Instructions for

Basic sign in with the password factor

Enable a password-only authentication flow in your web app using the embedded SDK.

Note: Passwords are vulnerable to theft and phishing. Allow users to choose other authenticators by replacing password-only experiences with either a password-optional or a multifactor experience.

To learn about a sign-in use case where the password is optional, see Sign in with email only.

Learning outcomes

Add a password-only authentication flow to a server-side web app.

What you need

Sample code

Configuration updates

To configure your app so that it requires only a password, see

Summary of steps

Integration steps

Build a sign-in page that captures both the user's name and their password.

A sign-in form with fields for username and password and a next button

The user submits their username and password

When the user submits their username and password, create an AuthenticationOptions object and assign its Username and Password properties to the values entered by the user. Pass this object as a parameter to IdxClient.AuthenticateAsync().

var idxAuthClient = new IdxClient();
var authnOptions = new AuthenticationOptions()
   {
      Username = model.UserName,
      Password = model.Password,
   };

var authnResponse = await idxAuthClient
   .AuthenticateAsync(authnOptions).ConfigureAwait(false);

Your app handles an authentication success response

When the user correctly supplies their password, AuthenticateAsync() returns an AuthenticationResponse with an AuthenticationStatus of Success. Call AuthenticationHelper.GetIdentityFromTokenResponseAsync() to retrieve the user's OIDC claims information as ID tokens and pass it into your app. The user has now signed in.

switch (authnResponse.AuthenticationStatus)
{
   case AuthenticationStatus.Success:
      ClaimsIdentity identity = await AuthenticationHelper
         .GetIdentityFromTokenResponseAsync(
            _idxClient.Configuration, authnResponse.TokenInfo);
      _authenticationManager.SignIn(
         new AuthenticationProperties { IsPersistent = model.RememberMe },
         identity);
      return RedirectToAction("Index", "Home");

   case AuthenticationStatus.PasswordExpired:
      // User has to change their password

   case AuthenticationStatus.AwaitingChallengeAuthenticatorSelection:
      // User has to verify their identity with another authentication factor

   default:
      return View("Login", model);
}

return View(view, model);

Store these tokens for future requests and redirect the user to the default page after a successful sign-in attempt.

Get the user profile information

After the user signs in successfully, request basic user information from the authorization server using the tokens that were returned in the previous step.

public static async Task<IEnumerable<Claim>> GetClaimsFromUserInfoAsync(
   IdxConfiguration configuration, string accessToken)
{
   Uri userInfoUri = new Uri(
      IdxUrlHelper.GetNormalizedUriString(configuration.Issuer, "v1/userinfo")
   );
   HttpClient httpClient = new HttpClient();

   var userInfoResponse = await httpClient.GetUserInfoAsync(
      new UserInfoRequest { 
         Address = userInfoUri.ToString(), Token = accessToken,
      }
   ).ConfigureAwait(false);

   var nameClaim = new Claim(
      ClaimTypes.Name,
      userInfoResponse.Claims.FirstOrDefault(x => x.Type == "name")?.Value
   );
   return userInfoResponse.Claims.Append(nameClaim);
}

Edit This Page On GitHub