
Fix issue with autolinking external accounts. User should be automatically approved during autolink steps.

Open · d-gibbs opened this pull request 2 years ago · 1 comment

Prerequisites

  • [x] I have added steps to test this contribution in the description below

This PR fixes: https://github.com/umbraco/Umbraco-CMS/issues/12670

Description

There is an issue when using the 'auto-linking' feature for external accounts. https://our.umbraco.com/documentation/reference/security/auto-linking/

Newly linked accounts are created in an unapproved state, e.g. IsApproved = false, so they will hit 401 errors when redirected back to Umbraco from the configured external login provider.


I believe accounts created through the autolinking process should be created with the IsApproved flag set to true.

My proposed change is simply adding this check to Umbraco.Cms.Web.BackOffice.Security.BackOfficeSignInManager:

// Enable the user if not approved - user cannot sign in otherwise.
if (!autoLinkUser.IsApproved)
{
    autoLinkUser.IsApproved = true;
}

Just after the call to BackOfficeIdentityUser.CreateNew. https://github.com/umbraco/Umbraco-CMS/blob/c0c9c50e2110a88afab800abbf0e4a6b6a08c62d/src/Umbraco.Web.BackOffice/Security/BackOfficeSignInManager.cs#L235

Testing

You can test these changes by configuring an external login provider, e.g. Microsoft.AspNetCore.Authentication.OpenIdConnect and following the documentation for setting up autolinking, found here: https://our.umbraco.com/documentation/reference/security/auto-linking/

As an aside, the documentation around autolinking could also be updated to reflect the proper name and role claim type mappings, e.g.:

 // map claims
 options.TokenValidationParameters.NameClaimType = "name";
 options.TokenValidationParameters.RoleClaimType = "role";

Should actually be:

 // map claims
 options.TokenValidationParameters.NameClaimType = ClaimTypes.Name;
 options.TokenValidationParameters.RoleClaimType = ClaimTypes.Role;

As the example given is for OpenIdConnect, the provider won't know how to find the name or role claims using those dummy values; this caught me and others out.

d-gibbs avatar Aug 05 '22 19:08 d-gibbs
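The configuration the PR description refers to, as an added example that is not part of the pull request or of Umbraco's own code: it wires an OpenIdConnect back-office login with autolinking, uses the ClaimTypes.Name/ClaimTypes.Role mapping the author recommends, and approves the auto-linked user from the site's own configuration until the core change lands. It assumes Umbraco's BackOfficeExternalLoginProviderOptions, ExternalSignInAutoLinkOptions with an OnAutoLinking callback, and BackOfficeAuthenticationBuilder.SchemeForBackOffice exist with the shapes used here; the scheme name, authority and client id are placeholders.

```csharp
using System.Security.Claims;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Web.BackOffice.Security;
using Umbraco.Extensions;

// Assumed API (not from the PR): named options for a back-office external login provider.
public class OidcBackOfficeLoginOptions : IConfigureNamedOptions<BackOfficeExternalLoginProviderOptions>
{
    public const string SchemeName = "OpenIdConnect"; // placeholder scheme name

    public void Configure(string? name, BackOfficeExternalLoginProviderOptions options)
    {
        // Only touch the options registered for this scheme.
        if (name != BackOfficeAuthenticationBuilder.SchemeForBackOffice(SchemeName)) return;
        Configure(options);
    }

    public void Configure(BackOfficeExternalLoginProviderOptions options)
    {
        options.AutoLinkOptions = new ExternalSignInAutoLinkOptions(
            autoLinkExternalAccount: true,
            defaultUserGroups: new[] { "editor" }, // least privilege: never auto-link into admin
            defaultCulture: null,
            allowManualLinking: true)
        {
            // Mirrors the PR's fix: an unapproved user cannot sign in and gets a 401,
            // so approve the account at the moment it is auto-linked.
            OnAutoLinking = (autoLinkUser, loginInfo) => { autoLinkUser.IsApproved = true; },
        };
    }
}

public static class OidcBackOfficeLoginExtensions
{
    public static IUmbracoBuilder AddOidcBackOfficeLogin(this IUmbracoBuilder builder)
    {
        builder.Services.ConfigureOptions<OidcBackOfficeLoginOptions>();
        builder.AddBackOfficeExternalLogins(logins => logins.AddBackOfficeLogin(auth =>
            auth.AddOpenIdConnect(
                BackOfficeAuthenticationBuilder.SchemeForBackOffice(OidcBackOfficeLoginOptions.SchemeName),
                options =>
                {
                    options.Authority = "https://login.example.test"; // placeholder
                    options.ClientId = "<client-id>";                 // placeholder
                    // Real claim type URIs, as the PR notes; "name"/"role" strings are not matched.
                    options.TokenValidationParameters.NameClaimType = ClaimTypes.Name;
                    options.TokenValidationParameters.RoleClaimType = ClaimTypes.Role;
                })));
        return builder;
    }
}
```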

Hi there @d-gibbs, thank you for this contribution! 👍

While we wait for one of the Core Collaborators team to have a look at your work, we wanted to let you know that we have a checklist for some of the things we will consider during review:

  • It's clear what problem this is solving, there's a connected issue or a description of what the changes do and how to test them
  • The automated tests all pass (see "Checks" tab on this PR)
  • The level of security for this contribution is the same or improved
  • The level of performance for this contribution is the same or improved
  • Avoids creating breaking changes; note that behavioral changes might also be perceived as breaking
  • If this is a new feature, Umbraco HQ provided guidance on the implementation beforehand
  • [x] 💡 The contribution looks original and the contributor is presumably allowed to share it

Don't worry if you got something wrong. We like to think of a pull request as the start of a conversation, we're happy to provide guidance on improving your contribution.

If you realize that you might want to make some changes then you can do that by adding new commits to the branch you created for this work and pushing new commits. They should then automatically show up as updates to this pull request.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂

github-actions[bot] avatar Aug 05 '22 19:08 github-actions[bot]

Hi @d-gibbs.

I think your use case makes perfect sense, but I think we should add it as an option on ExternalSignInAutoLinkOptions.

bergmania avatar May 25 '23 09:05 bergmania

Hey there @d-gibbs! It's been a while since we've heard from you. We'd love to keep going on this one but it seems like it doesn't fit in for you at the moment. In order to keep things tidy, we'll close this one for now. Please let us know when you can get back to it, we can either resurrect this PR or go for an attempt number 2! Thanks again for all your work on this and we hope to hear from you soon! 🙌

nul800sebastiaan avatar Jul 31 '23 20:07 nul800sebastiaan