diff --git a/src/Umbraco.Web.UI/Umbraco/Views/AuthorizeUpgrade.cshtml b/src/Umbraco.Web.UI/Umbraco/Views/AuthorizeUpgrade.cshtml
index ac0b453bdb..dcad153fce 100644
--- a/src/Umbraco.Web.UI/Umbraco/Views/AuthorizeUpgrade.cshtml
+++ b/src/Umbraco.Web.UI/Umbraco/Views/AuthorizeUpgrade.cshtml
@@ -51,7 +51,15 @@
 
     <umb-notifications></umb-notifications>
 
-    @Html.BareMinimumServerVariables(Url, (string)ViewBag.UmbracoPath)
+    @{
+        var externalLoginUrl = Url.Action("ExternalLogin", "BackOffice", new
+        {
+            area = ViewBag.UmbracoPath, 
+            //Custom redirect URL since we don't want to just redirect to the back office since this is for authing upgrades
+            redirectUrl = Url.Action("AuthorizeUpgrade", "BackOffice")
+        });
+    }
+    @Html.BareMinimumServerVariables(Url, externalLoginUrl)
 
     @Html.AngularExternalLoginInfoValues((IEnumerable<string>)ViewBag.ExternalSignInError)
 
diff --git a/src/Umbraco.Web.UI/umbraco/Views/Default.cshtml b/src/Umbraco.Web.UI/umbraco/Views/Default.cshtml
index a0c6bd225e..63a8688301 100644
--- a/src/Umbraco.Web.UI/umbraco/Views/Default.cshtml
+++ b/src/Umbraco.Web.UI/umbraco/Views/Default.cshtml
@@ -66,7 +66,7 @@
 
     <umb-notifications></umb-notifications>
 
-    @Html.BareMinimumServerVariables(Url, (string)ViewBag.UmbracoPath)
+    @Html.BareMinimumServerVariables(Url, Url.Action("ExternalLogin", "BackOffice", new { area = ViewBag.UmbracoPath }))
 
     @Html.AngularExternalLoginInfoValues((IEnumerable<string>)ViewBag.ExternalSignInError)
     
diff --git a/src/Umbraco.Web/Editors/BackOfficeController.cs b/src/Umbraco.Web/Editors/BackOfficeController.cs
index fe60eb647e..0313dd868f 100644
--- a/src/Umbraco.Web/Editors/BackOfficeController.cs
+++ b/src/Umbraco.Web/Editors/BackOfficeController.cs
@@ -63,27 +63,9 @@ namespace Umbraco.Web.Editors
         /// <returns></returns>
         public async Task<ActionResult> Default()
         {
-            ViewBag.UmbracoPath = GlobalSettings.UmbracoMvcArea;
-
-            //check if there's errors in the TempData, assign to view bag and render the view
-            if (TempData["ExternalSignInError"] != null)
-            {
-                ViewBag.ExternalSignInError = TempData["ExternalSignInError"];
-                return View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/Default.cshtml");
-            }
-
-            //First check if there's external login info, if there's not proceed as normal
-            var loginInfo = await OwinContext.Authentication.GetExternalLoginInfoAsync(
-                Core.Constants.Security.BackOfficeExternalAuthenticationType);
-
-            if (loginInfo == null)
-            {
-                return View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/Default.cshtml");
-            }
-
-            //we're just logging in with an external source, not linking accounts
-            return await ExternalSignInAsync(loginInfo);
-
+            return await RenderDefaultOrProcessExternalLoginAsync(
+                () => View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/Default.cshtml"),
+                () => View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/Default.cshtml"));
         }
 
         /// <summary>
@@ -92,11 +74,13 @@ namespace Umbraco.Web.Editors
         /// </summary>
         /// <returns></returns>      
         [HttpGet]
-        public ActionResult AuthorizeUpgrade()
+        public async Task<ActionResult> AuthorizeUpgrade()
         {
-            ViewBag.UmbracoPath = GlobalSettings.UmbracoMvcArea;
-
-            return View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/AuthorizeUpgrade.cshtml");
+            return await RenderDefaultOrProcessExternalLoginAsync(
+                //The default view to render when there is no external login info or errors
+                () => View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/AuthorizeUpgrade.cshtml"),
+                //The ActionResult to perform if external login is successful
+                () => Redirect("/"));
         }
 
         /// <summary>
@@ -422,11 +406,15 @@ namespace Umbraco.Web.Editors
         }
         
         [HttpPost]
-        public ActionResult ExternalLogin(string provider)
+        public ActionResult ExternalLogin(string provider, string redirectUrl = null)
         {
+            if (redirectUrl == null)
+            {
+                redirectUrl = Url.Action("Default", "BackOffice");
+            }
+
             // Request a redirect to the external login provider
-            return new ChallengeResult(provider,
-                Url.Action("Default", "BackOffice"));
+            return new ChallengeResult(provider, redirectUrl);
         }
 
         [UmbracoAuthorize]
@@ -466,9 +454,42 @@ namespace Umbraco.Web.Editors
             return RedirectToLocal(Url.Action("Default", "BackOffice"));
         }
 
-        private async Task<ActionResult> ExternalSignInAsync(ExternalLoginInfo loginInfo)
+        /// <summary>
+        /// Used by Default and AuthorizeUpgrade to render as per normal if there's no external login info, otherwise
+        /// process the external login info.
+        /// </summary>
+        /// <returns></returns>
+        private async Task<ActionResult> RenderDefaultOrProcessExternalLoginAsync(Func<ActionResult> defaultResponse, Func<ActionResult> externalSignInResponse)
+        {
+            if (defaultResponse == null) throw new ArgumentNullException("defaultResponse");
+            if (externalSignInResponse == null) throw new ArgumentNullException("externalSignInResponse");
+
+            ViewBag.UmbracoPath = GlobalSettings.UmbracoMvcArea;
+
+            //check if there's errors in the TempData, assign to view bag and render the view
+            if (TempData["ExternalSignInError"] != null)
+            {
+                ViewBag.ExternalSignInError = TempData["ExternalSignInError"];
+                return defaultResponse();
+            }
+
+            //First check if there's external login info, if there's not proceed as normal
+            var loginInfo = await OwinContext.Authentication.GetExternalLoginInfoAsync(
+                Core.Constants.Security.BackOfficeExternalAuthenticationType);
+
+            if (loginInfo == null)
+            {
+                return defaultResponse();
+            }
+
+            //we're just logging in with an external source, not linking accounts
+            return await ExternalSignInAsync(loginInfo, externalSignInResponse);
+        }
+
+        private async Task<ActionResult> ExternalSignInAsync(ExternalLoginInfo loginInfo, Func<ActionResult> response)
         {
             if (loginInfo == null) throw new ArgumentNullException("loginInfo");
+            if (response == null) throw new ArgumentNullException("response");
 
             // Sign in the user with this external login provider if the user already has a login
             var user = await UserManager.FindAsync(loginInfo.Login);
@@ -493,8 +514,8 @@ namespace Umbraco.Web.Editors
                     Response.Cookies[Core.Constants.Security.BackOfficeExternalCookieName].Expires = DateTime.MinValue;    
                 }
             }
-            
-            return View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/Default.cshtml");
+
+            return response();
         }
 
         private async Task SignInAsync(BackOfficeIdentityUser user, bool isPersistent)
diff --git a/src/Umbraco.Web/HtmlHelperBackOfficeExtensions.cs b/src/Umbraco.Web/HtmlHelperBackOfficeExtensions.cs
index dbb79443d9..e43cd21a0e 100644
--- a/src/Umbraco.Web/HtmlHelperBackOfficeExtensions.cs
+++ b/src/Umbraco.Web/HtmlHelperBackOfficeExtensions.cs
@@ -19,13 +19,16 @@ namespace Umbraco.Web
         /// </summary>
         /// <param name="html"></param>
         /// <param name="uri"></param>
-        /// <param name="umbracoPath"></param>
+        /// <param name="externalLoginsUrl">
+        /// The post url used to sign in with external logins - this can change depending on for what service the external login is service.
+        /// Example: normal back office login or authenticating upgrade login
+        /// </param>
         /// <returns></returns>
         /// <remarks>
         /// These are the bare minimal server variables that are required for the application to start without being authenticated,
         /// we will load the rest of the server vars after the user is authenticated.
         /// </remarks>
-        public static IHtmlString BareMinimumServerVariables(this HtmlHelper html, UrlHelper uri, string umbracoPath)
+        public static IHtmlString BareMinimumServerVariables(this HtmlHelper html, UrlHelper uri, string externalLoginsUrl)
         {
             var str = @"<script type=""text/javascript"">
                 var Umbraco = {};
@@ -34,7 +37,7 @@ namespace Umbraco.Web
                     ""umbracoUrls"": {
                         ""authenticationApiBaseUrl"": """ + uri.GetUmbracoApiServiceBaseUrl<AuthenticationController>(controller => controller.PostLogin(null)) + @""",
                         ""serverVarsJs"": """ + uri.GetUrlWithCacheBust("ServerVariables", "BackOffice") + @""",
-                        ""externalLoginsUrl"": """ + uri.Action("ExternalLogin", "BackOffice", new {area = umbracoPath}) + @"""
+                        ""externalLoginsUrl"": """ + externalLoginsUrl + @"""
                     },
                     ""application"": {
                         ""applicationPath"": """ + html.ViewContext.HttpContext.Request.ApplicationPath + @"""
diff --git a/src/Umbraco.Web/Security/Identity/AuthenticationDescriptionOptionsExtensions.cs b/src/Umbraco.Web/Security/Identity/AuthenticationDescriptionOptionsExtensions.cs
deleted file mode 100644
index 47ad1b4310..0000000000
--- a/src/Umbraco.Web/Security/Identity/AuthenticationDescriptionOptionsExtensions.cs
+++ /dev/null
@@ -1,31 +0,0 @@
-using Microsoft.Owin.Security;
-using Umbraco.Core;
-
-namespace Umbraco.Web.Security.Identity
-{
-    public static class AuthenticationDescriptionOptionsExtensions
-    {
-        /// <summary>
-        /// Configures the properties of the authentication description instance for use with Umbraco back office
-        /// </summary>
-        /// <param name="options"></param>
-        /// <param name="style"></param>
-        /// <param name="icon"></param>
-        public static void ForUmbracoBackOffice(this AuthenticationOptions options, string style, string icon)
-        {
-            Mandate.ParameterNotNullOrEmpty(options.AuthenticationType, "options.AuthenticationType");
-
-            //Ensure the prefix is set
-            if (options.AuthenticationType.StartsWith(Constants.Security.BackOfficeExternalAuthenticationTypePrefix) == false)
-            {
-                options.AuthenticationType = Constants.Security.BackOfficeExternalAuthenticationTypePrefix + options.AuthenticationType;    
-            }
-
-            options.Description.Properties["SocialStyle"] = style;
-            options.Description.Properties["SocialIcon"] = icon;
-
-            //flag for use in back office
-            options.Description.Properties["UmbracoBackOffice"] = true;
-        }
-    }
-}
\ No newline at end of file
diff --git a/src/Umbraco.Web/Security/Identity/AuthenticationOptionsExtensions.cs b/src/Umbraco.Web/Security/Identity/AuthenticationOptionsExtensions.cs
new file mode 100644
index 0000000000..43b995bb06
--- /dev/null
+++ b/src/Umbraco.Web/Security/Identity/AuthenticationOptionsExtensions.cs
@@ -0,0 +1,67 @@
+using Microsoft.Owin;
+using Microsoft.Owin.Security;
+using Umbraco.Core;
+using Umbraco.Core.Logging;
+
+namespace Umbraco.Web.Security.Identity
+{
+    public static class AuthenticationOptionsExtensions
+    {
+        /// <summary>
+        /// Configures the properties of the authentication description instance for use with Umbraco back office
+        /// </summary>
+        /// <param name="options"></param>
+        /// <param name="style"></param>
+        /// <param name="icon"></param>
+        /// <param name="callbackPath">
+        /// This is important if the identity provider is to be able to authenticate when upgrading Umbraco. We will try to extract this from
+        /// any options passed in via reflection since none of the default OWIN providers inherit from a base class but so far all of them have a consistent
+        /// name for the 'CallbackPath' property which is of type PathString. So we'll try to extract it if it's not found or supplied.
+        /// 
+        /// If a value is extracted or supplied, this will be added to an internal list which the UmbracoModule will use to allow the request to pass
+        /// through without redirecting to the installer.
+        /// </param>
+        public static void ForUmbracoBackOffice(this AuthenticationOptions options, string style, string icon, string callbackPath = null)
+        {
+            Mandate.ParameterNotNullOrEmpty(options.AuthenticationType, "options.AuthenticationType");
+
+            //Ensure the prefix is set
+            if (options.AuthenticationType.StartsWith(Constants.Security.BackOfficeExternalAuthenticationTypePrefix) == false)
+            {
+                options.AuthenticationType = Constants.Security.BackOfficeExternalAuthenticationTypePrefix + options.AuthenticationType;    
+            }
+
+            options.Description.Properties["SocialStyle"] = style;
+            options.Description.Properties["SocialIcon"] = icon;
+
+            //flag for use in back office
+            options.Description.Properties["UmbracoBackOffice"] = true;
+
+            if (callbackPath.IsNullOrWhiteSpace())
+            {
+                try
+                {
+                    //try to get it with reflection
+                    var prop = options.GetType().GetProperty("CallbackPath");
+                    if (prop != null && TypeHelper.IsTypeAssignableFrom<PathString>(prop.PropertyType))
+                    {
+                        //get the value
+                        var path = (PathString) prop.GetValue(options);
+                        if (path.HasValue)
+                        {
+                            UmbracoModule.ReservedPaths.TryAdd(path.ToString());
+                        }
+                    }
+                }
+                catch (System.Exception ex)
+                {
+                    LogHelper.Error(typeof (AuthenticationOptionsExtensions), "Could not read AuthenticationOptions properties", ex);
+                }
+            }
+            else
+            {
+                UmbracoModule.ReservedPaths.TryAdd(callbackPath);
+            }
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj
index d0e5493474..ffaec48edd 100644
--- a/src/Umbraco.Web/Umbraco.Web.csproj
+++ b/src/Umbraco.Web/Umbraco.Web.csproj
@@ -558,7 +558,7 @@
     <Compile Include="Scheduling\ILatchedBackgroundTask.cs" />
     <Compile Include="Scheduling\RecurringTaskBase.cs" />
     <Compile Include="Security\Identity\AppBuilderExtensions.cs" />
-    <Compile Include="Security\Identity\AuthenticationDescriptionOptionsExtensions.cs" />
+    <Compile Include="Security\Identity\AuthenticationOptionsExtensions.cs" />
     <Compile Include="Security\Identity\AuthenticationManagerExtensions.cs" />
     <Compile Include="Security\Identity\BackOfficeCookieManager.cs" />
     <Compile Include="Security\Identity\FormsAuthenticationSecureDataFormat.cs" />
diff --git a/src/Umbraco.Web/UmbracoModule.cs b/src/Umbraco.Web/UmbracoModule.cs
index 772573d164..1142775be6 100644
--- a/src/Umbraco.Web/UmbracoModule.cs
+++ b/src/Umbraco.Web/UmbracoModule.cs
@@ -1,5 +1,6 @@
 using System;
 using System.Collections;
+using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
@@ -31,8 +32,7 @@ namespace Umbraco.Web
 	//  Request.RawUrl is still there
 	// response.Redirect does?! always remap to /vdir?!
 
-	public class 
-        UmbracoModule : IHttpModule
+	public class UmbracoModule : IHttpModule
 	{
 		#region HttpModule event handlers
 
@@ -277,7 +277,7 @@ namespace Umbraco.Web
 		/// <param name="httpContext"></param>
 		/// <param name="uri"></param>
 		/// <returns></returns>
-		static bool EnsureDocumentRequest(HttpContextBase httpContext, Uri uri)
+		bool EnsureDocumentRequest(HttpContextBase httpContext, Uri uri)
 		{
 			var maybeDoc = true;
 			var lpath = uri.AbsolutePath.ToLowerInvariant();
@@ -311,7 +311,7 @@ namespace Umbraco.Web
 			// at that point, either we have no extension, or it is .aspx
 
 			// if the path is reserved then it cannot be a document request
-			if (maybeDoc && GlobalSettings.IsReservedPathOrUrl(lpath, httpContext, RouteTable.Routes))
+            if (maybeDoc && GlobalSettings.IsReservedPathOrUrl(lpath, httpContext, _combinedRouteCollection.Value))
 				maybeDoc = false;
 
 			//NOTE: No need to warn, plus if we do we should log the document, as this message doesn't really tell us anything :)
@@ -612,5 +612,42 @@ namespace Umbraco.Web
                 EndRequest(this, args);
         } 
         #endregion
+
+
+        /// <summary>
+        /// This is used to be passed into the GlobalSettings.IsReservedPathOrUrl and will include some 'fake' routes
+        /// used to determine if a path is reserved.
+        /// </summary>
+        /// <remarks>
+        /// This is basically used to reserve paths dynamically
+        /// </remarks>
+        private readonly Lazy<RouteCollection> _combinedRouteCollection = new Lazy<RouteCollection>(() =>
+        {
+            var allRoutes = new RouteCollection();
+            foreach (var route in RouteTable.Routes)
+            {
+                allRoutes.Add(route);
+            }
+            foreach (var reservedPath in ReservedPaths)
+            {
+                try
+                {
+                    allRoutes.Add("_umbreserved_" + reservedPath.ReplaceNonAlphanumericChars(""),
+                                new Route(reservedPath.TrimStart('/'), new StopRoutingHandler()));
+                }
+                catch (Exception ex)
+                {
+                    LogHelper.Error<UmbracoModule>("Could not add reserved path route", ex);
+                }
+            }
+
+            return allRoutes;
+        }); 
+
+        /// <summary>
+        /// This is used internally to track any registered callback paths for Identity providers. If the request path matches
+        /// any of the registered paths, then the module will let the request keep executing
+        /// </summary>
+        internal static readonly ConcurrentHashSet<string> ReservedPaths = new ConcurrentHashSet<string>();
 	}
 }