
I've got a SPA written with Angular, and it communicates with a few APIs (also owned by me) to do all of its work. To secure the application, I am using Identity Server 4 with AAD as the single external provider.

I'm using a route guard in Angular that initiates the oidc implicit flow if the user is not yet authenticated before navigating to a route. This is all working great -- the user is forced to login with AAD before any of the "secure" routes can be accessed.

A new requirement for the application is that only a subset of the users in our AAD tenant are allowed to use the application. Within AccountController.ExternalLoginCallback (from quickstart UI), I am able to make this determination using claims that are being returned from AAD. Once I've determined whether or not it's a valid user, I can't figure out what to do from there to fail the authentication and return a response to my SPA that will allow me to show an "unauthorized" view.

Is this possible? Does my workflow need to change to meet this new requirement, or is there a way to inject this custom logic into Identity Server somewhere?

devbmc

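The check the question describes, as an added example that is not part of the original post or of the IdentityServer4 quickstart as shipped. It assumes IdentityServer4 4.x (for `IIdentityServerInteractionService.DenyAuthorizationAsync`), the quickstart's `AccountController` layout with the external-provider `returnUrl` stored in the temp cookie's properties, and a hypothetical allow-list keyed on the AAD `oid` claim (the placeholder IDs are constructed). A user who is not on the list gets the pending authorize request answered with `error=access_denied`, which the SPA's OIDC client receives on its redirect URI and can map to an "unauthorized" view; no IdentityServer session is created for that user.

```csharp
// Added example (not the question author's or the quickstart's code).
// Assumes IdentityServer4 4.x and the quickstart AccountController conventions.
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;     // AuthorizationError
using IdentityServer4.Services;   // IIdentityServerInteractionService
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;

    // Hypothetical allow-list of AAD object IDs (oid claim). Placeholder values,
    // constructed for this example; a real deployment would load these from config or a store.
    private static readonly string[] AllowedObjectIds =
    {
        "00000000-0000-0000-0000-000000000001",
        "00000000-0000-0000-0000-000000000002",
    };

    public AccountController(IIdentityServerInteractionService interaction)
    {
        _interaction = interaction;
    }

    [HttpGet]
    public async Task<IActionResult> ExternalLoginCallback()
    {
        // Read the temp cookie written by the external (AAD) handler; same call as the quickstart.
        var result = await HttpContext.AuthenticateAsync(
            IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (result?.Succeeded != true)
        {
            throw new Exception("External authentication error");
        }

        var externalUser = result.Principal;
        var returnUrl = result.Properties.Items["returnUrl"] ?? "~/";

        if (!IsAllowed(externalUser))
        {
            // Remove the temp cookie so the denied user never gets an IdentityServer session.
            await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);

            // Answer the pending authorize request with access_denied. IdentityServer then
            // redirects the browser back to the SPA with error=access_denied.
            var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
            if (context != null)
            {
                await _interaction.DenyAuthorizationAsync(
                    context, AuthorizationError.AccessDenied,
                    "This account is not permitted to use the application.");
                return Redirect(returnUrl);
            }

            // No authorize request pending (direct browser hit): fall back to the error view.
            return View("Error");
        }

        // Allowed user: establish the IdentityServer session as the quickstart does,
        // then continue the authorize flow. (User provisioning omitted for brevity.)
        var subject = ObjectId(externalUser);
        var isUser = new IdentityServerUser(subject)
        {
            DisplayName = externalUser.FindFirst("name")?.Value ?? subject,
            IdentityProvider = "aad",
        };
        await HttpContext.SignInAsync(isUser);
        await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        return Redirect(returnUrl);
    }

    // AAD's object identifier claim. The OpenID Connect handler maps "oid" to the long URI
    // form unless inbound claim-type mapping has been cleared, so both are checked.
    private static string ObjectId(ClaimsPrincipal user)
    {
        return user.FindFirst("oid")?.Value
            ?? user.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
    }

    private static bool IsAllowed(ClaimsPrincipal user)
    {
        var oid = ObjectId(user);
        return oid != null && AllowedObjectIds.Contains(oid, StringComparer.OrdinalIgnoreCase);
    }
}
```

Keying the allow-list on `oid` rather than on a display name or e-mail is deliberate: the object ID is immutable for the tenant object, whereas UPNs and mail addresses can be renamed. The denial is made before `SignInAsync`, so the only state the rejected user leaves behind is the authorize-request denial; on the SPA side the OIDC client's error callback (`error=access_denied`) is the place to route to the "unauthorized" view.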