From 8aba9527cbc9725739534f8d70136c0d85c24724 Mon Sep 17 00:00:00 2001 From: kjac Date: Mon, 24 Nov 2025 15:22:45 +0100 Subject: [PATCH 1/3] Add documentation for backoffice authentication updates --- .../setup/upgrading/version-specific/README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/17/umbraco-cms/fundamentals/setup/upgrading/version-specific/README.md b/17/umbraco-cms/fundamentals/setup/upgrading/version-specific/README.md index 165e29e52a5..4b9385ae2cb 100644 --- a/17/umbraco-cms/fundamentals/setup/upgrading/version-specific/README.md +++ b/17/umbraco-cms/fundamentals/setup/upgrading/version-specific/README.md @@ -174,6 +174,18 @@ The default value of the `UseHttps` configuration in [Global Settings](../../../ If you _need_ to run Umbraco without HTTPS, make sure to update `appsettings.json` accordingly. +**Authentication for the backoffice client** + +Following [this draft RFC from IETF](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps), the backoffice client authentication has been changed to tighten security. + +This change _only_ affects the backoffice client authentication against the Management API. API user authentication against the Management API remains unaffected, as does the Delivery API. + +This change _might_ affect custom backoffice extensions that interact with the Management API. All fetch requests to the Management API must include credentials by declaring `credentials: 'include'`. + +By default, backoffice extensions built using the HQ package starter template are not affected. + +For more details on this update see the following PRs: [#20779](https://github.com/umbraco/Umbraco-CMS/pull/20779) and [#20820](https://github.com/umbraco/Umbraco-CMS/pull/20820). + **Updated dependencies** As is usual for a major upgrade, Umbraco’s dependencies have been updated to their latest compatible versions. From 668c83d7f714ed54f68b97f85aad6cd1275400cd Mon Sep 17 00:00:00 2001 
From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com> Date: Tue, 25 Nov 2025 09:59:06 +0100 Subject: [PATCH 2/3] Apply suggestions --- .../fundamentals/setup/upgrading/version-specific/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/17/umbraco-cms/fundamentals/setup/upgrading/version-specific/README.md b/17/umbraco-cms/fundamentals/setup/upgrading/version-specific/README.md index 4b9385ae2cb..353cdbd278d 100644 --- a/17/umbraco-cms/fundamentals/setup/upgrading/version-specific/README.md +++ b/17/umbraco-cms/fundamentals/setup/upgrading/version-specific/README.md 
@@ -176,15 +176,15 @@ If you _need_ to run Umbraco without HTTPS, make sure to update `appsettings.jso **Authentication for the backoffice client** -Following [this draft RFC from IETF](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps), the backoffice client authentication has been changed to tighten security. +Following this draft [Request for Comments (RFC) from the Internet Engineering Task Force (IETF)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps), the backoffice client authentication has been changed to tighten security. -This change _only_ affects the backoffice client authentication against the Management API. API user authentication against the Management API remains unaffected, as does the Delivery API. +This change affects _only_ the backoffice client authentication against the Management API. API user authentication against the Management API remains unaffected, as does the Delivery API. This change _might_ affect custom backoffice extensions that interact with the Management API. All fetch requests to the Management API must include credentials by declaring `credentials: 'include'`. By default, backoffice extensions built using the HQ package starter template are not affected. -For more details on this update see the following PRs: [#20779](https://github.com/umbraco/Umbraco-CMS/pull/20779) and [#20820](https://github.com/umbraco/Umbraco-CMS/pull/20820). +For more details on this update, see the following PRs: [#20779](https://github.com/umbraco/Umbraco-CMS/pull/20779) and [#20820](https://github.com/umbraco/Umbraco-CMS/pull/20820). **Updated dependencies** From 7157c96b878beffcf560d29212116dce659bad51 Mon Sep 17 00:00:00 2001 From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com> Date: Tue, 25 Nov 2025 09:59:39 +0100 Subject: [PATCH 3/3] Apply suggestion --- .../fundamentals/setup/upgrading/version-specific/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/17/umbraco-cms/fundamentals/setup/upgrading/version-specific/README.md b/17/umbraco-cms/fundamentals/setup/upgrading/version-specific/README.md index 353cdbd278d..b94dacab2ae 100644 --- a/17/umbraco-cms/fundamentals/setup/upgrading/version-specific/README.md +++ b/17/umbraco-cms/fundamentals/setup/upgrading/version-specific/README.md @@ -176,7 +176,7 @@ If you _need_ to run Umbraco without HTTPS, make sure to update `appsettings.jso **Authentication for the backoffice client** -Following this draft [Request for Comments (RFC) from the Internet Engineering Task Force (IETF)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps), the backoffice client authentication has been changed to tighten security. +Following the draft [Request for Comments (RFC) from the Internet Engineering Task Force (IETF)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps), the backoffice client authentication has been changed to tighten security. This change affects _only_ the backoffice client authentication against the Management API. API user authentication against the Management API remains unaffected, as does the Delivery API.
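Review bot: In PATCH 1/3, the added paragraph "This change _might_ affect custom backoffice extensions that interact with the Management API" tells extension authors to declare `credentials: 'include'`, but the section never says what the backoffice client now authenticates with (only "changed to tighten security") or how an unadapted extension fails. Add one sentence stating what the client now sends with each Management API request and the symptom an author will see, so they can tell whether they are affected without reading the PRs. Because `credentials: 'include'` makes `fetch` attach cookies and other credentials on cross-origin requests as well, it is also worth saying that the option belongs only on calls to the Management API, not on a shared fetch wrapper that also reaches other origins.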
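Review bot: In PATCH 2/3, the rewritten link text "draft [Request for Comments (RFC) from the Internet Engineering Task Force (IETF)]" spells out a term that does not fit the target: a document named `draft-ietf-oauth-browser-based-apps` is an IETF Internet-Draft, not an RFC. Suggest linking it by type and title instead, for example "the IETF Internet-Draft [OAuth 2.0 for Browser-Based Applications](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps)".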
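Review bot: In PATCH 3/3, "Following the draft" now reads as one fixed document, but the link target carries no revision suffix, so the datatracker page shows whichever revision is current and can drift away from what the implementation followed. Pin the revision the change was based on, or name the section of the draft that motivated it, so a reader auditing the upgrade can check the behaviour against a stable reference.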