoffice sign-in step?
At this point, the OIDC handshake itself appears correct; the issue seems isolated to the final backoffice session creation.
Any guidance would be appreciated.
Thanks in advance.