The BFF login endpoint has extensibility points in two interfaces. The ILoginService is the top-level abstraction that processes requests to the endpoint. This service can be used to add custom request processing logic. The IReturnUrlValidator ensures that the returnUrl parameter passed to the login endpoint is safe to use.
ProcessRequestAsync is the top-level function called in the endpoint service and can be used to add arbitrary logic to the endpoint.
For example, you could take whatever actions you need before normal processing of the request like this:
public override Task ProcessRequestAsync(HttpContext context) {
    // Custom logic here, run before normal processing of the request
    return base.ProcessRequestAsync(context);
}
To prevent open redirector attacks, the returnUrl parameter to the login endpoint must be validated. You can customize this validation by implementing the IReturnUrlValidator interface. The default implementation enforces that return URLs are local.
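A custom validator that is stricter than a plain local-URL check, as an added example that is not part of the Duende documentation or code base: it accepts a return URL only if it is local and falls under an allow-listed path prefix. The class name, the prefixes, the `Duende.Bff` namespace and the `Task<bool> IsValidAsync(string returnUrl)` member are assumptions; check the interface in the Duende.Bff version you have installed.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Duende.Bff; // assumed namespace of IReturnUrlValidator

public class PrefixReturnUrlValidator : IReturnUrlValidator
{
    // Constructed sample values: the only areas of the app a login may return to.
    private static readonly string[] AllowedPrefixes = { "/app", "/account" };

    // Assumed interface member; verify against your Duende.Bff version.
    public Task<bool> IsValidAsync(string returnUrl)
        => Task.FromResult(IsLocal(returnUrl) && IsAllowedPath(returnUrl));

    private static bool IsLocal(string url)
    {
        // Must be rooted at this origin: rejects "", "account" and "https://host/..."
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;

        // "//host" is protocol-relative; browsers treat "/\host" the same way
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;

        // CR, LF, tab and other control characters can be dropped or
        // reinterpreted by browsers, so refuse them outright
        return !url.Any(char.IsControl);
    }

    private static bool IsAllowedPath(string url)
    {
        // Compare the path only, ignoring query string and fragment
        var end = url.IndexOfAny(new[] { '?', '#' });
        var path = end < 0 ? url : url.Substring(0, end);

        // "/app" and "/app/orders" match; "/application" does not
        return AllowedPrefixes.Any(p =>
            path.Equals(p, StringComparison.OrdinalIgnoreCase) ||
            path.StartsWith(p + "/", StringComparison.OrdinalIgnoreCase));
    }
}
```

Register the class for IReturnUrlValidator in the dependency injection container after the BFF services are added, for example `builder.Services.AddTransient<IReturnUrlValidator, PrefixReturnUrlValidator>();` (the transient lifetime is an assumption).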