Basic sign-in flow with the password factor

Identity Engine

Enable a password-only sign-in flow in your web app using the embedded SDK.

Note: Passwords are a security vulnerability because they can be easily stolen and are prone to phishing attacks. Give your users the ability to use other authenticators by replacing password-only sign-in experiences with either a password-optional or a multifactor experience.

To learn about a sign-in use case where the password is optional, see Sign in with email only.

---

Learning outcomes

Add a password-only sign-in flow to a server-side web app.

What you need

• An app that uses the embedded Okta .NET Identity Engine SDK (opens new window)
• Identity Engine SDK set up for your own app

Sample code

ASP.NET MVC 4.x Sample Applications for Okta (opens new window)

---

Configuration updates

To configure your app so that it requires only a password, see

Set up your Okta org for a password factor-only use case

.

Summary of steps

The following diagram summarizes the steps involved in a sign-in flow using only a password:

Integration steps

Your app displays the sign-in page

Build a sign-in page that captures both the user's name and their password.

The user submits their username and password

When the user submits their username and password, create an AuthenticationOptions object and assign its Username and Password properties to the values entered by the user. Pass this object as a parameter to IdxClient.AuthenticateAsync().

var idxAuthClient = new IdxClient();
var authnOptions = new AuthenticationOptions()
   {
      Username = model.UserName,
      Password = model.Password,
   };

var authnResponse = await idxAuthClient
   .AuthenticateAsync(authnOptions).ConfigureAwait(false);

Your app handles an authentication success response

When the user correctly supplies their password, AuthenticateAsync() returns an AuthenticationResponse with an AuthenticationStatus of Success. Call AuthenticationHelper.GetIdentityFromTokenResponseAsync() to retrieve the user's OIDC claims information as ID tokens and pass it into your app. The user has now signed in.

switch (authnResponse.AuthenticationStatus)
{
   case AuthenticationStatus.Success:
      ClaimsIdentity identity = await AuthenticationHelper
         .GetIdentityFromTokenResponseAsync(
            _idxClient.Configuration, authnResponse.TokenInfo);
      _authenticationManager.SignIn(
         new AuthenticationProperties { IsPersistent = model.RememberMe },
         identity);
      return RedirectToAction("Index", "Home");

   case AuthenticationStatus.PasswordExpired:
      // User has to change their password

   case AuthenticationStatus.AwaitingChallengeAuthenticatorSelection:
      // User has to verify their identity with another authentication factor

   default:
      return View("Login", model);
}

return View(view, model);

Store these tokens for future requests and redirect the user to the default page after a successful sign-in attempt.

Get the user profile information

After the user signs in successfully, request basic user information from the authorization server using the tokens that were returned in the previous step.

public static async Task<IEnumerable<Claim>> GetClaimsFromUserInfoAsync(
   IdxConfiguration configuration, string accessToken)
{
   Uri userInfoUri = new Uri(
      IdxUrlHelper.GetNormalizedUriString(configuration.Issuer, "v1/userinfo")
   );
   HttpClient httpClient = new HttpClient();

   var userInfoResponse = await httpClient.GetUserInfoAsync(
      new UserInfoRequest { 
         Address = userInfoUri.ToString(), Token = accessToken,
      }
   ).ConfigureAwait(false);

   var nameClaim = new Claim(
      ClaimTypes.Name,
      userInfoResponse.Claims.FirstOrDefault(x => x.Type == "name")?.Value
   );
   return userInfoResponse.Claims.Append(nameClaim);
}