- Use IdSrv3 as an OAuth 2.0 Authorization Server only.
- Use legacy authentication pages and session management mechanism.
- No Federation Gateway functionality is required.
- The IdSrv3 built in page should never be rendered to the user.
- Create a
IUserServiceimplementation with the following behavior on thePreAuthenticateAsyncmethod.- If the user is already authenticated using the legacy mechanism, assign the
PreAuthenticationContextwith anAuthenticationResultcontaining aClaimsPrincipalbuilt from that legacy authentication (non partial sign-in). As a consequence, IdSrv3 will establish its own session and redirect back to the Authorization Endpoint to complete the authorization request. - If there isn't any authenticated user, assign the
PreAuthenticationContextwith a partial login pointing to a new page that will act as a bridge between IdSrv3 and the system's legacy login page. As a consequence, IdSrv3 will redirect to this bridge page.- The bridge page should redirect to the legacy login page (the return URL will be the bridge page).
- On return (after the user is authenticated on the existent page), the bridge page should use IdSrv3 extensions methods to resume the authorization request flow.
- If the user is already authenticated using the legacy mechanism, assign the
- Make sure that any changes to the legacy session (e.g. legacy logout) invalidate the IdSrv3 session. This may require changes to the legacy logout page.
- Is any better way to do this, perhaps with some PostXxxx hook?
Why not include the legacy page into the same pipeline as IdSvr? That way you don't need to then redirect again to the external legacy login page and then have that communicate back to IdSvr somehow.