
I am trying to understand this condition in IdentityServer4 quickstart:

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginInputModel model, string button)
    {
        if (button != "login")
        {
            var context = await _interaction.GetAuthorizationContextAsync(model.ReturnUrl);
            if (context != null)
            {
                await _interaction.GrantConsentAsync(context, ConsentResponse.Denied);
                return Redirect(model.ReturnUrl);
            }
            else
            {
                return Redirect("~/");
            }
        }

        // ... the rest of the quickstart's Login action (the "login" branch) is not shown here
    }

As far as I understand, if the login form is not submitted by pressing the login button (`<button type=submit value=login>`) but by another POST request (?), what exactly is going to happen?

What is GetAuthorizationContextAsync doing? I think it may extract some authorization code from the query string and authorize. Correct?

Thanks!

Luke1988

2 Answers


The QuickStart example also contains comments in the code that explain what the method is doing:

    if (button != "login")
    {
        // the user clicked the "cancel" button
        var context = await _interaction.GetAuthorizationContextAsync(model.ReturnUrl);
        if (context != null)
        {
            // if the user cancels, send a result back into IdentityServer as if they
            // denied the consent (even if this client does not require consent).
            // this will send back an access denied OIDC error response to the client.
            await _interaction.GrantConsentAsync(context, ConsentResponse.Denied);

            // we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null
            return Redirect(model.ReturnUrl);
        }
        else
        {
            // since we don't have a valid context, then we just go back to the home page
            return Redirect("~/");
        }
    }

The authorization context is described in the documentation:

IdentityServer will pass a returnUrl parameter (configurable on the user interaction options) to the consent page which contains the parameters of the authorization request. These parameters provide the context for the consent page, and can be read with help from the interaction service. The GetAuthorizationContextAsync API will return an instance of AuthorizationRequest.

Martin Staufcik

This trick with the named button value is a commonly used trick to have multiple buttons submit the same form. Clicking either the cancel or the login button will trigger submission of the login form, but the submission will be handled differently.

For your second question: this is related to the configured clients within the IdentityServer configuration. Based on the return URL, the correct client is retrieved from the IdentityServer configuration. While getting this context, validation is also triggered to see if the return URL is a known configured return URL.

This is later used to determine the correct ClientId, and whether PKCE validation is required or not for the configured client, to properly handle the login request (either cancelled or not).

Thomas Luijken
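To see how the button value and the validated return URL drive both branches, here is an added example (written for this answer, not the quickstart's own code) of a controller handling the same two-button form; it assumes the quickstart's `TestUserStore` and `LoginInputModel` and the IdentityServer4 v3+ `HttpContext.SignInAsync(IdentityServerUser)` extension.

```csharp
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Services;
using IdentityServer4.Test;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// The login view posts two submit buttons that share one name:
//   <button name="button" value="login">Login</button>
//   <button name="button" value="cancel">Cancel</button>
// Model binding copies the clicked button's value into the `button` parameter.
// A POST without a "button" field binds null, which is != "login": cancel path.
public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;
    private readonly TestUserStore _users; // quickstart in-memory user store (assumed)

    public AccountController(IIdentityServerInteractionService interaction, TestUserStore users)
    {
        _interaction = interaction;
        _users = users;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginInputModel model, string button)
    {
        // Parses the authorize-request parameters embedded in model.ReturnUrl and checks
        // them against the configured clients; null means it is not a valid authorize request.
        var context = await _interaction.GetAuthorizationContextAsync(model.ReturnUrl);

        if (button != "login")
        {
            if (context != null)
            {
                // Tell the client that started the flow that access was denied.
                await _interaction.GrantConsentAsync(context, ConsentResponse.Denied);
                return Redirect(model.ReturnUrl); // validated above, safe to follow
            }
            return Redirect("~/"); // unvalidated URL: never redirect to it
        }

        if (!_users.ValidateCredentials(model.Username, model.Password))
        {
            ModelState.AddModelError(string.Empty, "Invalid username or password");
            return View(model);
        }
        var user = _users.FindByUsername(model.Username);
        await HttpContext.SignInAsync(new IdentityServerUser(user.SubjectId)); // v3+ extension (assumed)

        // After login, only a validated authorize request or a local URL is followed.
        if (context != null || Url.IsLocalUrl(model.ReturnUrl))
            return Redirect(model.ReturnUrl);
        return Redirect("~/");
    }
}
```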