IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0
9.23k stars 4.02k forks

Go to a different login page depending on the client requested URL #1554

Closed ipeo closed 6 years ago

ipeo commented 7 years ago

Hi! I use Identity Server 4 with an Asp.Net core web app, two different web apps.

If a user requests an authorize page on my client and is not authenticated, he will be redirected to the Identity Server login page (/account/login).

What if I want to redirect a non-authenticated user to ANOTHER login page on the identity server (example /account/loginTwo), based on a specific Client scenario?

Example :

www.client.com/home -> redirects to www.identityserver.com/account/login
www.client.com/homeTwo -> redirects to www.identityserver.com/account/loginTwo

Can we do such a thing?

TomCJones commented 7 years ago

The client creates the redirect. It has complete control of where the user signs in.

..Tom's phone


ipeo commented 7 years ago

Yes, but this is in the startup class, within the AddIdentityServer service. I already defined my principal login route there. But what if I want to specify another route based on the current context of a client URL? Or how can I pass a parameter to the Identity Server login controller so that I can re-route the user to the correct login page? Both login pages do not have the same design, based on where in the client you are coming from (return url).

TomCJones commented 7 years ago

add another piece of middleware which changes the response before it is sent. put some magic value in the redirect URL and change it on the way out.


TomCJones commented 7 years ago

another way to do this is in the _loginpartial page. Add logic there to select. You have lots of options.


ipeo commented 6 years ago

So I did some research; what I actually want to do is pass an acr_values param to my IDP login controller, so I can select which Login view I want to show to the current user. I use [Authorize] on my controller. Should I replace this attribute with an AuthorizeRequest in my action method to be able to change the returnUrl passed to the IDP? Because I tried this solution but the returnUrl is not in the same format as with my [Authorize] attribute. Am I on the right path?

brockallen commented 6 years ago

Why don't you have your login page read acr_values and then decide what to show? What's the real-world use case for this requirement, BTW?

ipeo commented 6 years ago

@brockallen Well, my question was how to pass those acr_values from the client to the IDP. I managed to make it work by removing the [Authorize] tag on my controller action, and by calling a new AuthorizeRequest instead. This way I can control WHEN to add acr_values when accessing the controller action.

A real-world use case would be, for instance, different login pages to get to a specific controller action method. Imagine a CMS secured page managed by an admin. The admin wants to invite a user to also manage the page. The user has different claims and roles. The user will receive an invitation URL referring to that page, but when using the link, he will be redirected to a register/login page having the info of the page he's trying to access, like the title and the owner (the admin name). The admin has a more generic login page.

So technically, the way a user and an admin access this page, like the login page, is not the same, or at least, is showing different info to the user.

By design, I had to tell the IDP page which scenario to use: An admin wants to access the page or a user.

So would you say my implementation for this scenario is good?

ipeo commented 6 years ago

Admin wants to access localhost:3000/home/secure, gets redirected to IDP localhost:3001/account/login.

User wants to access localhost:3000/home/secure?invitation=true, gets redirected to IDP localhost:3001/account/loginUser.

So in localhost:3000/home/secure, that's where I need to put some acr_values based on the invitation param to tell the IDP where to redirect. I didn't know how to intercept the returnUrl with only the [Authorize] tag. That's why I removed it on the action method and called a new AuthorizeRequest instead.

brockallen commented 6 years ago

my question was how to pass those acr_values from the client to the IDP

this is up to the client OIDC library you're using. check their docs.

as for your real world scenarios, it's still not clear why different user types would have different login pages.
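The two halves of this exchange (the client library sends acr_values; the IdentityServer login page reads them and decides what to render) can be tied together in a few dozen lines. The following is an added example and is not code from this thread or from the IdentityServer4 project. It assumes the Microsoft.AspNetCore.Authentication.OpenIdConnect handler on the client and the IdentityServer4 package on the IdP; the scheme name, client id, authority, the `login_view:` prefix, the `AcrItemKey` name and the view names are placeholders. On the IdP side it reads the hint back through `IIdentityServerInteractionService.GetAuthorizationContextAsync` and the `AcrValues` collection of the returned `AuthorizationRequest`.

```csharp
// Added example (not code from this thread or from IdentityServer4): pass a per-request
// acr_values hint from an ASP.NET Core client to IdentityServer4 and pick a login view from it.
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// ----- Client web app -----
public static class OidcClientSetup
{
    // Key under which a controller stores the hint in AuthenticationProperties.Items (assumed name).
    public const string AcrItemKey = "acr_values";

    public static void AddClientAuth(IServiceCollection services)
    {
        services.AddAuthentication(options =>
            {
                options.DefaultScheme = "Cookies";
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie("Cookies")
            .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
            {
                options.Authority = "https://localhost:3001"; // placeholder IdP address
                options.ClientId = "mvc";                      // placeholder client id
                options.ResponseType = "code";
                options.Events.OnRedirectToIdentityProvider = ctx =>
                {
                    // Copy the hint the controller attached into the outgoing authorize request.
                    if (ctx.Properties.Items.TryGetValue(AcrItemKey, out var acr) && !string.IsNullOrEmpty(acr))
                        ctx.ProtocolMessage.AcrValues = acr;
                    return Task.CompletedTask;
                };
            });
    }
}

public class HomeController : Controller
{
    // No [Authorize] attribute: the action itself decides whether to challenge and which hint to send.
    public IActionResult Secure(bool invitation = false)
    {
        if (User.Identity?.IsAuthenticated == true)
            return View();

        var props = new AuthenticationProperties
        {
            RedirectUri = Url.Action(nameof(Secure), new { invitation })
        };
        if (invitation)
            props.Items[OidcClientSetup.AcrItemKey] = "login_view:invitation";

        return Challenge(props, OpenIdConnectDefaults.AuthenticationScheme);
    }
}

// ----- IdentityServer4 host -----
public class LoginViewModel
{
    public string ReturnUrl { get; set; }
}

public class AccountController : Controller
{
    // acr_values is client-supplied, unauthenticated input: map it through an allow-list,
    // never use it directly as a view name or redirect target.
    private static readonly IReadOnlyDictionary<string, string> ViewByHint = new Dictionary<string, string>
    {
        ["login_view:invitation"] = "LoginUser", // placeholder view name
    };

    private readonly IIdentityServerInteractionService _interaction;

    public AccountController(IIdentityServerInteractionService interaction) => _interaction = interaction;

    [HttpGet]
    public async Task<IActionResult> Login(string returnUrl)
    {
        // Resolve the pending authorize request; a returnUrl that does not belong to one
        // yields null, so the page falls back to the default view and drops the returnUrl.
        var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
        var hint = context?.AcrValues?.FirstOrDefault(v => v.StartsWith("login_view:"));

        var viewName = hint != null && ViewByHint.TryGetValue(hint, out var mapped) ? mapped : "Login";
        return View(viewName, new LoginViewModel { ReturnUrl = context != null ? returnUrl : null });
    }
}
```

The hint travels inside the authorize request itself, so the login page does not need a custom route per client; it only needs the allow-list lookup. Unknown or missing hints deliberately land on the default view, and a returnUrl that IdentityServer cannot match to a pending request is discarded rather than echoed back.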

TomCJones commented 6 years ago

real-world sites run into this all the time. It is often called "branding". It is almost always handled with URLs. It has little to do with the identity server, although a branded redirect would also be helpful.

brockallen commented 6 years ago

branding is different than different login logic. i'm not clear why the login page can't simply do the check it needs to and then either render something different, or redirect again somewhere else. IOW, the login page is the right place in our design for adding this custom logic, IMO.

TomCJones commented 6 years ago

that is the best place for it.

ipeo commented 6 years ago

Guys, this is just an example. The real issue is not whether there's 1 or 2 login pages. The issue is how do we pass acr_values to the IDP, from the client, if the client uses [Authorize] attributes...

brockallen commented 6 years ago

acr_values to the IDP, from the client, if the client uses [Authorize] attributes...

I already said above:

this is up to the client OIDC library you're using. check their docs.

ipeo commented 6 years ago

I'll look deeper into it, thank you!

surya19876 commented 6 years ago

Hi, I am new to IdentityServer4 and I want to know how it is redirected to account/login by default. I have written my own AccountController and provided login action. But it is not redirected over there. Can anyone explain, why is it happening?

jwasily commented 5 years ago

@surya19876
You can configure the IdentityServer default login URL in the startup by passing the following option in .AddIdentityServer: services.AddIdentityServer(options => options.UserInteraction.LoginUrl = "Controller/action")

lock[bot] commented 4 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.