These samples illustrate customization of the interactive pages used in your IdentityServer.
This sample shows how to create a custom profile service to control what claims are issued from your IdentityServer. The majority of the sample is captured in CustomProfileService.cs in the IdentityServer project.
Another part of the sample shows how to collect a custom claim during the login workflow when using an external login provider (this is done in the ExternalLogin/Callback.cshtml.cs processing logic). This claim value is stored in the user’s session and is ultimately copied into the created tokens by the custom profile service logic.
This sample shows how to implement step up. The Demo consists of 3 projects:
To run the demo, start all three projects and navigate to the Client application at https://localhost:6001. From there, you can click on links to pages that will trigger step up in various ways. For example, you could
From there, you can experiment with other interactions. You can go to the Recent Auth with MFA page that has both authentication requirements, or try the user bob, who always requires MFA.
This sample shows an example of building the interactive pages (login, consent, logout, and error) as client-rendered (typical of SPAs), rather than server-rendered. Since there are many different SPA frameworks, the actual pages are coded using vanilla JavaScript.
Key takeaways:
The dynamic providers feature allows for loading OpenID Connect identity provider configuration dynamically from a store. This sample sets up a simple database with one dynamic OIDC provider.
Some key points about the IdentityServer project in the sample:
The dynamic providers feature allows for loading OpenID Connect identity provider configuration dynamically from a store. This sample shows how to extend the dynamic providers feature to support additional protocol types, and specifically WS-Federation.
Key takeaways:
The Sustainsys.Saml2 open source library adds Saml2 protocol support to ASP.NET Core. It can be used together with the Duende dynamic identity providers feature. The sample is deliberately minimal: it shows a simple Saml2 config and does not handle the complete set of Saml2 config options.
This sample shows how a client can make CIBA login requests using Duende IdentityServer. To run the sample, start the IdentityServer and API hosts first. Next, run the ConsoleCibaClient, which will initiate the backchannel login request. The URL the user would receive to log in and approve the request is written to the IdentityServer log (visible in the console window). Follow that URL, log in as “alice”, and then approve the login request to allow the client to receive the results.
This sample shows how to use Windows Authentication when hosting your IdentityServer behind IIS (or IIS Express). The salient piece to understand is a new LoginWithWindows action method in the AccountController from the quickstarts. Windows authentication is triggered, and once the result is determined, the main authentication session cookie is created based on the WindowsIdentity results. Also note the configuration in Startup: a call to Configure<IISOptions>, mainly to set AutomaticAuthentication to false.