Early Preview

This is currently very much a preview. Please feel free to try things out, but don't be upset if anything is not yet working. Feedback is welcome over on our GitHub Discussions page.

interface Duende.IdentityServer.Services.IIdentityServerInteractionService

Assembly: Duende.IdentityServer

Provides services used by the user interface to communicate with IdentityServer, mainly pertaining to user interaction such as login, consent, logout, and error handling. This service is available from the dependency injection system and is typically injected as a constructor parameter into MVC controllers that implement the IdentityServer UI.

Methods

GetAuthenticationContextAsync(string returnUrl, System.Threading.CancellationToken ct)
Gets the protocol-agnostic authentication context for the current request. Returns an AuthorizationRequest for OIDC flows or a SAML authentication request for SAML flows, both behind the common IAuthenticationContext interface. Use pattern matching to access protocol-specific details.
Returns: The protocol-agnostic authentication context for the request identified by returnUrl, or null if the URL does not correspond to a valid pending authorization request.
returnUrl: The return URL passed to the login or consent page.
ct: The cancellation token.
GetAuthorizationContextAsync(string returnUrl, System.Threading.CancellationToken ct)
Returns the AuthorizationRequest based on the returnUrl passed to the login or consent pages. Use this to obtain details about the client, requested scopes, and other OIDC parameters so the UI can tailor the login or consent experience.
Returns: The AuthorizationRequest describing the pending OIDC authorization request, or null if the URL does not correspond to a valid pending request.
returnUrl: The return URL passed to the login or consent page.
ct: The cancellation token.
bool IsValidReturnUrl(string returnUrl)
Indicates whether the returnUrl is a valid URL for redirect after login or consent. Use this to guard against open-redirect attacks before trusting a return URL.
Returns: true if the URL is a recognized and safe IdentityServer return URL; otherwise false.
returnUrl: The return URL to validate.
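
Added example (not part of the Duende documentation or code base): one way a login page can pick its post-login redirect with IsValidReturnUrl so that an attacker-supplied returnUrl is never followed off-site. The base class, the RedirectAfterLoginAsync helper and the "~/" fallback are assumptions; the ct argument follows the preview signatures on this page.

```csharp
using System.Threading;
using System.Threading.Tasks;
using Duende.IdentityServer.Services;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

// Hypothetical base class for the login/consent controllers of an IdentityServer UI.
public abstract class InteractionControllerBase : Controller
{
    private readonly IIdentityServerInteractionService _interaction;
    private readonly ILogger _logger;

    protected InteractionControllerBase(
        IIdentityServerInteractionService interaction, ILogger logger)
    {
        _interaction = interaction;
        _logger = logger;
    }

    // Call after the user has been signed in. returnUrl is untrusted input:
    // it arrives in the query string or in a hidden form field.
    protected async Task<IActionResult> RedirectAfterLoginAsync(
        string returnUrl, CancellationToken ct)
    {
        if (string.IsNullOrEmpty(returnUrl))
            return Redirect("~/");

        // Recognized IdentityServer return URL: resume the protocol flow.
        if (_interaction.IsValidReturnUrl(returnUrl))
        {
            var request = await _interaction.GetAuthorizationContextAsync(returnUrl, ct);
            _logger.LogInformation("Resuming authorization for client {ClientId}",
                request?.Client.ClientId);
            return Redirect(returnUrl);
        }

        // Login was started from one of our own pages, not from a protocol request.
        if (Url.IsLocalUrl(returnUrl))
            return LocalRedirect(returnUrl);

        // Anything else is treated as an open-redirect attempt and never followed.
        // Only the length is logged so the untrusted value does not reach the log.
        _logger.LogWarning("Rejected return URL of length {Length}", returnUrl.Length);
        return Redirect("~/");
    }
}
```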
GetErrorContextAsync(string errorId, System.Threading.CancellationToken ct)
Returns the ErrorMessage based on the errorId passed to the error page. Use this to retrieve the error details so the UI can display a meaningful error to the user.
Returns: The ErrorMessage containing the error code, description, and request context, or null if no error matching errorId is found.
errorId: The error identifier passed as a query parameter to the error page.
ct: The cancellation token.
GetLogoutContextAsync(string logoutId, System.Threading.CancellationToken ct)
Returns the LogoutRequest based on the logoutId passed to the logout page. Use this to retrieve the logout context so the UI can render the sign-out prompt and the post-logout redirect URI.
Returns: The LogoutRequest describing the pending logout, including the initiating client, post-logout redirect URI, session ID, and sign-out iframe URL.
logoutId: The logout identifier passed as a query parameter to the logout page.
ct: The cancellation token.
CreateLogoutContextAsync(System.Threading.CancellationToken ct)
Creates a logoutId if there is not one presently. This creates a cookie capturing all the current state needed for sign-out, and the returned logoutId identifies that cookie. This is typically used when there is no current logoutId and the logout page must capture the current user's state prior to redirecting to an external identity provider for sign-out. The newly created logoutId should be round-tripped to the external provider and then used on the sign-out callback page.
Returns: A logoutId string that can be passed to GetLogoutContextAsync to retrieve the captured sign-out state, or null if there is no authenticated user session to capture.
ct: The cancellation token.
GrantConsentAsync(Models.AuthorizationRequest request, Models.ConsentResponse consent, System.Threading.CancellationToken ct, string subject = null)
Informs IdentityServer of the user's consent decision for a particular authorization request. Call this after the user has reviewed and accepted (or partially accepted) the requested scopes on the consent page.
request: The authorization request for which consent is being granted.
consent: The consent response containing the scopes the user agreed to and whether to remember the decision.
ct: The cancellation token.
subject: The subject identifier of the user granting consent. When null, the currently authenticated user's subject is used.
DenyAuthorizationAsync(Models.AuthorizationRequest request, Models.InteractionError error, System.Threading.CancellationToken ct, string errorDescription = null)
Sends an error back to the client for the given authorization request. This is a simpler helper on top of GrantConsentAsync for the case where the UI needs to return an OAuth/OIDC error (e.g. access_denied) to the client without going through the full consent flow.
request: The authorization request that is being denied.
error: The OAuth/OIDC error code to return to the client.
ct: The cancellation token.
errorDescription: An optional human-readable description of the error to include in the response.
DenyAuthenticationAsync(Models.IAuthenticationContext context, Models.InteractionError error, System.Threading.CancellationToken ct, string errorDescription = null)
Signals that the user has denied or cancelled the authentication request. This is protocol-agnostic: it works for both OIDC and SAML flows. For OIDC, it writes a denial to the consent store (equivalent to DenyAuthorizationAsync). For SAML, it writes a denial to the SAML signin state store, causing the callback endpoint to generate an error response back to the service provider.
context: The authentication context obtained from GetAuthenticationContextAsync.
error: The interaction error to signal.
ct: The cancellation token.
errorDescription: An optional human-readable description of the error.
GetAllUserGrantsAsync(System.Threading.CancellationToken ct)
Returns a collection representing all of the current user's consents and grants. Each Grant represents either a user's consent or a client's access to a user's resource. Use this to build a grants management page where users can review their authorized applications.
Returns: A read-only collection of Grant objects for the current user, including the client, scopes, creation time, and expiration for each grant.
ct: The cancellation token.
RevokeUserConsentAsync(string clientId, System.Threading.CancellationToken ct)
Revokes all of the current user's consents and grants for the specified client, or for all clients if clientId is null.
clientId: The identifier of the client whose grants should be revoked, or null to revoke grants for all clients.
ct: The cancellation token.
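
Added example (not part of the Duende documentation or code base): a grants management page built on GetAllUserGrantsAsync and RevokeUserConsentAsync, written so that a missing or empty clientId form field cannot fall through to the "null revokes all clients" behaviour described above. GrantsController, GrantRow and the view are assumptions; the Grant property names are those of the released Duende.IdentityServer model and are assumed unchanged in this preview.

```csharp
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Duende.IdentityServer.Services;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical view model for one row of the grants page.
public record GrantRow(string ClientId, string[] Scopes, DateTime Created, DateTime? Expires);

[Authorize]
public class GrantsController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;

    public GrantsController(IIdentityServerInteractionService interaction)
        => _interaction = interaction;

    [HttpGet]
    public async Task<IActionResult> Index(CancellationToken ct)
    {
        var grants = await _interaction.GetAllUserGrantsAsync(ct);
        var rows = grants
            .Select(g => new GrantRow(g.ClientId, g.Scopes.ToArray(), g.CreationTime, g.Expiration))
            .ToList();
        return View(rows);
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // revocation changes state, so require the anti-forgery token
    public async Task<IActionResult> Revoke(string clientId, CancellationToken ct)
    {
        // MVC binds a missing or empty field to null, and null means "all clients"
        // to RevokeUserConsentAsync. Reject it instead of passing it through.
        if (string.IsNullOrWhiteSpace(clientId))
            return BadRequest();

        // Only act on a client the current user actually holds a grant for.
        var grants = await _interaction.GetAllUserGrantsAsync(ct);
        if (!grants.Any(g => g.ClientId == clientId))
            return NotFound();

        await _interaction.RevokeUserConsentAsync(clientId, ct);
        return RedirectToAction(nameof(Index));
    }
}
```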
RevokeTokensForCurrentSessionAsync(System.Threading.CancellationToken ct)
Revokes all of the current user's consents and grants for every client the user has signed into during their current session.
ct: The cancellation token.