Identityserver4: implementing passwordless login through customization of idsrv

Created on 4 Nov 2016 · 7Comments · Source: IdentityServer/IdentityServer4

Hi, is it possible to implement a passwordless login with custom grant and a custom login view?

By passwordless I mean that by visiting the custom login view and specifying your email, idsrv sends you an email with a magic link containing a TOTP, clicking the magic link goes to the custom grant validator and after validating the TOTP, idsrv redirects you to the client application.

Is that a scenario that can be supported through customization/extension of idsrv?

thanks,
Stephane

question

Source

stombeur

Most helpful comment

@stombeur maybe might be helpful https://github.com/Jurabek/IdentityServer4.PhoneNumberAuth

Jurabek on 26 Feb 2018

❤1 👍1

All 7 comments

I think so, in fact what you do for authentication a user is up to you.

What you could do is:

in the AccountController.Login (GET) let the user enter his email address.
Be sure to keep a reference to the returnUrl, this is the url that you should redirect to when a user is authenticated (it links to /connect/authorize/login?...)
Send the user a link with your TOTP and let it link to a custom action in your AccountController
In that action validate the TOTP and redirect then to the previous returnUrl and voila, the user is logged in. Similar to how AccountController.Login (POST) works

That's how I would do it.

khelben on 4 Nov 2016

@khelben thanks for your answer. I did manage to leave out that I'm currently on v3 with no immediate plans of moving to v4 though. So I'm not sure that solution is 100% applicable to v3?

stombeur on 4 Nov 2016

So why are you posting here then?