I have a Duende IdentityServer that has multiple BFFs as clients. One of these BFFs is for my admins.
My IdentityServer has multiple sign-in schemes (think Facebook, Google, etc.), however I want to force my Administrator BFF to use the Azure AD (for my organization only) login.
I was thinking maybe setting client properties in the database and having the IdentityServer respond to that. But I was wondering if there is a more standard way of doing it that I haven't thought about.
CodePudding user response:
Some authorization servers have allowed authenticator settings, though others do not. I could not see a built-in option in the client model.
Another option is for the client application (your BFF) to send the `acr_values` OpenID Connect request parameter to force that app to bypass authentication selection screens.
This feels like the preferred option in your case. After login your BFF could even validate the `acr` claim to check that the expected authentication method(s) was used.
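As an added example (not part of this answer or of Duende's own code), this is what the BFF side of that approach looks like in an ASP.NET Core app using the standard OpenID Connect handler. It assumes the Azure AD external scheme is registered in IdentityServer under the name `aad` (an assumed name) and that the BFF's client id is `admin-bff` (placeholder). IdentityServer understands the `idp:<scheme>` convention in `acr_values` to preselect a provider, and it records the provider that actually authenticated the user in the `idp` claim, so the post-login check below inspects that claim rather than `acr`.

```csharp
// Added example: BFF configuration that pins the admin app to the Azure AD provider.
// Assumptions: external scheme name "aad", client id "admin-bff", authority URL (all placeholders).
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = "cookie";
    options.DefaultChallengeScheme = "oidc";
})
.AddCookie("cookie")
.AddOpenIdConnect("oidc", options =>
{
    options.Authority = "https://identityserver.example";      // placeholder
    options.ClientId = "admin-bff";                              // placeholder
    options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
    options.ResponseType = "code";
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.SaveTokens = true;

    options.Events = new OpenIdConnectEvents
    {
        // Ask IdentityServer to skip its provider selection page and go straight to Azure AD.
        // "idp:<scheme>" is the acr_values convention IdentityServer recognises.
        OnRedirectToIdentityProvider = ctx =>
        {
            ctx.ProtocolMessage.AcrValues = "idp:aad";
            return Task.CompletedTask;
        },

        // Defence in depth: acr_values is only a hint, so refuse the session unless the
        // token proves Azure AD was the provider. IdentityServer emits this in the "idp" claim.
        OnTokenValidated = ctx =>
        {
            var idp = ctx.Principal?.FindFirst("idp")?.Value;
            if (idp != "aad")
            {
                ctx.Fail($"Unexpected identity provider '{idp}'; the admin BFF requires Azure AD.");
            }
            return Task.CompletedTask;
        }
    };
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", (ClaimsPrincipal user) => $"Hello {user.Identity?.Name}").RequireAuthorization();
app.Run();
```

The `OnTokenValidated` check matters because a client-sent `acr_values` can be dropped or ignored by the server; the claim in the issued token is the only thing the BFF can actually trust about which provider was used.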
CodePudding user response:
Fun fact:
Duende IdentityServer has `Client.IdentityProviderRestrictions`.
This is exactly what I needed for my goal.
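For completeness, here is an added example (not from this answer or from Duende's documentation) of the server-side counterpart: registering Azure AD as an external scheme in IdentityServer and restricting the admin client to it with `IdentityProviderRestrictions`. The scheme name `aad`, the client id `admin-bff`, the tenant id and the redirect URI are placeholders. With the restriction in place, IdentityServer only offers that provider to this client, and it will not honour an `idp:` value in `acr_values` that is outside the allowed list; disabling local login is the usual companion so that no password form is shown to admins at all.

```csharp
// Added example: IdentityServer host configuration (placeholders throughout).
using Duende.IdentityServer;
using Duende.IdentityServer.Models;

var builder = WebApplication.CreateBuilder(args);

var adminClient = new Client
{
    ClientId = "admin-bff",                                   // placeholder
    ClientSecrets = { new Secret("replace-me".Sha256()) },    // placeholder secret
    AllowedGrantTypes = GrantTypes.Code,
    RedirectUris = { "https://admin.example/signin-oidc" },   // placeholder
    AllowedScopes = { "openid", "profile" },

    // Only the Azure AD external scheme may be used to sign in to this client.
    IdentityProviderRestrictions = { "aad" },

    // No local username/password login for the admin client.
    EnableLocalLogin = false
};

builder.Services.AddIdentityServer()
    .AddInMemoryIdentityResources(new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile()
    })
    .AddInMemoryClients(new[] { adminClient });

// Register Azure AD as an external provider. The scheme name must match the value
// used in IdentityProviderRestrictions (and in any "idp:aad" acr_values hint).
builder.Services.AddAuthentication()
    .AddOpenIdConnect("aad", "Azure AD", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0"; // placeholder tenant
        options.ClientId = builder.Configuration["AzureAd:ClientId"];
        options.ClientSecret = builder.Configuration["AzureAd:ClientSecret"];
        options.ResponseType = "code";
        options.CallbackPath = "/signin-aad";
        options.Scope.Add("openid");
        options.Scope.Add("profile");
    });

var app = builder.Build();
app.UseIdentityServer();
app.Run();
```

Because the restriction lives in the client definition, it holds even if someone builds a client that omits the `acr_values` hint: the server-side list decides which providers are selectable, while the hint only decides which one is preselected.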