IdentityServer4
1.0.0

Introduction

  • The Big Picture
  • Terminology
  • Supported Specifications
  • Packaging and Builds
  • Support and Consulting Options
  • Demo Server
  • Contributing

Quickstarts

  • Overview
  • Protecting an API using Client Credentials
  • Interactive Applications with ASP.NET Core
  • ASP.NET Core and API access
  • Adding a JavaScript client
  • Using EntityFramework Core for configuration and operational data
  • Using ASP.NET Core Identity

Topics

  • Startup
  • Defining Resources
  • Defining Clients
  • Sign-in
  • Sign-in with External Identity Providers
  • Windows Authentication
  • Sign-out
  • Sign-out of External Identity Providers
  • Federated Sign-out
  • Federation Gateway
  • Consent
    • Consent Page
    • Authorization Context
    • Informing IdentityServer of the consent result
    • Returning the user to the authorization endpoint
  • Protecting APIs
  • Deployment
  • Logging
  • Events
  • Cryptography, Keys and HTTPS
  • Grant Types
  • Client Authentication
  • Extension Grants
  • Resource Owner Password Validation
  • Refresh Tokens
  • Reference Tokens
  • Persisted Grants
  • Proof-of-Possession Access Tokens
  • Mutual TLS
  • Authorize Request Objects
  • Custom Token Request Validation and Issuance
  • CORS
  • Discovery
  • Adding more API Endpoints
  • Adding new Protocols
  • Tools

Endpoints

  • Discovery Endpoint
  • Authorize Endpoint
  • Token Endpoint
  • UserInfo Endpoint
  • Device Authorization Endpoint
  • Introspection Endpoint
  • Revocation Endpoint
  • End Session Endpoint

Reference

  • IdentityServer Options
  • Identity Resource
  • API Scope
  • API Resource
  • Client
  • GrantValidationResult
  • Profile Service
  • IdentityServer Interaction Service
  • Device Flow Interaction Service
  • Entity Framework Support
  • ASP.NET Identity Support

Misc

  • Training
  • Blog posts
  • Videos
IdentityServer4
  • Consent
  • View page source

Consent¶

During an authorization request, if IdentityServer requires user consent the browser will be redirected to the consent page.

Consent is used to allow an end user to grant a client access to resources (identity or API). This is typically only necessary for third-party clients, and can be enabled/disabled per-client on the client settings.

Consent Page¶

In order for the user to grant consent, a consent page must be provided by the hosting application. The quickstart UI has a basic implementation of a consent page.

A consent page normally renders the display name of the current user, the display name of the client requesting access, the logo of the client, a link for more information about the client, and the list of resources the client is requesting access to. It’s also common to allow the user to indicate that their consent should be “remembered” so they are not prompted again in the future for the same client.

Once the user has provided consent, the consent page must inform IdentityServer of the consent, and then the browser must be redirected back to the authorization endpoint.

Authorization Context¶

IdentityServer will pass a returnUrl parameter (configurable on the user interaction options) to the consent page which contains the parameters of the authorization request. These parameters provide the context for the consent page, and can be read with help from the interaction service. The GetAuthorizationContextAsync API will return an instance of AuthorizationRequest.

Additional details about the client or resources can be obtained using the IClientStore and IResourceStore interfaces.

Informing IdentityServer of the consent result¶

The GrantConsentAsync API on the interaction service allows the consent page to inform IdentityServer of the outcome of consent (which might also be to deny the client access).

IdentityServer will temporarily persist the outcome of the consent. This persistence uses a cookie by default, as it only needs to last long enough to convey the outcome back to the authorization endpoint. This temporary persistence is different than the persistence used for the “remember my consent” feature (and it is the authorization endpoint which persists the “remember my consent” for the user). If you wish to use some other persistence between the consent page and the authorization redirect, then you can implement IMessageStore<ConsentResponse> and register the implementation in DI.

Returning the user to the authorization endpoint¶

Once the consent page has informed IdentityServer of the outcome, the user can be redirected back to the returnUrl. Your consent page should protect against open redirects by verifying that the returnUrl is valid. This can be done by calling IsValidReturnUrl on the interaction service. Also, if GetAuthorizationContextAsync returns a non-null result, then you can also trust that the returnUrl is valid.

Previous Next

© Copyright 2020, Brock Allen & Dominick Baier.

Built with Sphinx using a theme provided by Read the Docs.