Is there a way to do partial logins or 2 step logins in IdSrv4 ?
Partial Login? Please be more specific about this.
Two Step Login, Do you mean Two Step Verification?
In IdSrv3 you have the option to partially log in the user and do some more validation on another page, for example, before fully signing in the user. This functionality does not look to be straightforward in IdSrv4.
My scenario:
I am using implicit flow, and once the user enters username / password, if the user's password has expired I want them to reset their password before fully signing them in. There are many ways to do this; in IdSrv3 I used partial logins to achieve this. I am in the process of upgrading to IdSrv4 but can't seem to find a way to do this.
Is there a way to do partial logins or 2 step logins in IdSrv4 ?
The programming model is different for IdSvr4 compared to IdSvr3: http://docs.identityserver.io/en/release/topics/signin.html#login-workflow
It's somewhat similar to Two Step Verification. The difference is that instead of verifying an OTP, the user needs to update the password.
See this example:

```csharp
if (result.RequiresTwoFactor)
{
    return RedirectToAction(nameof(LoginWith2fa), new { returnUrl, model.RememberMe });
}
```

Similarly, you can check for password expiration and redirect to the change password page.
Would this mean a custom sign-in manager for this, as the default one doesn't support it?
I had a similar flow set up using a custom flow in core 1.x using the example here https://stackoverflow.com/questions/40609585/how-to-do-multiple-step-login-in-identityserver4#40609586 but I can't get this working in 2.0 now.
I don't know if this is any help.
Thanks Brock Allen. Got it to work now.
For everyone who wants to do this, here's how. FYI, this is based on .NET Core 2.0.

In Startup.ConfigureServices:

```csharp
// Custom auth to support multi level login during expired password process
services.AddAuthentication().AddCookie(CustomConstants.PartialLogin);
```

In Startup.Configure:

```csharp
app.UseAuthentication();
```

In AccountController.Login:

```csharp
// Issue only the partial cookie; the IdentityServer cookie is not set yet
await HttpContext.SignInAsync(
    scheme: CustomConstants.PartialLogin,
    properties: props,
    principal: new ClaimsPrincipal(new ClaimsIdentity(claims)));
```

Then you can redirect to another page, and on that MVC action:

```csharp
var authResult = await HttpContext.AuthenticateAsync(CustomConstants.PartialLogin);
var user = authResult.Principal;
if (!authResult.Succeeded || authResult.Ticket.AuthenticationScheme != CustomConstants.PartialLogin)
{
    // todo: no valid partial cookie, e.g. redirect back to the login page
}
```

Then once you have completed this task, for full login:

```csharp
// Sign out of partial login scheme
await HttpContext.SignOutAsync(CustomConstants.PartialLogin);
// Sign in to IDS scheme
await HttpContext.SignInAsync(dbUser.Subject.ToString(), props, claims);
```
Sorry to bump this almost 8 months later, but can you elaborate on this for multiple checks @aaabdul? In that, if I want to do multiple partial logins for multiple reasons, is it indeed possible (EULA + reset password in my case)? IdSrv3 used a call within the UserService called PostAuthenticateLocalAsync where we could consolidate the logic for multiple use cases.
I have not used PostAuthenticateLocalAsync, but I am using the above approach for multiple partial logins. I needed support for more than one authentication step (e.g. memorable word, PIN, OTP, etc.). This is possible by using the claims to maintain the current auth state. In the above solution, before full sign-in, for each of your partial steps you can add a claim and log out and log back in to the partial cookie auth.
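Putting the two comments above together for the multi-step case (password reset, EULA, OTP), here is an added example that is not code from this thread or from IdentityServer4. It assumes ASP.NET Core 2.0 with the extra `PartialLogin` cookie scheme registered as shown earlier, IdentityServer4 2.x's `HttpContext.SignInAsync(subject, properties, claims)` extension used in the full sign-in above, and an invented `partial_step` claim type and `PartialLoginFlow` helper class.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;

public static class PartialLoginFlow
{
    public const string Scheme = "PartialLogin";     // the extra cookie scheme registered in Startup
    public const string StepClaim = "partial_step";  // assumed claim type: one claim per outstanding step
    // Start a partial login: "sub" plus one claim per step (e.g. "eula", "change_password"),
    // stored only in the partial cookie, never in the IDS cookie.
    public static Task StartAsync(HttpContext ctx, string subject, IEnumerable<string> steps,
                                  AuthenticationProperties props)
    {
        var claims = new List<Claim> { new Claim("sub", subject) };
        claims.AddRange(steps.Select(s => new Claim(StepClaim, s)));
        return ctx.SignInAsync(Scheme, new ClaimsPrincipal(new ClaimsIdentity(claims, Scheme)), props);
    }
    // Gate for a step page: the principal only if the partial cookie is valid and still
    // lists this step; the caller redirects back to Login on null.
    public static async Task<ClaimsPrincipal> RequireStepAsync(HttpContext ctx, string step)
    {
        var result = await ctx.AuthenticateAsync(Scheme);
        if (!result.Succeeded) return null;
        return result.Principal.HasClaim(StepClaim, step) ? result.Principal : null;
    }
    // After a step succeeds: drop its claim, then either re-issue the partial cookie with the
    // remaining steps (returns false) or sign out of it and do the full IDS sign-in (returns true).
    public static async Task<bool> CompleteStepAsync(HttpContext ctx, string step)
    {
        var result = await ctx.AuthenticateAsync(Scheme);
        if (!result.Succeeded) return false;
        var remaining = result.Principal.Claims
            .Where(c => !(c.Type == StepClaim && c.Value == step)).ToList();
        if (remaining.Any(c => c.Type == StepClaim))
        {
            var principal = new ClaimsPrincipal(new ClaimsIdentity(remaining, Scheme));
            await ctx.SignInAsync(Scheme, principal, result.Properties);
            return false;
        }
        await ctx.SignOutAsync(Scheme);
        // IdentityServer4 2.x extension SignInAsync(subject, properties, params Claim[]) adds "sub" itself
        var extra = remaining.Where(c => c.Type != "sub").ToArray();
        await ctx.SignInAsync(result.Principal.FindFirst("sub").Value, result.Properties, extra);
        return true;
    }
}
```

Because the step list lives in the partial cookie's claims rather than in a query string, a user cannot skip a step by browsing straight to the final action: the IDS cookie is only issued once `CompleteStepAsync` finds no step claims left.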
Ok, thanks. I'll give it an attempt and see where I wind up.
@aaabdul was looking for a solution for this all over, thanks a lot, works perfectly!