Accepting Local Credentials

The steps for implementing a local login page are:

  • Validate the user’s credentials
  • Issue the authentication cookie
  • Redirect the user to the return URL

The code below shows a sample Razor Page that could act as a login page. This sample hard-codes the credential check. In production code, use your custom user database or identity management library here.

If you are using ASP.NET Identity for user management, our Identity Server ASP.NET Identity (isaspid) template includes a login page that shows how you might use the abstractions of that library on your login page. Notably, it uses the SignInManager to start the session, rather than HttpContext.SignInAsync.

This is the cshtml for the login Razor Page:

@page
@model Sample.Pages.Account.LoginModel
@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers

<div asp-validation-summary="All"></div>

<form method="post">
    <input type="hidden" asp-for="ReturnUrl" />

    <label asp-for="Username">Username</label>
    <input asp-for="Username" autofocus>
    <label asp-for="Password">Password</label>
    <input type="password" asp-for="Password" autocomplete="off">

    <button type="submit">Login</button>
</form>

And this is the code behind for the login Razor Page:

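using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

namespace Sample.Pages.Account
{
    public class LoginModel : PageModel
    {
        [BindProperty(SupportsGet = true)]
        public string ReturnUrl { get; set; }
        [BindProperty]
        public string Username { get; set; }
        [BindProperty]
        public string Password { get; set; }

        public async Task<IActionResult> OnPost()
        {
            // Hard-coded check for the sample only; validate against your user store in production.
            if (Username == "alice" && Password == "password")
            {
                var claims = new Claim[] {
                    new Claim("sub", "unique_id_for_alice")
                };
                var identity = new ClaimsIdentity(claims, "pwd");
                var user = new ClaimsPrincipal(identity);
                // Issue the authentication cookie.
                await HttpContext.SignInAsync(user);
                // Redirect only to local URLs so ReturnUrl cannot be used as an open redirect.
                if (Url.IsLocalUrl(ReturnUrl))
                {
                    return Redirect(ReturnUrl);
                }
            }
            ModelState.AddModelError("", "Invalid username or password");
            return Page();
        }
    }
}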

When IdentityServer redirects to the LoginUrl, the user should arrive at this page. If you’re using the default URLs, create this page at the path ~/Pages/Account/Login.cshtml, which allows it to be loaded from the browser at the “/Account/Login” path.

While you can use any custom user database or identity management library for your users, we provide first-class integration support for ASP.NET Identity.
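
The following is an added example, not part of the IdentityServer documentation or templates: one way to replace the hard-coded check in OnPost with a lookup against a custom user store that keeps only password hashes. SampleUser, SampleCredentialValidator and the in-memory dictionary are hypothetical names constructed for illustration; PasswordHasher<TUser> is the hasher from ASP.NET Core Identity, used here on its own.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using Microsoft.AspNetCore.Identity;

namespace Sample.Pages.Account
{
    // Hypothetical user record and in-memory store, constructed for this example.
    public class SampleUser
    {
        public string SubjectId { get; set; }
        public string Username { get; set; }
        public string PasswordHash { get; set; }
    }

    public class SampleCredentialValidator
    {
        private readonly PasswordHasher<SampleUser> _hasher = new PasswordHasher<SampleUser>();
        private readonly Dictionary<string, SampleUser> _users = new Dictionary<string, SampleUser>();
        private readonly string _dummyHash;

        public SampleCredentialValidator()
        {
            // Hash verified for unknown usernames so both failure paths do similar work.
            _dummyHash = _hasher.HashPassword(new SampleUser(), "constructed-dummy-value");
        }

        public void AddUser(string subjectId, string username, string password)
        {
            var user = new SampleUser { SubjectId = subjectId, Username = username };
            user.PasswordHash = _hasher.HashPassword(user, password);
            _users[username] = user;
        }

        // Returns the principal to pass to HttpContext.SignInAsync, or null on failure.
        public ClaimsPrincipal Validate(string username, string password)
        {
            if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return null;

            var found = _users.TryGetValue(username, out var user);
            var hash = found ? user.PasswordHash : _dummyHash;
            var result = _hasher.VerifyHashedPassword(user ?? new SampleUser(), hash, password);
            if (!found || result == PasswordVerificationResult.Failed) return null;

            // "sub" and "pwd" mirror the claim type and authentication type used on this page.
            var identity = new ClaimsIdentity(new[] { new Claim("sub", user.SubjectId) }, "pwd");
            return new ClaimsPrincipal(identity);
        }
    }
}
```

In OnPost, a null result from Validate maps to the same "Invalid username or password" model error for both unknown users and wrong passwords, so the response does not reveal which usernames exist.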