Authentication Type Change

[Alik2015]

What is the suggest way (maybe changing template?) to change the default auth type so that I can have Email/Password and then ask the 2FA if enabled like verification code and also have a Forgot Password link?

I am guessing miight be a custom implementation of the template but was wondering if it is configurable from the UI.

Also is Forgot Password implemented as a method so that I can use it on the login page?

[simpleidserver]

The default authentication method is defined by the DefaultAcrValue property of the IdServerHostOptions.
Open the Program.cs file and edit the file as follows:

services.AddSIDIdentityServer(callback: cb =>
{
    cb.DefaultAcrValue = "pwd-email";
    if (!string.IsNullOrWhiteSpace(identityServerConfiguration.SessionCookieNamePrefix)) 
        cb.SessionCookieName = identityServerConfiguration.SessionCookieNamePrefix;
    cb.Authority = identityServerConfiguration.Authority;
}, cookie: c =>
{
    if(!string.IsNullOrWhiteSpace(identityServerConfiguration.AuthCookieNamePrefix)) 
        c.Cookie.Name = identityServerConfiguration.AuthCookieNamePrefix;
}, dataProtectionBuilderCallback: ConfigureDataProtection)

Currently, it is not possible to add a "retrieve password" link to the UI.
I have created a ticket #645 to support this functionality.

In the meantime, you can update the UI and add the link into the view Areas\email\Views\Authenticate.cshtml.

[Alik2015]

@simpleidserver Thanks for that. I was looking at the code in more detail and it does seem like I can have a custom flow. What I was trying to achieve is Email+Pwd+Code but it seems that this might need to be custom logic. Is there options that can be set to achieve this or is it a case of creating new Controllers/Views and a custom ACRS endpoint? You already have Email/Login+Password/Email+Code but nothing that combines all 3 Email+Pwd+Code.

[simpleidserver]

@Alik2015: Why do you need a new authentication method when you are already using the email or sms authentication method? A One-Time Password/Verification Code is sent via SMS or email.

Can you please provide more details about the authentication method you want to implement?

For each authentication method, there is a separate NuGet Package. If you want to implement a custom one, you can refer to their implementation. For example: https://github.com/simpleidserver/SimpleIdServer/tree/master/src/IdServer/SimpleIdServer.IdServer.Sms

[Alik2015]

@simpleidserver I might have not been clear. The point was that at present the login details are required are either login, or email and then you will receive auth code to authenticate. I was thinking more along the lines of other sites like Google,Microsoft etc where the layer requires all 3 parts. Example, Login+password and once these are confirmed ask for the auth code. My though is that this method might be a bit more secure because someone would need all 3. Would you not suggest this method of having all 3 details rather than 2?

[simpleidserver]

The workflow used by Google or Microsoft is similar to the authentication workflows pwd+email or pwd+sms.
Both workflows consist of the following steps:

1. On the first screen, the user must submit their credentials (login and password).
2. On the second screen, the user enters their mobile phone number or email and clicks on the Send confirmation code button.
3. A TOTP (Time-Based One-Time Password) code is sent to the phone or email.
4. The user enters this code to complete the authentication.

A TOTP code can also be generated by a mobile application, such as Microsoft Authenticator. When the user is authenticated to the IdServer, they can scan the QR Code.

Additionally, we can implement another authentication method, named code, where the user can enter the TOTP code generated by the mobile application.

[Alik2015]

For some reason in pwd email I don't see password only email and code fields. On 6 Dec 2023 15:01, SimpleIdServer ***@***.***> wrote: The workflow used by Google or Microsoft is similar to the authentication workflows pwd+email or pwd+sms. Both workflows consist of the following steps: On the first screen, the user must submit their credentials (login and password).On the second screen, the user enters their mobile phone number or email and clicks on the Send confirmation code button.A TOTP (Time-Based One-Time Password) code is sent to the phone or email.The user enters this code to complete the authentication. A TOTP code can also be generated by a mobile application, such as Microsoft Authenticator. When the user is authenticated to the IdServer, they can scan the QR Code. image.png (view on web) Additionally, we can implement another authentication method, named code, where the user can enter the TOTP code generated by the mobile application. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>

[simpleidserver]

In the administration website, open the 'Authentication Context' window and check if the 'pwd-email' ACR is present.
You can click on the 'pwd-email' link to simulate the authentication flow.

1. The first window contains login and password authentication.

2. The second window contains email and verification code.

If you have a website and want to trigger the 'pwd-email' workflow, the 'acr_values' parameter passed in the OPENID authorization request (https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues) must be equal to 'pwd-email'.

[Alik2015]

Yes pwd+email shows the screen asking the user for Login/pwd and next screen asking for code as you suggested. All I wish to do is change the code so that it uses Email instead of Username to login.

Current

Desired

[simpleidserver]

In the Program.cs file of the IdServer, set the property IsEmailUsedDuringAuthentication to true :)

    var idServerBuilder = services.AddSIDIdentityServer(callback: cb =>
        {
            if (!string.IsNullOrWhiteSpace(identityServerConfiguration.SessionCookieNamePrefix)) 
                cb.SessionCookieName = identityServerConfiguration.SessionCookieNamePrefix;
            cb.Authority = identityServerConfiguration.Authority;
            cb.IsEmailUsedDuringAuthentication = true;
        }, cookie: c =>
        {
            if(!string.IsNullOrWhiteSpace(identityServerConfiguration.AuthCookieNamePrefix)) 
                c.Cookie.Name = identityServerConfiguration.AuthCookieNamePrefix;
        }, dataProtectionBuilderCallback: ConfigureDataProtection)

[simpleidserver]

Hi @Alik2015, The development of the ticket #645 is complete. It is now possible to reset the user's password.

The workflow consists of the following steps, similar to workflows implemented by other Identity Providers.

1. In the password authentication window, users can reset their password by clicking on the Forget my password link.
2. The user must enter their login and email or phone number, and click on the Send button. A reset link with a verification code will be sent to the user.
3. WWhen the user clicks on the link, they will be redirected to a new UI where they can reset their password.

All the options of this module can be updated on the administration website. Navigate to the Authentications window and click on Password.

You can edit the following properties :

Property	Description
Notification mode	Select how to send the reset link
Title	Title of your message
Message	Content of the message
Expiration time	Expiration time of the reset link
Can reset the password	Display or hide the link in the authentication window