Using an ASP.NET Core 2 application with IdentityServer 4 as an identity provider. Using two ASP.NET MVC 5 applications which use the above mentioned application as the authority for authentication. Using the implicit flow for authentication.

The first application doesn't have any page available to anonymous users, so when unauthenticated users navigate to it, they are redirected to the IdSrv app to log in. Let's call it "Admin portal".

The second application's welcome page is available for anonymous users and unauthenticated users are not automatically redirected to the IdSrv app when visiting it. If they try to visit some page which is not available to anonymous users however, the authentication component does its work and redirects users to IdSrv to authenticate first.
If authenticated users navigate to this welcome page, the application redirects them to some other page automatically (i.e. a dashboard page) which is not available to anonymous users. Let's call this second application "User portal".

Now to the problem.
Consider the scenario where a user logs in to the Admin portal and later goes to the User portal. Even though users had been logged in to the system by using the Admin portal, when they navigate to User portal they might do so via the welcome page which does not detect if users are logged in or not, since the welcome page allows anonymous access.

The desirable behavior would be, for a user who was already authenticated, to automatically be redirected from the welcome page to some dashboard page.

Is it possible for a page which allows anonymous access to somehow ask the IdentityServer whether the current user has been authenticated already? If not authenticated, it would just show the content, and if already authenticated, it would perform a redirect to some other page suitable for the authenticated user.

I had solved this previously (I hadn't been using IdentityServer back then) by having the authentication service know which pages were allowed for anonymous users, and redirecting all unauthenticated users to the login page on each request. Then the authentication service would read the returnUrl value and if it matched one of the allowed pages, users would just be redirected back to the anonymous page, with an added "anonymous=1" query parameter to prevent an infinite loop. Having the "anonymous=1" query parameter would instruct the application not to redirect the unauthenticated users to the authentication service. But this seemed hacky.

Any thoughts?

Dejan Janjušević
    You may be able to use the same approach I used to accomplish persistent login. I answered my own question [here](https://stackoverflow.com/a/48229569/152997). – McGuireV10 Apr 04 '18 at 20:18

1 Answer

As McGuireV10 mentions, you may be able to use the prompt=none approach from the client side here. You issue your authorize endpoint request in a hidden iframe and if the response comes back OK (i.e. not login_required) then you know the user is already authenticated on the IDP. It's a little fiddly to implement but it is an "official" approach and forms part of the session monitoring spec.

mackie
  • Thank you for your answer. The hidden iframe solution wasn't good enough for me, as I wanted to pick up this information before the page is rendered. I used a solution similar to what @McGuireV10 proposed. – Dejan Janjušević Apr 13 '18 at 09:30
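The following is an added example of the prompt=none check the answer describes; it is not code from the question, the answer, or IdentityServer itself. It assumes placeholder values for the IdentityServer authority, the client id and the redirect URI, and it assumes a small same-origin helper page at the redirect URI (here called silent-callback.html) that does nothing but `parent.postMessage(location.hash, location.origin)`. The functions that build the authorize URL and interpret the fragment returned by the IdP are pure, so they can be exercised offline with constructed responses; only checkSessionSilently touches the DOM.

```javascript
// Added example (not from the original post): asking the IdP "is there a session?" from an
// anonymous page by issuing an OIDC authorize request with prompt=none in a hidden iframe.
// authority, clientId and redirectUri are placeholders (assumptions), as is silent-callback.html.
const SILENT_CONFIG = {
  authority: "https://idsrv.example.com",                              // assumption
  clientId: "user-portal",                                             // assumption
  redirectUri: "https://userportal.example.com/silent-callback.html",  // assumption
  scope: "openid",
};

// Build the authorize URL. prompt=none tells the IdP to answer without ever showing a UI:
// it redirects the frame back with either an id_token (session exists) or error=login_required.
function buildSilentAuthorizeUrl(cfg, state, nonce) {
  const params = new URLSearchParams({
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    response_type: "id_token",   // implicit flow; an id_token alone is enough as a session signal
    scope: cfg.scope,
    state,                       // ties the response to this request
    nonce,                       // ties the token to this request
    prompt: "none",
  });
  return `${cfg.authority}/connect/authorize?${params}`;  // IdentityServer 4 authorize endpoint
}

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return atob(b64);
}

// Interpret the fragment the IdP sent to the redirect URI. Returns { authenticated, error }.
function parseSilentCallback(fragment, expectedState, expectedNonce) {
  const p = new URLSearchParams(fragment.replace(/^#/, ""));
  if (p.get("state") !== expectedState) {
    // Not a response to the request we issued (stale frame, replay, injected message): ignore it.
    return { authenticated: false, error: "state_mismatch" };
  }
  const error = p.get("error");
  if (error) {
    // login_required, interaction_required, consent_required: no silent sign-in is possible,
    // so the welcome page should simply render its anonymous content.
    return { authenticated: false, error };
  }
  const idToken = p.get("id_token");
  if (!idToken) return { authenticated: false, error: "no_token" };
  // Bind the token to this request via its nonce claim. The token is used here only as a
  // "session exists" signal; if it were used to sign the user in, its signature would have to
  // be verified against the IdP's published keys as well.
  let claims;
  try {
    claims = JSON.parse(base64UrlDecode(idToken.split(".")[1]));
  } catch {
    return { authenticated: false, error: "malformed_token" };
  }
  if (claims.nonce !== expectedNonce) return { authenticated: false, error: "nonce_mismatch" };
  return { authenticated: true, error: null };
}

function randomHex(bytes) {
  const buf = new Uint8Array(bytes);
  globalThis.crypto.getRandomValues(buf);  // Web Crypto, available in every current browser
  return Array.from(buf, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Browser side: resolve true when the IdP reports an existing session, false otherwise
// (including a timeout, which is treated as "not signed in" rather than as an error).
function checkSessionSilently(cfg, timeoutMs = 5000) {
  return new Promise((resolve) => {
    const state = randomHex(16);
    const nonce = randomHex(16);
    const iframe = document.createElement("iframe");
    iframe.style.display = "none";
    let done = false;
    const finish = (result) => {
      if (done) return;
      done = true;
      window.removeEventListener("message", onMessage);
      iframe.remove();
      resolve(result.authenticated);
    };
    const onMessage = (ev) => {
      // Only accept the fragment from our own helper page, in our own frame.
      if (ev.origin !== window.location.origin || ev.source !== iframe.contentWindow) return;
      finish(parseSilentCallback(String(ev.data), state, nonce));
    };
    window.addEventListener("message", onMessage);
    setTimeout(() => finish({ authenticated: false, error: "timeout" }), timeoutMs);
    iframe.src = buildSilentAuthorizeUrl(cfg, state, nonce);
    document.body.appendChild(iframe);
  });
}

// Constructed sample id_token (not captured from a real IdP) for exercising the parser offline.
function base64UrlEncode(s) {
  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function sampleIdToken(nonce) {
  const header = base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const payload = base64UrlEncode(JSON.stringify({ sub: "1", nonce }));
  return `${header}.${payload}.fakesignature`;  // unsigned on purpose: parsing example only
}
```

On the welcome page this would be used as `checkSessionSilently(SILENT_CONFIG).then(ok => { if (ok) location.replace("/dashboard"); })`. The redirect URI must be registered on the IdentityServer client, and the helper page must be same-origin with the welcome page so the postMessage origin check above holds. Note that, as the comment under the answer points out, this check necessarily runs after the welcome page has started rendering; it cannot make the decision server-side before the first byte is sent.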