
OpenIddict code_challenge error #16782

Open
ak2426 opened this issue Jul 17, 2024 · 15 comments · May be fixed by #17319

Comments

@ak2426

ak2426 commented Jul 17, 2024

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

14.1.0

Bug summary

Logging in via localhost works while logging in via host.example.com does not.

Specifics

The error message after logging into /umbraco/login is as follows:

```text
error:invalid_request
error_description:The mandatory 'code_challenge' parameter is missing.
error_uri:https://documentation.openiddict.com/errors/ID2029
```

Steps to reproduce

On a fresh install of Umbraco 14.1.0, run the following command:

```shell
dotnet run --urls "http://0.0.0.0:80"
```

Verify that logging into:

Expected result / actual result

After a successful login, I expect to land on the dashboard. Instead, I see the error message listed above.


Hi there @ak2426!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

  • We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
  • If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
  • We'll replicate the issue to ensure that the problem is as described.
  • We'll decide whether the behavior is an issue or if the behavior is intended.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂

@elit0451
Member

Hi @ak2426 👋

Thanks for reaching out! I was able to reproduce it, we will have a look 🙂

@elit0451
Member

One thing though, can you clarify why you are running dotnet run --urls "http://0.0.0.0:80" and then expecting to access http://host.example.com/umbraco/login?

@ak2426
Author

ak2426 commented Jul 17, 2024

> Hi @ak2426 👋
>
> Thanks for reaching out! I was able to reproduce it, we will have a look 🙂

Thanks!

> One thing though, can you clarify why you are running dotnet run --urls "http://0.0.0.0:80" and then expecting to access http://host.example.com/umbraco/login?

The host.example.com is just an example; you can pretend it's any hostname on the LAN. Obviously, you want a webserver to be network accessible, not just on localhost. So 0.0.0.0 will bind to all network interfaces, not just localhost.

In our current setup we have Umbraco running on 2 servers behind a load balancer (F5), which also takes care of HTTPS. We need Umbraco to be accessible in this way because F5 uses the hostname + port.

@iOvergaard
Contributor

Hi @ak2426

Looking through this, you may be hitting a few different issues.

code_challenge is missing
I haven't seen this error before, but it could happen if the authorization request didn't come from the backoffice, i.e. if you went directly to the login screen on /umbraco/login and tried to log in. The Backoffice client needs to form a correct handshake in its local storage before attempting a login due to the PKCE addition to OpenId. Therefore if you access /umbraco first, it can form the correct code challenge for the login screen.

Are you still seeing the error if you do that?

Accessing Umbraco from another host
Umbraco stores the first request it gets as its application URL. It then takes that information and marks that host as an allowed redirect URL in the login provider. From the looks of it, you are not hitting this error specifically, but it may be worth it for you to specifically set your backoffice host URL in appsettings.json. You can do it like this:

```json
{
  "Umbraco": {
    "CMS": {
       "Security": {
         "BackOfficeHost": "http://host.example.com"
       }
    [the rest]
  }
}
```

This might help alleviate any confusion running Umbraco in a place where it can't see its real host, for example in a Docker environment.

@ak2426
Author

ak2426 commented Jul 19, 2024

Hi @iOvergaard, unfortunately neither suggestion fixed the problem. In fact, navigating to http://localhost and clicking "Open Umbraco" now gives a new error:

```text
error:invalid_request
error_description:The specified 'redirect_uri' is not valid for this client application.
error_uri:https://documentation.openiddict.com/errors/ID2043
```

@iOvergaard
Contributor

@ak2426 The BackOfficeHost parameter must match the one you are accessing Umbraco from. However, Umbraco should be able to resolve any relative requests, so there might be something we need to look into.

Another note, if you want to use regular HTTP, you need to ensure the UseHttps option is false (see more here #16614).

@IbrahimMNada
Contributor

Any update on this?
I have put this

```json
"BackOfficeHost": "http://host.example.com"
```

and set this to false: UseHttps

It did not work.

I think (think) it has something to do with cross-site cookies over HTTP.

@miflun

miflun commented Jul 31, 2024

Had the same issue; I simply switched to HTTPS in my IIS and it worked.
My domain was working on http://localhost:65322, however when I tried on http://mywebsite.local I was getting the error "The mandatory 'code_challenge' parameter is missing".
I used the SSL certificate 'IIS Express Development Certificate'. I believe this certificate was created through the dotnet command:

```shell
dotnet dev-certs https --trust
```

@NileshMasterly

NileshMasterly commented Aug 8, 2024

Had the same issue; I tried all the above solutions, but none of them worked.
The published build worked on my device (IIS), but did not work on the other server.

@IbrahimMNada
Contributor

Any update on this?

@NileshMasterly

NileshMasterly commented Sep 3, 2024

Update the web.config as shown below; it worked for me.

```xml
<system.webServer>
    <rewrite>
        <rules>
            <!-- Redirect plain-HTTP requests to HTTPS, except paths matching /umbraco
                 (the negated REQUEST_URI condition excludes them). -->
            <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                <match url="(.*)" />
                <conditions>
                    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    <add input="{REQUEST_URI}" pattern="^.*/umbraco" negate="true" />
                </conditions>
                <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
            </rule>
        </rules>
    </rewrite>

    <modules runAllManagedModulesForAllRequests="false">
        <remove name="WebDAVModule" />
    </modules>

    <httpProtocol>
        <customHeaders>
            <clear />
            <!-- Header name had a trailing space in the original, which IIS would emit
                 as part of the name; corrected here. -->
            <add name="Access-Control-Expose-Headers" value="WWW-Authenticate"/>
            <!-- A wildcard origin is broader than the backoffice needs; restrict it to the
                 backoffice host where possible. -->
            <add name="Access-Control-Allow-Origin" value="*" />
            <add name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS, PUT, PATCH, DELETE" />
            <add name="Access-Control-Allow-Headers" value="accept, authorization, Content-Type" />
            <remove name="X-Powered-By" />
        </customHeaders>
    </httpProtocol>
    <security>
        <requestFiltering>
            <!-- 500 MB upload limit -->
            <requestLimits maxAllowedContentLength="524288000"/>
        </requestFiltering>
    </security>
</system.webServer>
```

@peteringemann

I am getting this error too.
Upgraded from working 13.x to 14.latest.
I use the hosts file to redirect to 127.0.0.1 when debugging.
I only run HTTP. None of the above suggestions work.

@IbrahimMNada
Contributor

After some debugging, the issue results from PKCE when developing on a non-HTTPS server.

So the fix for this would simply be: if the configuration UseHttps is set to false, we should not call the extension method
RequireProofKeyForCodeExchange() in ConfigureOpenIddict ==> AddUmbracoOpenIddict.

@IbrahimMNada IbrahimMNada linked a pull request Oct 20, 2024 that will close this issue
@IbrahimMNada
Contributor

Please take a look at this PR

#17319

hope you approve and merge it soon x)
