From 976146b46ed09cc80909e7189f438fd30ce2959c Mon Sep 17 00:00:00 2001
From: Bjarke Berg
Date: Mon, 29 Apr 2024 11:54:39 +0200
Subject: [PATCH] Persist claims from OnExternalLogin event (#16180)

* This fix ensures the claims added doing OnExternalLogin is persisted in the OpenIddict tokens
* Update comment
* Tiniest bit of formatting

---------

Co-authored-by: kjac
---
 .../Security/BackOfficeController.cs | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Security/BackOfficeController.cs b/src/Umbraco.Cms.Api.Management/Controllers/Security/BackOfficeController.cs
index a4f466e58c..e49b13af30 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Security/BackOfficeController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Security/BackOfficeController.cs
@@ -374,12 +374,9 @@ public class BackOfficeController : SecurityControllerBase
 // Update any authentication tokens if succeeded
 await _backOfficeSignInManager.UpdateExternalAuthenticationTokensAsync(loginInfo);
 
- // sign in the backoffice user associated with the login provider and unique provider id
- BackOfficeIdentityUser? backOfficeUser = await _backOfficeUserManager.FindByLoginAsync(loginInfo.LoginProvider, loginInfo.ProviderKey);
- if (backOfficeUser != null)
- {
- return await SignInBackOfficeUser(backOfficeUser, request);
- }
+ // sign in the backoffice user from the HttpContext, as thas was set doing the ExternalLoginSignInAsync
+ ClaimsPrincipal backOfficePrincipal = HttpContext.User;
+ return await SignInBackOfficeUser(backOfficePrincipal, request);
 }
 else
 {
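Review bot: The removed `backOfficeUser != null` guard has no replacement: the new line `return await SignInBackOfficeUser(backOfficePrincipal, request);` issues an OpenIddict sign-in for `HttpContext.User` unconditionally, and whether `ExternalLoginSignInAsync` actually replaced `HttpContext.User` with the backoffice principal depends on the sign-in manager implementation, which is outside this hunk. If it did not, the principal already attached to the request (possibly unauthenticated) would be the one signed in. A cheap check before the call would be `if (backOfficePrincipal.Identity is not { IsAuthenticated: true }) { return DefaultChallengeResult(); }`, or whatever failure path the surrounding method uses. The comment should also read `// sign in the backoffice user from the HttpContext, as that was set during ExternalLoginSignInAsync`. The enclosing method begins and ends outside the hunk.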
@@ -392,10 +389,8 @@ public class BackOfficeController : SecurityControllerBase
 return new ChallengeResult(provider, properties);
 }
 
- private async Task SignInBackOfficeUser(BackOfficeIdentityUser backOfficeUser, OpenIddictRequest request)
+ private async Task SignInBackOfficeUser(ClaimsPrincipal backOfficePrincipal, OpenIddictRequest request)
 {
- ClaimsPrincipal backOfficePrincipal = await _backOfficeSignInManager.CreateUserPrincipalAsync(backOfficeUser);
-
 Claim[] backOfficeClaims = backOfficePrincipal.Claims.ToArray();
 foreach (Claim backOfficeClaim in backOfficeClaims)
 {
@@ -411,5 +406,12 @@ public class BackOfficeController : SecurityControllerBase
 return new SignInResult(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme, backOfficePrincipal);
 }
 
+ private async Task SignInBackOfficeUser(BackOfficeIdentityUser backOfficeUser, OpenIddictRequest request)
+ {
+ ClaimsPrincipal backOfficePrincipal = await _backOfficeSignInManager.CreateUserPrincipalAsync(backOfficeUser);
+
+ return await SignInBackOfficeUser(backOfficePrincipal, request);
+ }
+
 private static IActionResult DefaultChallengeResult() => new ChallengeResult(Constants.Security.BackOfficeAuthenticationType);
 }
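Review bot: The `ClaimsPrincipal` overload of `SignInBackOfficeUser` is now the point where a caller-supplied principal becomes an OpenIddict `SignInResult`, yet nothing states what it expects of that principal; a `/// <summary>` saying that the caller must pass the authenticated backoffice principal and that its claims are handed to the OpenIddict sign-in as-is would make the contract explicit. The same documentation gap applies to the `BackOfficeIdentityUser` overload added in the `@@ -411,5 +406,12` hunk, whose summary should say it builds the principal with `_backOfficeSignInManager.CreateUserPrincipalAsync` and delegates. The claim loop body and the end of the `ClaimsPrincipal` overload lie outside this hunk; the only visible `await` in it was removed, so if none remains the `async` modifier can be dropped and the result wrapped with `Task.FromResult`.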