In order for IdentityServer to issue tokens on behalf of a user, that user must sign-in to IdentityServer.
Login User Interface and Identity Management System¶
IdentityServer does not provide any user-interface or user database for authentication. These are things you are expected to provide or develop yourself. We have samples that use ASP.NET Identity.
We also have a quickstart UI that has basic implementations of all the moving parts like login, consent and logout as a starting point.
When IdentityServer recieves a request at the authorization endpoint and the user is not authenticated, the user will be redirected to the configured login page.
You must inform IdentityServer of the path to your login page via the
UserInteraction settings on the options.
returnUrl parameter will be passed informing your login page where the user should be redirected once login is complete.
On your login page you might require information about the context of the request in order to customize the login experience
(such as client, prompt parameter, IdP hint, or something else).
This is made available via the
GetAuthorizationContextAsync API on the the interaction service.
AuthenticationManager and Claims¶
AuthenticationManager from ASP.NET Core is used to issue the authentication cookie and sign a user in.
The authentication scheme used must match the cookie middleware you are using (see above).
When you sign the user in you must issue at least a
sub claim and a
IdentityServer provides a few
SignInAsync extension methods on the
AuthenticationManager to make this more convenient.
You can also optionally issue an
idp claim (for the identity provider name), an
amr claim (for the authentication method used), and/or an
auth_time claim (for the epoch time a user authenticated).
If you do not provide these, then IdentityServer will provide default values.