I believe that if I can either redirect to a different action or pass additional parameters to the Account Controller's Login Action then I can build out the remainder of what is needed to implement a reset password / confirm registration feature based on an emailed link with a unique token.
The difficulty is I do not know how to cut into the authorization workflow to do this.
What I have tried:
I have also posted the question on IdentityServer's question board, but so far no inputs from them.
My Google-based research suggests that this is not easily achievable with IdentityServer, but I believe if I can break into the workflow as described above, then it should be possible.
This article is promising. Namely if I verify the token on the set password then use machine-to-machine communication with a shared secret to authorize the session.
Here is some code listed from the "Client" project in the published "Combined" example - a simple console app that is authorized via a shared secret that I am going to try after I validate the link:
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;

class Program
{
    static async Task Main()
    {
        var client = new HttpClient();

        // Fetch the discovery document so we do not hard-code the token endpoint
        var disco = await client.GetDiscoveryDocumentAsync("http://localhost:5500");
        if (disco.IsError)
        {
            Console.WriteLine(disco.Error);
            return;
        }

        // Client credentials grant: the app authenticates itself with its shared secret
        var tokenResponse = await client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = "MVCClient",
            ClientSecret = "secret",
            Scope = "api1"
        });
        if (tokenResponse.IsError)
        {
            // The snippet called an undefined Log() helper here; write to the console instead
            Console.WriteLine(tokenResponse.Error);
            return;
        }
    }
}
If I can succeed with this then I am done. Good idea or off in the wrong direction?
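The following is an added example, not code from the question or from the IdentityServer samples it quotes. It runs the same client credentials flow against the IdentityServer instance, client id, secret and scope named in the question, then reads the claims in the returned access token and calls an API with it. The API address (`http://localhost:5001/identity`) and the `MVCCLIENT_SECRET` environment variable are assumptions for illustration; the code relies on the `IdentityModel` and `System.IdentityModel.Tokens.Jwt` NuGet packages. The claim check is the part worth seeing before building a password-reset flow on this grant: a client credentials token identifies the calling application (`client_id`), not an end user, so it carries no `sub` claim.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;

class ClientCredentialsDemo
{
    // From the question: IdentityServer on localhost:5500, client "MVCClient", scope "api1".
    const string Authority = "http://localhost:5500";
    // Assumption (placeholder): the API that requires scope "api1".
    const string ApiUrl = "http://localhost:5001/identity";

    static async Task Main()
    {
        var client = new HttpClient();

        // Discovery: resolve the token endpoint from the authority instead of hard-coding it.
        var disco = await client.GetDiscoveryDocumentAsync(Authority);
        if (disco.IsError)
        {
            Console.WriteLine($"discovery failed: {disco.Error}");
            return;
        }

        // Client credentials grant. The secret is "secret" in the question; reading it from
        // an environment variable (assumed name) keeps it out of source control.
        var tokenResponse = await client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = "MVCClient",
            ClientSecret = Environment.GetEnvironmentVariable("MVCCLIENT_SECRET") ?? "secret",
            Scope = "api1"
        });
        if (tokenResponse.IsError)
        {
            Console.WriteLine($"token request failed: {tokenResponse.Error}");
            return;
        }

        // Inspect (not validate) the token to see what identity it carries. Signature,
        // issuer, audience and lifetime are still validated by the API that receives it.
        var handler = new JwtSecurityTokenHandler();
        if (handler.CanReadToken(tokenResponse.AccessToken))
        {
            var jwt = handler.ReadJwtToken(tokenResponse.AccessToken);
            foreach (var claim in jwt.Claims)
                Console.WriteLine($"{claim.Type}: {claim.Value}");

            // A client credentials token has no "sub": it represents the application,
            // not the person who clicked an emailed reset link.
            bool hasSubject = jwt.Claims.Any(c => c.Type == "sub");
            Console.WriteLine(hasSubject
                ? "token carries a user subject"
                : "token carries no user subject (machine identity only)");
        }
        else
        {
            // IdentityServer can be configured to issue opaque reference tokens instead of JWTs.
            Console.WriteLine("access token is not a JWT (reference token); use introspection to inspect it");
        }

        // Call the protected API with the bearer token.
        var api = new HttpClient();
        api.SetBearerToken(tokenResponse.AccessToken);
        var response = await api.GetAsync(ApiUrl);
        Console.WriteLine($"{(int)response.StatusCode} {response.ReasonPhrase}");
    }
}
```

Run it with IdentityServer listening on the authority above and the `MVCClient` client registered with the client credentials grant and the `api1` scope; the claim listing shows that the token authorizes the console app itself, which is why a separate, user-bound step (the emailed token tied to the account) is still needed to establish which user is resetting a password.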