Closed apuchkov closed 8 years ago
IdentityServer manages its own cookie. You'd not be using the OwinAuthenticationService if you were using MR with IdentityServer. You'd just use the APIs to validate credentials. See here: https://github.com/IdentityServer/IdentityServer3.MembershipReboot/blob/master/source/IdentityServer3.MembershipReboot/IdentityServer3.MembershipReboot.cs
Is this how you are suggesting to use the API to validate credentials:
userAccountService.Authenticate(account.Username, model.Password, out account);
?
It will only tell if credentials are valid or not, but won't sign user in, correct?
Is there some way to seamlessly sign the user in (get a token from IdServ) without having him enter credentials at IdServ?
> It will only tell if credentials are valid or not, but won't sign user in, correct?

Correct -- IdSvr signs them in.

> Is there some way to seamlessly sign the user in (get a token from IdServ) without having him enter credentials at IdServ?

To get tokens from IdSvr you need to authenticate.
Then I guess we have to sign the user out after he has changed his email and confirmed it. So he will have to re-sign in via IdSvr and get the updated email claim.
Thanks!
You can always re-issue the cookie at IdSvr with the IssueLoginCookie OWIN extension: https://identityserver.github.io/Documentation/docsv2/advanced/owin.html
Thanks a lot for pointing to IssueLoginCookie(). It seems exactly what I need to get the user authenticated at IdSvr without having him re-enter a password.
I will just need to expose this method somehow in the IdSvr app, so I can call it from my user account app. A custom MVC endpoint will probably do the job.
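One way to build that custom endpoint inside the IdentityServer host, as an added example that is not code from the issue thread, from IdentityServer3 or from MembershipReboot. The `IssueLoginCookie` OWIN extension and the `AuthenticatedLogin` type are the real IdentityServer3 APIs linked above; `IHandoffTokenStore`, `HandoffController` and the choice of claims are assumptions made for this example. The handoff token is there because an endpoint that issues a login cookie on a bare user id would let anyone log in as anyone: the user-account app mints a short-lived, single-use token only after it has itself verified the user (for instance at the end of the confirm-email step), and the endpoint issues a cookie only in exchange for such a token.

```csharp
// Added example (not from the issue or from IdentityServer3): a custom MVC
// endpoint hosted in the IdentityServer3 application that re-issues IdSvr's
// own login cookie for a user the user-account app has already verified.
//
// Assumptions (hypothetical, not from the page):
//   - IHandoffTokenStore: short-lived, single-use tokens minted by the
//     user-account app after it validated the user. Redeem() consumes a token.
//   - The controller is resolved by the IdSvr host's MVC/DI setup.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Web;                       // GetOwinContext() (Microsoft.Owin.Host.SystemWeb)
using System.Web.Mvc;
using BrockAllen.MembershipReboot;      // UserAccountService, UserAccount
using IdentityServer3.Core;             // Constants
using IdentityServer3.Core.Extensions;  // IssueLoginCookie
using IdentityServer3.Core.Models;      // AuthenticatedLogin

public interface IHandoffTokenStore
{
    // Returns the account id the token was minted for and consumes the token,
    // or null when it is unknown, expired or already used (hypothetical).
    Guid? Redeem(string token);
}

public class HandoffController : Controller
{
    private readonly UserAccountService _userAccountService;
    private readonly IHandoffTokenStore _tokens;

    public HandoffController(UserAccountService userAccountService, IHandoffTokenStore tokens)
    {
        _userAccountService = userAccountService;
        _tokens = tokens;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Complete(string token, string returnUrl)
    {
        // Single use: a replayed handoff token is rejected here.
        var accountId = _tokens.Redeem(token);
        if (accountId == null)
            return new HttpUnauthorizedResult();

        // Re-check the account state at issue time rather than trusting the token alone.
        var account = _userAccountService.GetByID(accountId.Value);
        if (account == null || !account.IsAccountVerified || account.IsAccountClosed || !account.IsLoginAllowed)
            return new HttpUnauthorizedResult();

        // Claims are read from the account now, so an email that was changed and
        // confirmed ends up in the new cookie instead of the stale one.
        var login = new AuthenticatedLogin
        {
            Subject = account.ID.ToString(),
            Name = account.Username,
            IdentityProvider = Constants.BuiltInIdentityProvider,
            AuthenticationMethod = Constants.AuthenticationMethods.Password,
            Claims = new List<Claim>
            {
                new Claim(Constants.ClaimTypes.Email, account.Email ?? string.Empty),
            },
        };

        // Replaces IdSvr's login cookie for this browser; the next authorize
        // request to IdSvr then completes without a password prompt.
        HttpContext.GetOwinContext().Environment.IssueLoginCookie(login);

        // Open-redirect guard: only return to a path on this host.
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "~/");
    }
}
```

The user-account app would finish its confirm-email step by minting a token for the verified account and POSTing the browser to this endpoint; because the cookie is rebuilt from the account on every handoff, the same endpoint also covers the change-email case, where the old cookie still carries the previous email claim.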
I'm not sure if Register and Change Email flows work well when using OwinAuthenticationService with IdentityServer.
My app is based on the SingleTenant sample, except it uses OwinAuthenticationService and authenticates via IdentityServer, which is connected to MembershipReboot.
1. Registration Flow
When the user confirms his email after registration he goes through the line
authSvc.SignIn(account);
in ChangeEmailController.cs, which redirects him to IdentityServer before redirecting to the success page. This is not ideal, as the user just entered his password to confirm his email and has to enter it again at IdentityServer. Is there a way to authenticate the user somehow in the background at this point, without having him enter his username and password at IdentityServer? We already know who this user is anyway.
2. Change Email Flow
When the user changes his email address and then confirms it, the code steps through the same line
authSvc.SignIn(account);
in ChangeEmailController.cs, but in this case the user is not redirected to IdentityServer, so he still has his old email address in a claim. Did I misconfigure something or is it a bug?