Upgraded site yields 401 and no redirect on /umbraco

kasparboelkjeldsen · November 19, 2025, 12:42pm

I am running out of ideas. I’ve upgraded a site from v13 to v16.3 and got almost everything working just fine. However, if I am not logged in / have a cookie for the backoffice, and I visit /umbraco I am correctly challenged with a 401, but no redirect happens.

If I visit /umbraco/login and do a login everything works fine, and /umbraco works as expected afterwards.

The actual url I end up stuck at is:

(https)://localhost:44338/umbraco/management/api/v1/security/back-office/authorize?redirect_uri=https%3A%2F%2Flocalhost%3A44338%2Fumbraco%2Foauth_complete&client_id=umbraco-back-office&response_type=code&state=QCUX34VgF8&scope=offline_access&prompt=consent&access_type=offline&code_challenge=8byUzw6s-6ly8_gwvZ4bwEsUqu0tqb1aNVCInZcnJuc&code_challenge_method=S256

I’ve debugged everything I can think of, slimming the solution down to not having any other
.AddAuthentication at all .

select * from umbracoOpenIddictApplications where ClientId = ‘umbraco-back-office’

in the database yields correct redirect urls
[“https://localhost:44338/umbraco/oauth_complete","https://localhost:44338/umbraco/logout”\\]
[“https://localhost:44338/umbraco/oauth_complete”\\]

Debugging BackofficeController.Authorizse results in a DefaultChallengeResponse which is the correct kind.

I have a feeling I’m missing something super simple here, but I am running out of ideas.

sebastiaan · November 19, 2025, 12:54pm

Not sure I understand, these reproduction steps are unclear to me:

You’re not logged in AND don’t have a cookie? You’re not logged in but have a cookie?

Additionally, I can’t make out if you’re doing something special with your auth since you said

What does your Program.cs look like? Standard one for v16 is:

WebApplicationBuilder builder = WebApplication.CreateBuilder(args);

builder.CreateUmbracoBuilder()
    .AddBackOffice()
    .AddWebsite()
    .AddComposers()
    .Build();

WebApplication app = builder.Build();

await app.BootUmbracoAsync();


app.UseUmbraco()
    .WithMiddleware(u =>
    {
        u.UseBackOffice();
        u.UseWebsite();
    })
    .WithEndpoints(u =>
    {
        u.UseBackOfficeEndpoints();
        u.UseWebsiteEndpoints();
    });

await app.RunAsync();

I’ve never seen this error from your screenshot but something very similar looking was fixed in:

github.com/umbraco/Umbraco-CMS

Login: Ensures the user is not stuck on redirect or white page after successful log in

main ← v16/bugfix/unwarranted-redirect-after-auth

opened 09:40AM - 19 Aug 25 UTC

iOvergaard

+50 -21

## Description Fixes #17642 Fixes #18334 Fixes #19750 This pull reque…st refines the OAuth authorization flow in the backoffice app, improving both the handling and redirection logic after authentication. The main focus is to ensure users are redirected to their intended location after completing OAuth, and to improve error handling and code clarity. Key changes include updating the authorization completion logic to return more informative results, centralizing redirect logic, and improving error feedback. ### OAuth flow and redirect improvements * Updated the OAuth completion route setup in `UmbAppElement` to use an async function, handle errors more gracefully, and redirect users to their previous path or root after authorization using the new `redirectToStoredPath` utility. [[1]](diffhunk://#diff-2ca57cfd62ecdfd35669364c2b717e3339baadff442ccf9905342785e8494909L64-R64) [[2]](diffhunk://#diff-2ca57cfd62ecdfd35669364c2b717e3339baadff442ccf9905342785e8494909R79-L98) * Replaced the use of `retrieveStoredPath` with the new `redirectToStoredPath` function for more consistent and centralized redirect behavior. [[1]](diffhunk://#diff-2ca57cfd62ecdfd35669364c2b717e3339baadff442ccf9905342785e8494909L22-R22) [[2]](diffhunk://#diff-36323b7f9234453169cd7a819341ccca9daa057fe0611d1bc092ce8743e22b01R33-R48) ### Authorization request handler enhancements * Changed the return type of `completeAuthorizationRequestIfPossible` in `AuthorizationRequestHandler` to return an `AuthorizationRequestResponse | null` instead of `void`, allowing for more informative handling of the authorization result. ### Utility function addition * Added the `redirectToStoredPath` function to centralize and standardize the logic for redirecting users after authentication, replacing previous ad-hoc implementations. ## How to test *Unwarranted redirects* 1. Log in and go to somewhere in the backoffice (does not matter where) 2. Open a new tab with middle-click (so that the window.opener is activated) 3. Check that the first tab does not redirect *Stuck on oauth_complete* 1. Log in 2. Go back in the browser so you hit the login screen 3. Log in again 4. You should now see a redirect to /oauth_complete, then to the backoffice (it may happen twice because the first try invalidates the existing session, which is expected) 5. Verify that you at no point get stuck on /oauth_complete without any response or indication

So if you’re doing something additional with your auth or something maybe report that as an issue, linking to this PR?
Also note your actual version, I am assuming 16.3.4 - if not make sure you’re up to that version at least.

kasparboelkjeldsen · November 19, 2025, 1:06pm

Sorry if it wasn’t coherent enough.

Put simply: If I boot up umbraco and open /umbraco in incognito, I will end up in the state described above.
401 challenge response correctly hit, but no redirect to /umbraco/login, so you never get prompted to log in. You are just stuck.

Actual version is 16.3.4 so latest non-preview version.

We do have our own authentication for a headless frontend running through OpenID, but having completely removed anything to do with authentication from the solution while testing, I still get the same error.

Program.cs is un-eventfull

using REDACTED.umbraco.extensions.UmbracoBuilder;
using REDACTED.umbraco.Feature.Forms.Models;
using Microsoft.ApplicationInsights.Extensibility;
using Umbraco.Cms.Api.Common.DependencyInjection;
using Umbraco.Cms.Core;
using Umbraco.Cms.Core.DeliveryApi;
using Umbraco.extensions.preview;

WebApplicationBuilder builder = WebApplication.CreateBuilder(args);

builder.Services.AddHttpContextAccessor();
builder.Services.AddControllers().AddJsonOptions(Constants.JsonOptionsNames.DeliveryApi, options => options.JsonSerializerOptions.MaxDepth = 64);
builder.Services.AddHttpClient();
builder.Services.Configure<PreviewSettings>(builder.Configuration.GetSection("PreviewSettings"));
builder.Services.Configure<JobOrderIntegrationSettings>(builder.Configuration.GetSection("JobOrderIntegrationSettings"));
var serverRole = builder.Configuration.GetValue<string>("Umbraco:SERVER_ROLE");

builder.AddApplicationInsights();

builder.CreateUmbracoBuilder()
    .AddBackOffice()
    .AddWebsite()
    .AddDeliveryApi()
    .AddComposers()
    .SetServerRegistrar(serverRole ?? "Single")
    .AddAzureBlobMediaFileSystem()
    .AddAzureBlobImageSharpCache()
    .Build();

WebApplication app = builder.Build();

var telemetryConfiguration = app.Services.GetRequiredService<TelemetryConfiguration>();

await app.BootUmbracoAsync();

app.UseUmbraco()
    .WithMiddleware(u =>
    {
        u.UseBackOffice();
        u.UseWebsite();
    })
    .WithEndpoints(u =>
    {
        u.UseBackOfficeEndpoints();
        u.UseWebsiteEndpoints();
    });

await app.RunAsync();

Other than that we do our own implementation of IRequestMemberAccessService and IApiAccessService, but as these have nothing to do with the login I won’t share the code.

– and a small update

Booting up with the standard program.cs yields the same thing.

sebastiaan · November 19, 2025, 1:15pm

Can you try 2 more out there things:

Run on Kestrel instead of IIS (just dotnet run in the website project)
Change the port number in your launchSettings.. maybe something is cached that even still applies to private windows, not sure what.. but as I said, it’s a bit out there

patrickdemooij9 · November 19, 2025, 1:18pm

I think I’ve had this issue happen, but I didn’t check if it would work if I logged in with /umbraco/login. In my case it got fixed when I added the WebRouting.UmbracoApplicationUrl & Security.BackOfficeHost. Not sure if it is the exact same issue, but might be worth a try?

sebastiaan · November 19, 2025, 1:20pm

Good memory! We did have problems before 16.3.0 which then necessitated this kind of workaround but those are fixed since 16.3.0.

Just as a sanity check @kasparboelkjeldsen I tried with a clean 16.3.4 install and the scenario works for me.

I am leaning towards something in some of your custom code, but not sure what. If you’re doing anything with custom controllers, routing, user/member attributes on those controllers.. that could be suspicious too.

kasparboelkjeldsen · November 19, 2025, 1:22pm

Same deal with Kestrel and different port.

They are set up in my appsettings.Development.json with

"WebRouting": {
    "UmbracoApplicationUrl": "https://localhost:44339/"
},
"Security": {
    "BackOfficeHost": "https://localhost:44339/"
},

And I’ve cleared -everything- from openDict in the DB as well for good measure before starting up

delete from umbracoOpenIddictApplications
delete from umbracoOpenIddictAuthorizations
delete from umbracoOpenIddictScopes
delete from umbracoOpenIddictTokens

sebastiaan · November 19, 2025, 1:25pm

Very strange.. what is that full URL in your address bar?

kasparboelkjeldsen · November 19, 2025, 2:48pm

Just returning to make sure there is an answer, because I figured it out.

I did a completely fresh umbraco install and hooked to the same database to verify it had to be solution specific.

Our grand plan was to upgrade to 16, let 17 stew for a little bit and then do the jump to 17, so the csproj is set to .net10 …

Returning to .net9 solved the error.

And setting the blank umbraco project to run with .net10 recreated the error

TLDR; We were running Umbraco 16 on .net10, and apparently that works with everything we’ve tried, except this.