ASP.NET Core IdentityServer4 - How can I use Client Login Page instead of IdentityServer Login Page?

Time:07-22

I have 2 APIs, 1 MVC Web App and an IdentityServer App in my project.

Local ports :

IdentityServer : https://localhost:1000

API 1 : https://localhost:2000

API 2 : https://localhost:3000

Client : https://localhost:4000

In terms of the MVC Web App, its Startup.cs authentication service is like this:

// Cookie scheme keeps the local session; "oidc" is used to challenge (redirect to IdentityServer).
services.AddAuthentication(_ =>
{
   _.DefaultScheme = "...";
   _.DefaultChallengeScheme = "oidc";
})
.AddCookie("...", options => options.AccessDeniedPath = "/home/accessdenied")
.AddOpenIdConnect("oidc", _ =>
{
   _.SignInScheme = "...";
   _.Authority = "https://localhost:1000";
   _.ClientId = "...";
   _.ClientSecret = "...";
   _.ResponseType = "code id_token";   // hybrid flow
   _.GetClaimsFromUserInfoEndpoint = true;

   _.SaveTokens = true;                // store tokens in the authentication cookie
   _.Scope.Add("offline_access");      // request a refresh token

   _.Scope.Add("...");
   _.Scope.Add("...");
   _.Scope.Add("...");
});

In the MVC Web app, there is a Controller like this:

// Namespaces needed for AuthenticateAsync(), [Authorize], HttpClient and LINQ.
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize]
public async Task<IActionResult> PayMoney()
{
    // Tokens saved by SaveTokens = true are stored in the authentication properties.
    var authenticationProperties = (await HttpContext.AuthenticateAsync()).Properties.Items;
    string accessToken = authenticationProperties.FirstOrDefault(x => x.Key == ".Token.access_token").Value;

    // Call API 1 with the access token as a bearer token.
    HttpClient httpClient = new HttpClient();
    httpClient.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken}");
    HttpResponseMessage responseMessage = await httpClient.GetAsync("https://localhost:2000/api/.....");
    string total = await responseMessage.Content.ReadAsStringAsync();
    return View();
}

At this point, I run all the apps together. After that I call PayMoney (above) and the project redirects me to the IdentityServer login page (Account/Login) with a ReturnUrl because I am not authenticated and authorized.

But I want to use the login page of the MVC App instead of the IdentityServer project's Quickstart.UI login page.

Is it possible? And when I researched, people said I should use 'Resource Owner Password', but it is not secure for my project...

Does anyone have any idea about this?

CodePudding user response:

In OpenID Connect you are not supposed to let the client application see/touch the user's username/password. Instead it is by design that the user should be redirected to the identity provider for authentication.

As a client, I would not trust giving my credentials to individual clients; instead you only want to do that with someone you, as a user, trust.
