public async Task <IActionResult> Login(LoginInputModel model, string button)
{
// check if we are in the context of an authorization request
var context = await _interaction.GetAuthorizationContextAsync(model.ReturnUrl);
// the user clicked the "cancel" button
if (button != "login")
{
if (context != null)
{
// if the user cancels, send a result back into IdentityServer as if they
// denied the consent (even if this client does not require consent).
// this will send back an access denied OIDC error response to the client.
await _interaction.GrantConsentAsync(context, ConsentResponse.Denied);
// we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null
if (await _clientStore.IsPkceClientAsync(context.ClientId))
{
// if the client is PKCE then we assume it's native, so this change in how to
// return the response is for better UX for the end user.
return(View("Redirect", new RedirectViewModel {
RedirectUrl = model.ReturnUrl
}));
}
return(Redirect(model.ReturnUrl));
}
else
{
// since we don't have a valid context, then we just go back to the home page
return(Redirect("~/"));
}
}
if (ModelState.IsValid)
{
var result = await _signInManager.PasswordSignInAsync(model.Username, model.Password, model.RememberLogin, lockoutOnFailure : true);
if (result.Succeeded)
{
var user = await _userManager.FindByNameAsync(model.Username);
await _events.RaiseAsync(new UserLoginSuccessEvent(user.UserName, user.Id, user.UserName));
if (context != null)
{
if (await _clientStore.IsPkceClientAsync(context.ClientId))
{
// if the client is PKCE then we assume it's native, so this change in how to
// return the response is for better UX for the end user.
return(View("Redirect", new RedirectViewModel {
RedirectUrl = model.ReturnUrl
}));
}
// we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null
return(Redirect(model.ReturnUrl));
}
// request for a local page
if (Url.IsLocalUrl(model.ReturnUrl))
{
return(Redirect(model.ReturnUrl));
}
else if (string.IsNullOrEmpty(model.ReturnUrl))
{
return(Redirect("~/"));
}
else
{
// user might have clicked on a malicious link - should be logged
throw new Exception("invalid return URL");
}
}
await _events.RaiseAsync(new UserLoginFailureEvent(model.Username, "invalid credentials"));
ModelState.AddModelError(string.Empty, AccountOptions.InvalidCredentialsErrorMessage);
}
// something went wrong, show form with error
var vm = await BuildLoginViewModelAsync(model);
return(View(vm));
}
public async Task <IActionResult> Login(LoginInputModel model, string button)
{
if (button != "login")
{
// the user clicked the "cancel" button
var context = await _interaction.GetAuthorizationContextAsync(model.ReturnUrl);
if (context != null)
{
// if the user cancels, send a result back into IdentityServer as if they
// denied the consent (even if this client does not require consent).
// this will send back an access denied OIDC error response to the client.
await _interaction.GrantConsentAsync(context, ConsentResponse.Denied);
// we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null
return(Redirect(model.ReturnUrl));
}
else
{
// since we don't have a valid context, then we just go back to the home page
return(Redirect("~/"));
}
}
if (ModelState.IsValid)
{
// validate username/password against in-memory store
if (UserRepository.AreUserCredentialsValid(model.Username, model.Password))
{
var user = UserRepository.GetUserByUsername(model.Username);
var userClaims = UserRepository.GetUserClaimsBySubjectId(user.SubjectId);
var mobileClaim = userClaims.FirstOrDefault(p => p.ClaimType == "mobile");
if (mobileClaim != null)
{
// Perform two factor authentication.
var id = new ClaimsIdentity();
id.AddClaim(new Claim(JwtClaimTypes.Subject, user.SubjectId));
await HttpContext.SignInAsync("idsrv.2FA", new ClaimsPrincipal(id)); // this creates a cookie with this new scheme "idsrv.2FA";
// Send a verification code to the user. One option might be sending a code to the user's email address.
// Another option is sending code to a text message on user's mobile.
// For demo purposes, we're going to fake this and accept 123 as the correct code.
var message = $"Hello {model.Username} !! Welcome to IdentityServer deep dive demo.";
var result = _smsSender.SendSmsAsync(mobileClaim.ClaimValue, message);
var redirectToAdditionalFactorUrl = Url.Action("AdditionalAuthenticationFactor",
new
{
returnUrl = model.ReturnUrl, // pass in the current returnUrl so we can continue where we left off after validating the second factor.
rememberLogin = model.RememberLogin // whethere or not we'll need to create a persistent cookie when signing into IdentityServer.
});
if (_interaction.IsValidReturnUrl(model.ReturnUrl) || Url.IsLocalUrl(model.ReturnUrl))
{
return(Redirect(redirectToAdditionalFactorUrl));
}
return(Redirect("~/"));
}
#region Perform normal sigle factor authentication (these are original code)
await _events.RaiseAsync(new UserLoginSuccessEvent(user.Username, user.SubjectId, user.Username));
// only set explicit expiration here if user chooses "remember me".
// otherwise we rely upon expiration configured in cookie middleware.
AuthenticationProperties props = null;
if (AccountOptions.AllowRememberLogin && model.RememberLogin)
{
props = new AuthenticationProperties
{
IsPersistent = true,
ExpiresUtc = DateTimeOffset.UtcNow.Add(AccountOptions.RememberMeLoginDuration)
};
}
;
// issue authentication cookie with subject ID and username
await HttpContext.SignInAsync(user.SubjectId, user.Username, props);
// make sure the returnUrl is still valid, and if so redirect back to authorize endpoint or a local page
// the IsLocalUrl check is only necessary if you want to support additional local pages, otherwise IsValidReturnUrl is more strict
if (_interaction.IsValidReturnUrl(model.ReturnUrl) || Url.IsLocalUrl(model.ReturnUrl))
{
return(Redirect(model.ReturnUrl));
}
return(Redirect("~/"));
#endregion
}
await _events.RaiseAsync(new UserLoginFailureEvent(model.Username, "invalid credentials"));
ModelState.AddModelError("", AccountOptions.InvalidCredentialsErrorMessage);
}
// something went wrong, show form with error
var vm = await BuildLoginViewModelAsync(model);
return(View(vm));
}