Latest from the umbraco blog RSS Feed for the Umbraco Blog



Tuesday, July 26, 2016 by Sebastiaan Janssen

A little over a year ago we released the Identity Extensions for Umbraco and the accompanying extensions that allow login with, for example, Google, Facebook or any other OAuth-based provider. We always talk about how easy they are to set up and use, but how easy is that really?

In this real-life example, we have two things:

  • a Google Apps account for a domain
  • an Umbraco website for which we want all Google Apps users in our organization to be able to log into the backoffice

As the first step, we need to get a ClientId and a secret from Google by creating an OAuth client. Below is a short video that shows how to set this up.

Once you have the ClientId and secret from the Google OAuth integration, you go to your Umbraco Visual Studio solution and install two NuGet packages:

Install-Package UmbracoCms.IdentityExtensions
Install-Package UmbracoCms.IdentityExtensions.Google

A few readme files will pop up to tell you what to do with the new files that are now present in your App_Start folder. The most important one is UmbracoStandardOwinStartup.cs which will need to know about the Google ClientId and secret. In this example, they will be read from the web.config, where they're stored as appSettings.

var clientId = WebConfigurationManager.AppSettings["GoogleOAuthClientID"];
var secret = WebConfigurationManager.AppSettings["GoogleOAuthSecret"];
app.ConfigureBackOfficeGoogleAuth(clientId, secret);

In order for the Umbraco Backoffice to know that we can now also log in with a Google account, we need to change the owin:appStartup appSetting to:

<add key="owin:appStartup" value="UmbracoStandardOwinStartup" />

After doing this, we can log in to Umbraco with our existing Umbraco account and link that account to a Google login.

Once you click on "Link your Google account" you will be taken to Google and can link any account you want. From that point forward you can use the Google button on the login screen to log into the backoffice!

Nice.. but a little cumbersome too, we still need to create a local account first and then link it to a Google account. What if we wanted to allow all people on our Google Domains account in by default?

When you installed the NuGet packages you also received a UmbracoGoogleAuthExtensions.cs file in your App_Start folder which we can alter a little bit. Just before the last line of code (app.UseGoogleAuthentication(googleOptions);) in this class we can set it up to automatically create an Umbraco account for anybody using the Google button to sign in.

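	// Auto-create (and link) a backoffice user on first sign-in with Google
	googleOptions.SetExternalSignInAutoLinkOptions(
		new ExternalSignInAutoLinkOptions(
			autoLinkExternalAccount: true,
			defaultUserType: "admin",
			defaultAllowedSections: new[] { "content", "media", "settings", "developer", "users", "member" }));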

By default, if we don't change the defaultUserType and defaultAllowedSections, a new user would be created as an editor and would only have access to the content/media section. But in the example above, more access is granted because we trust users in our domain.

Speaking of domains.. doing the above will give anybody in the world(!) with a Google account access to our backoffice. That's probably not what you want unless you like a bit of chaos in your life.

So as our final step, we need to only allow people in whose email ends with our actual domain name. In UmbracoGoogleAuthExtensions.cs we define a variable googleOptions in which we can add the following, just after the "CallbackPath":

CallbackPath = new PathString("/umbraco-google-signin"),

Provider = new GoogleOAuth2AuthenticationProvider
{
	OnAuthenticated = context =>
	{
		if (context.Email.EndsWith("") || context.Email.EndsWith(""))
		{
			// All good, return as usual
			return Task.FromResult(0);
		}

		// Whoa, this one doesn't belong in our backoffice, throw exception, this will return a nulled out Auth Ticket
		var errorMessage = string.Format("User tried to log in with {0}, which does not end with an accepted domain name.", context.Email);
		throw new AuthenticationException(errorMessage);
	}
}

Looks good, right? Not so fast! What if someone made an email address like.. The e-mail address still ends with so they will be let in as well. So we change it to:

var emailParts = context.Email.Split('@');
if (emailParts.Last() == "" || emailParts.Last() == "")

Much better!
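The two checks side by side, as an added example that is not code from the original post: the suffix match accepts any address whose text merely ends with an allowed domain, while the exact match compares the whole part after the last `@` (and does so case-insensitively, which a plain `==` does not). The domains `example.com` and `example.org` are placeholders, and the class and method names are made up for this illustration.

```csharp
using System;
using System.Collections.Generic;

public static class BackofficeDomainCheck
{
    // Placeholder domains (assumption): replace with your organization's own.
    private static readonly HashSet<string> AllowedDomains =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "example.com", "example.org" };

    // First version of the check: a suffix match on the whole address.
    public static bool SuffixMatch(string email)
    {
        if (string.IsNullOrEmpty(email)) return false;
        foreach (var domain in AllowedDomains)
        {
            if (email.EndsWith(domain, StringComparison.OrdinalIgnoreCase)) return true;
        }
        return false;
    }

    // Corrected version: the part after the last '@' must equal an allowed domain.
    public static bool ExactDomainMatch(string email)
    {
        if (string.IsNullOrWhiteSpace(email)) return false;
        var at = email.LastIndexOf('@');
        // Reject addresses with no '@', an empty local part or an empty domain.
        if (at <= 0 || at == email.Length - 1) return false;
        return AllowedDomains.Contains(email.Substring(at + 1));
    }

    public static void Main()
    {
        // Constructed sample addresses.
        var samples = new[]
        {
            "alice@example.com",          // allowed by both
            "Bob@EXAMPLE.COM",            // allowed by both (case-insensitive)
            "someone@notexample.com",     // suffix match lets this in, exact match does not
            "someone@example.com.invalid",// rejected by both
            "example.com",                // no '@': suffix match lets this in
            ""                            // rejected by both
        };

        foreach (var s in samples)
        {
            Console.WriteLine("{0,-30} suffix={1,-5} exact={2}", s, SuffixMatch(s), ExactDomainMatch(s));
        }
    }
}
```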

That's all there is to it:

  • Enable OAuth in your Google account
  • Install the UmbracoCms.IdentityExtensions & UmbracoCms.IdentityExtensions.Google NuGet packages
  • Update UmbracoStandardOwinStartup.cs with the ClientId and secret you got from Google
  • Set the owin:appStartup appSetting in web.config to UmbracoStandardOwinStartup 
  • Update UmbracoGoogleAuthExtensions.cs to auto-link accounts and limit that to logins from your domain only

This is exactly what we've done for Our Umbraco, if you want to check out the code, have a look at the following two commits:

Note: The "Link your Google account" button has a bug in Umbraco 7.4 and 7.5 beta which can be fixed as follows:

Monday, July 18, 2016 by Sebastiaan Janssen

Today, we're happy to announce the second (and last) beta version of Umbraco 7.5.0. Your valuable feedback on the first beta has been very helpful in making version 7.5.0 even better than it already was. Thank you so much for your bug reports and your pull requests!

Here's a list of changes made between beta1 and beta2. Some of the notable changes, apart from some great bug fixes, are that the new package installer UI has been improved, and that we've made significant improvements to boost the performance of the XML cache, which also uses less memory.

We've made two major changes which we want to validate with the community before putting the "final" stamp on this release:

  • ImageProcessor was updated to the latest version, which could have significant impact for upgraders depending on what features you're using from ImageProcessor
  • We changed quite a few things regarding 301 URL tracking for which database changes are necessary


Following up on a much appreciated push from Kevin Giszewski and from our friends at Perplex, we helped address a known security issue with ImageProcessor. The problem was that you could send ImageProcessor any querystring and it would process it, generate a new image and serve it. Perplex even started seeing someone abusing this by simply increasing a parameter by 1, so for example "?blur=100", "?blur=101", "?blur=102", etc.

It became painfully obvious that processing those requests that came in in fast succession quickly maxed out the CPU of the server (blurring is quite a heavy operation). To add insult to injury, all of those processed images get stored too so they are rapidly filling up the server's disk.

A few measures were taken to limit the impact of such an attack.

First of all, by default, ImageProcessor will no longer respond to any processing requests unless they are of the types:

  • AutoRotate
  • BackgroundColor
  • Crop
  • Format
  • Quality
  • Resize

So when you upgrade to Umbraco 7.5.0 and your image urls look like "product.jpg?blur=100", then after the upgrade your product image will no longer have a blur on it. This also goes for processors like Flip, Mask, Saturation, Watermark, etc. So the only processors that are still active by default are the ones listed above.

If you wish to re-enable some of the other processors you will need to install the NuGet package ImageProcessor.Web.Config and enable the processors you need in the configuration file.

The other change is that there's now a "ValidatingRequest" event you can hook into. This event allows you to "massage" any of the requests to ImageProcessor to your own liking. So if you'd want to never allow any requests to change BackgroundColor, you can cancel that from the event. Similarly if you have a predefined set of crops that are allowed, you could make sure that no other crop sizes will be processed than those ones you have defined ahead of time.
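One way to write the decision such a handler would make, as an added example that is not code from Umbraco or ImageProcessor: every accepted request must map onto a small, fixed set of outputs, so stepping a parameter by 1 can no longer produce new cached files. The query keys, the allowed values, the crop sizes and the names `ImageRequestPolicy` and `IsAllowed` are assumptions for the illustration; a ValidatingRequest handler would cancel the request whenever `IsAllowed` returns false.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

public static class ImageRequestPolicy
{
    // Constructed allow-lists (assumptions): adjust keys and values to the
    // processors and crops your own site really uses.
    private static readonly Dictionary<string, HashSet<string>> AllowedValues =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "mode", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "crop", "max" } },
            { "format", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "jpg", "png" } },
            { "quality", new HashSet<string> { "70", "85" } }
        };

    // Predefined crop sizes, written as "<width>x<height>".
    private static readonly HashSet<string> AllowedSizes =
        new HashSet<string> { "320x180", "640x360", "1280x720" };

    public static bool IsAllowed(string queryString)
    {
        // No query string means no processing, so there is nothing to restrict.
        if (string.IsNullOrWhiteSpace(queryString)) return true;

        var query = HttpUtility.ParseQueryString(queryString);
        string width = null, height = null;

        foreach (string key in query.AllKeys)
        {
            if (key == null) return false;             // value without a key, e.g. "?blur"
            var value = query[key] ?? string.Empty;    // repeated keys arrive as "a,b" and fail below

            if (key.Equals("width", StringComparison.OrdinalIgnoreCase)) { width = value; continue; }
            if (key.Equals("height", StringComparison.OrdinalIgnoreCase)) { height = value; continue; }

            HashSet<string> allowed;
            if (!AllowedValues.TryGetValue(key, out allowed) || !allowed.Contains(value)) return false;
        }

        // A size is only accepted as a complete, predefined width/height pair.
        if (width == null && height == null) return true;
        return AllowedSizes.Contains(width + "x" + height);
    }

    public static void Main()
    {
        // Constructed sample query strings.
        var samples = new[]
        {
            "width=640&height=360&mode=crop", // process
            "quality=85&format=jpg",          // process
            "blur=100",                       // cancel: processor not on the list
            "width=641&height=360",           // cancel: not a predefined size
            "width=640",                      // cancel: incomplete size
            "width=640&width=9999&height=360" // cancel: repeated key
        };

        foreach (var s in samples)
        {
            Console.WriteLine("{0,-36} {1}", s, IsAllowed(s) ? "process" : "cancel");
        }
    }
}
```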

These changes have been made through significant effort by Shannon and James South, the creator of ImageProcessor. We very much appreciate and applaud the efforts and the help from the other people involved in the issue thread who helped puzzle together the best possible solution for everybody. These efforts show how open source and collaboration between community members can really shine and make our software better for everyone.

With these changes, we believe we've found a "happy medium" of not breaking everything but also not allowing the most processor intensive operations to run by default. If you're concerned about this for your sites right now, you should consider validating each request using anti forgery tokens in the ValidatingRequest event mentioned earlier. We'll blog about exactly how you could do this in a future blog post before 7.5.0 ships as a final release. Alternatively, CloudFlare is also great at detecting and fending off these types of attacks. This would be an easy code-free way of defending your site against any kind of denial of service attack.

In the future, we're thinking of adding a few more restrictions, for example only allowing the crops to be generated that you've pre-defined on your cropper datatype in Umbraco. We're still trying to think of solutions for responsive images however. Feedback is welcome!

We are awaiting your feedback, however: we've tried to keep the solution as flexible as possible and made some painful decisions, and we're willing to be challenged on those decisions. Please add your comments on the ImageProcessor issue for this if you have any concerns.

URL tracking

In order to make Courier deployments work with URL tracking, we needed to change a column in the database. For us to do that we will need to drop all your data from the UmbracoRedirectUrl table. If you're already relying on this data then make sure to take a backup of it. The change consists of storing the contentKey (the GUID of the content item) instead of storing the integer contentId.

Get it now

We're very excited for this release, the beta version from a few weeks ago has proven to be very stable and a joy to use. We'll give it another few weeks for people to test this second beta but we're confident that we won't need to change much more before we put the "final" stamp of approval on this release.

Make sure to download 7.5.0-beta2, or do a NuGet upgrade. Update your existing site and give it a spin. We would love to hear your feedback!

Friday, July 15, 2016 by vera


A case study by WebVizion ApS

Saniona is a research and development company focused on drugs for diseases of the central nervous system, autoimmune diseases, metabolic diseases and treatment of pain. With Saniona's 2016 launch on the Nasdaq, it was important that their website could easily and seamlessly present relevant investor and trading information.

What we were challenged to solve

Saniona's existing website was built on a Wordpress template, which limited design, performance and implementation of Nasdaq press releases, charts and content. We moved Saniona to Umbraco as a Service in order to free the site of such limitations, and ensure that important shareholder and financial information could be presented in a manner that communicated sophistication, quality and professionalism.

How we solved it

The project requirements were sent to our designer, who could design freely without sticking to a theme. The completed designs were passed to our front-end developer and finally everything was implemented in Umbraco CMS. With Umbraco as a Service we could make something unique on a professional platform, and found it raised the bar in quality and stability over the previous free-theme site. This was important for Saniona and their position in the market.

What we gained from it

A fully editable website that can be updated easily by the Saniona staff in real-time alongside market activity. The site enabled pixel perfect implementation of custom design.



Tuesday, July 12, 2016 by vera

Ready - reset - re-trial!


We want you to experience how great Umbraco as a Service is and therefore we offer you a free 14-day trial! This is however not breaking news…the breaking news is that you are now able to take another trial of UaaS as we have reset all previous email addresses.

Already trialled UaaS? Want to try it out again using the same email address? Well, please do!

In your free trial period you’ll get to experience all the great benefits from Umbraco as a Service - try to set up your own project, test the smooth deployment, add team members to your project - all by the click of a few buttons. One of the greatest benefits from using UaaS is that you, as a developer, will get more time on your hands as we have automated various workflows for you and made others more simple. As an editor or a client, you will enjoy the freedom to work on your content alongside development. See your site come to life in real-time as you collaborate, test and revise - shortening your project durations and your time to market! Basically, with UaaS you all get more time to work on more fun stuff or time to enjoy an extra cup of guilt-and-stress-free coffee - the tastiest kind!

With UaaS you get the well-known benefits from Umbraco such as the highest degree of CMS flexibility in development and our friendly and global developer-to-developer community with some extra nice cherries on top...or beneath, so to speak:    

All-in-one Hosting

Enjoy state-of-the-art managed hosting on Microsoft Azure and save time on IT tasks. Be free from server setup, version upgrades, and painful deployments as this is all reliably automated.


BaselineFlow allows you to reuse existing project components with one-click rather than repetitive project setup. This ensures consistency and quality across sites, and helps accurately predict project cost and time.


Our nimble ContentFlow process improves team collaboration as seamless editing and publishing of content can occur alongside feature development, in separate environments.


Want to understand how ContentFlow in UaaS works? Watch Rune explain all about it in this video

After your trial (or your re-trial) you can set up your project on a single environment for just €25/month! But first - let’s do the trial and if you have any questions along the way, don’t worry - we have our best and friendliest support guys ready to guide you through the process and answer any of your questions. Ready - set - trial!

If you’re interested in participating in the new UaaS referral program - a program we believe will suit your demands even better as well as your customers’ AND give you a recurring referral fee - contact Anders for more information about the UaaS referral program.

Tuesday, July 12, 2016 by Andrew Barta

We have officially launched the newest 1-day, skills-focused training on Integrating Applications with Umbraco. Jeremy Newman from PaperWise is one of the first certified developers through this course. He works daily on integrating his company's Document Management System with Umbraco. Let him tell you about the benefits of attending an Umbraco Masterclass and hopefully we'll see you at the next one!

Attendee: Jeremy Newman
Company: PaperWise
Course(s) Attended: Boulder – May 2016

  • Fundamentals
  • MVC and Umbraco
  • Extending the Umbraco Backoffice
  • The brand new Application Integrations

Position: Software Engineer -
Jeremy has been a Software Engineer for about 16 years. He has worked at Paperwise for the last two and a half. In his years of web development, he has worked with other CMS solutions such as DNN and SharePoint. He started working with Umbraco when he joined PaperWise and has been working with it for just over two years.

For starters can you tell us a little about PaperWise and what your company does?
PaperWise is the name of the company and it's also the name of our main suite of products.  We provide software and technology solutions that enable organizations to improve efficiency through applications that expedite workflow processes.  We have a wide variety of services and products; our company is many things to different people. Among our capabilities is custom application development – anything from windows apps to web apps. 

As an experienced web developer that had worked with Umbraco before the masterclass, how did you like the course? What were some of your takeaways?
As someone who has been to several training courses throughout the years, I thought this training was great. Normally, I’ll go to a training course with certain expectations of what I will learn, and I often leave disappointed. Either the training didn’t go deep enough into the material, or they missed things that I really wanted to dive into. This was different; the material covered and the quality of the training was superb. Additionally, I was happy with how deeply we dove into material such as the editor experience and integrations one-day courses. While there is a lot of information out there online, it isn't necessarily in an easy to consume format. In my opinion it was well worth the money, well worth the time and it was a lot quicker than if I had to go out there and learn it on my own. I was really happy and am really looking forward to what classes you might have in the future.

Not just the class content but talking with the other participants was great too. The collaborative training atmosphere works really well. There were tons of people with tons of knowledge in there. One other thing that I wish I had realized at the time, was that I was reading a Skrift article before attending the training and it was all about using gulp and grunt tasks to automate package creation. When I got back to the office I realized the article I was reading, was written by Tom Fulton who I met after the Masterclass at the Umbraco meetup. I didn’t realize when I met him that he was the one that wrote the article! I ended up talking to him quite a bit and he was probably sitting there thinking, “this guy has read my articles” since I was telling the same things he had already written. Pretty funny, but it was a great unexpected benefit to the training.

Would you suggest the training to a colleague or other web developer/designer?
Oh yeah, most definitely. I would say it almost needs to be a requirement if you're really serious about working with Umbraco. You're going to gain contacts outside of your company that you can reach out to about Umbraco related topics. On top of all the valuable content and material we went over, taking this training is a no brainer.   

Specifically, around the brand new one day courses how did you like the structure (MVC, Editor Experience, Application Integrations)? What were some of your takeaways?
Well in regards to the MVC course, it was great seeing all the ways you could integrate Umbraco with MVC and how things crossed over was really beneficial.

For the Application Integration course content wise, everything was great. The workbook was well structured as well. Recognizing the scenarios to use the different type of integrations was really helpful. For example, in our scenario from class I was thinking of the ways to integrate with Umbraco and at first we had talked about creating a custom property editor but now I realize the other options to let that data exist outside of Umbraco and pull it in using one of the techniques we learned. Essentially if that data isn't stored in Umbraco now I know I can still utilize it from that third party source.

Here at PaperWise, I believe Umbraco is going to be our platform of choice whenever we are building portals for people but we need to be able to support other CMS systems and the integrations course helped me understand a lot of how we might actually do that. Specifically talking about route hijacking and being able to bring in an MVC controller and view then telling Umbraco not to mess with the routing for that. Probably all of the things we covered we will end up using in what we are doing, so yeah, it was great. It played exactly into what I've been working on and planning.

Why do you enjoy using Umbraco?
I've had exposure to other CMS systems and so far I find Umbraco to be the easiest to use. I guess when I say easy, I mean it pretty much stays out of your way. You don't have to jump through a lot of hoops to develop things for Umbraco. I like the way everything is setup with Document Types and macros etc. Other CMS systems have similar concepts but none of them were as refined or easy to use as Umbraco. The composition concept is awesome. Moving away from an inheritance structure for the document types was an awesome move and I really like that capability.

There is that aspect of it, but also as much as I don't have to build HTML elements because of things like the grid editor and all the content capability it means I get more time to develop things.

It's a nice content management system with services that a developer could use on the backend. At the end of the day you're developing web apps with the content management system to back you up so you don't have to create that yourself. And the fact that you don't have to jump through hoops for that is huge. For example, with SharePoint you can point-and-click build things but a lot of times if you build them through the web interface or through their designer there are certain capabilities that you can’t take advantage of. This isn't the case with Umbraco. 


As always we want to extend a big thank you to Jeremy and PaperWise for taking the time to let us know about his experience with the new Masterclasses. If you or your team would like to follow in Jeremy's footsteps and sharpen your Umbraco skills, sign up for a course near you.