IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0

Support cookieless login #4277

Closed jez9999 closed 4 years ago

jez9999 commented 4 years ago

IdentityServer4 doesn't have proper support for cookieless login. If you set your default authentication scheme to your own custom one, it logs the warning "Authentication scheme {scheme} is configured for IdentityServer, but it is not a scheme that supports signin (like cookies). If you support interactive logins via the browser, then a cookie-based scheme should be used."

In addition, the code crashes in LoginPageResult.cs when it calls AddQueryString because options like LoginReturnUrlParameter get set by the cookie auth middleware. Non-cookie auth isn't a first class citizen and it should be.

leastprivilege commented 4 years ago

What mechanism do you want to use instead - and what is wrong with cookies for that particular purpose?

jez9999 commented 4 years ago

I want the login page to POST back a token/credentials (or maybe put in query string) to /connect/authorize/callback so no cookie is needed.

jez9999 commented 4 years ago

The problem with cookies is that the cookie stays around in the session, so there's no way to prevent the browser from silently bypassing the login screen without explicitly clearing cookies from the browser (I don't want to set limited time cookies either because I consider that a hack; too easy to make the time too short or too long).

leastprivilege commented 4 years ago

There is an extensibility point that controls if the login screen gets shown. Regardless of an existing session or not.

jez9999 commented 4 years ago

Really? Could you point me to it please?

leastprivilege commented 4 years ago

You can derive and override this:

https://github.com/IdentityServer/IdentityServer4/blob/bab4caf919fd686959aad99b270251015ea70f22/src/IdentityServer4/src/ResponseHandling/Default/AuthorizeInteractionResponseGenerator.cs#L107

jez9999 commented 4 years ago

That generator is registered in .AddIdentityServer() and passed in through DI. How do I get my version to be passed in instead?

leastprivilege commented 4 years ago

You just register it in DI after you called AddIdentityServer.

jez9999 commented 4 years ago

OK. I've been looking at that class, though; there's no way for the code to know whether it was invoked as a result of /connect/authorize or /connect/authorize/callback. How is my code supposed to make the distinction? I'm guessing I'll need something like "if you're not being invoked from the callback URL, always redirect to login".

leastprivilege commented 4 years ago

ProcessLoginAsync is only called on the way in. Not on the callback.

jez9999 commented 4 years ago

I'm debugging it, and it's getting called on the way in, and by the callback. The callback endpoint handler awaits ProcessAuthorizeRequestAsync:

https://github.com/IdentityServer/IdentityServer4/blob/2bbbe9530d0b08f5019d042f1576e751dea85733/src/IdentityServer4/src/Endpoints/AuthorizeCallbackEndpoint.cs#L71

Then AuthorizeEndpointBase awaits ProcessInteractionAsync in the interaction generator:

https://github.com/IdentityServer/IdentityServer4/blob/2bbbe9530d0b08f5019d042f1576e751dea85733/src/IdentityServer4/src/Endpoints/AuthorizeEndpointBase.cs#L81

Which (unless consent was denied) calls ProcessLoginAsync:

https://github.com/IdentityServer/IdentityServer4/blob/2bbbe9530d0b08f5019d042f1576e751dea85733/src/IdentityServer4/src/ResponseHandling/Default/AuthorizeInteractionResponseGenerator.cs#L91
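Putting the two answers together (derive and override ProcessLoginAsync, register the subclass after AddIdentityServer, and cope with the callback re-entry traced above), here is an added example that is not from this thread or from IdentityServer4 itself. It assumes the IdentityServer4 v3/v4 shape of the class: a `protected internal virtual Task<InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest)` and a four-argument base constructor; the marker parameter name is invented.

```csharp
using System.Linq;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.ResponseHandling;
using IdentityServer4.Services;
using IdentityServer4.Validation;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;

// Shows the login page on every authorize request, even when a session cookie exists.
// Because /connect/authorize/callback re-enters ProcessLoginAsync, an unconditional
// "IsLogin = true" would loop forever. A marker added to the raw parameters on the way in
// rides along in the returnUrl, so the callback pass can defer to the base behaviour
// (the same trick the stock generator uses to clear prompt=login before redirecting).
public class AlwaysPromptInteractionResponseGenerator : AuthorizeInteractionResponseGenerator
{
    // Hypothetical parameter name; anything not used by the protocol will do.
    private const string ForcedLoginMarker = "x_forced_login";

    public AlwaysPromptInteractionResponseGenerator(
        ISystemClock clock,
        ILogger<AuthorizeInteractionResponseGenerator> logger,
        IConsentService consent,
        IProfileService profile)
        : base(clock, logger, consent, profile) { }

    protected internal override async Task<InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request)
    {
        // Run the stock logic first: it handles prompt=none, idp hints, max_age and the
        // plain "not authenticated" case and may already have chosen login or an error.
        var baseResponse = await base.ProcessLoginAsync(request);
        if (baseResponse.IsLogin || baseResponse.IsError || baseResponse.IsRedirect) return baseResponse;

        // prompt=none is an explicit request for no UI (silent renew); keep the base decision.
        if (request.PromptModes.Contains(OidcConstants.PromptModes.None)) return baseResponse;

        // Second pass (the callback after the login page): the marker is present, so the user
        // has just authenticated. Leave the marker in place so a later consent round-trip,
        // which also re-enters here, does not trigger another login.
        if (request.Raw[ForcedLoginMarker] != null) return baseResponse;

        // First pass: mark the request and force the login page regardless of any cookie session.
        request.Raw[ForcedLoginMarker] = "1";
        return new InteractionResponse { IsLogin = true };
    }
}

// Registration, after AddIdentityServer() so this replaces the default generator:
// services.AddTransient<IAuthorizeInteractionResponseGenerator, AlwaysPromptInteractionResponseGenerator>();
```

The marker only tells the two passes apart; the callback still relies on the authentication scheme to say who the user is, exactly as the built-in prompt=login handling does.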

jez9999 commented 4 years ago

@leastprivilege Any further updates on this? If there were a way for me to get it to display the login each time, it would be ideal.

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

diogonborges commented 3 years ago

Any news on this? We have a similar need on our setup to support login via a mobile app which has all the cookies disabled.

github-actions[bot] commented 3 years ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.