Sign-in

In order for IdentityServer to issue tokens on behalf of a user, that user must sign-in to IdentityServer.

Login User Interface and Identity Management System

IdentityServer does not provide any user-interface or user database for user authentication. These are things you are expected to provide or develop yourself.

If you need a starting point for a basic UI (login, logout, consent and manage grants), you can use our quickstart UI.

The quickstart UI authenticates users against an in-memory database. You would replace those bits with access to your real user store. We have samples that use ASP.NET Identity.

Login Workflow

When IdentityServer receives a request at the authorization endpoint and the user is not authenticated, the user will be redirected to the configured login page. You must inform IdentityServer of the path to your login page via the UserInteraction settings on the options (the default is /account/login). A returnUrl parameter will be passed informing your login page where the user should be redirected once login is complete.

../_images/signin_flow.png

Note

Beware open-redirect attacks via the returnUrl parameter. You should validate that the returnUrl refers to well-known location. See the interaction service for APIs to validate the returnUrl parameter.

Login Context

On your login page you might require information about the context of the request in order to customize the login experience (such as client, prompt parameter, IdP hint, or something else). This is made available via the GetAuthorizationContextAsync API on the interaction service.