
issue - How to avoid showing login page if already logged with asp net core Identityserver4?

How to prevent an authenticated user from being able to open the IdentityServer login page, so that they do not re-enter their credentials since they are already logged in?

I am using two separate applications: Blazor WebAssembly hosted on ASP.NET, and a WebApi that uses IdentityServer for authentication.

The browser opens to the login page, I enter the credentials, and the IdentityServer server application completes the process successfully and redirects me to the home page. Then I press the back button of the browser and the IdentityServer login page opens.

I even tried to activate "remember me" to make Identity remember that the user logged in, but I still get the same result: the login page opens although the user is authenticated.

Code App with IdentityServer4 Startup.cs

    services.AddIdentityServer()
        .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();
        //.AddSigningCredential(;
    services.AddAuthentication()
        .AddIdentityServerJwt();
    services.ConfigureApplicationCookie(options =>
    {
        options.Cookie.HttpOnly = true;
        options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
        /*options.SlidingExpiration = true;*/
    });

Code App with IdentityServer4 Login.cshtml

    public async Task<IActionResult> OnPostAsync(string returnUrl = null)
    {
        returnUrl = returnUrl ?? Url.Content("~/");

        if (ModelState.IsValid)
        {
            // This doesn't count login failures towards account lockout
            // To enable password failures to trigger account lockout, set lockoutOnFailure: true
            var result = await _signInManager.PasswordSignInAsync(Input.Email, Input.Password, Input.RememberMe, lockoutOnFailure: false);
            if (result.Succeeded)
            {
                _logger.LogInformation("User logged in.");
                return LocalRedirect(returnUrl);
            }
            if (result.RequiresTwoFactor)
            {
                return RedirectToPage("./LoginWith2fa", new { ReturnUrl = returnUrl, RememberMe = Input.RememberMe });
            }
            if (result.IsLockedOut)
            {
                _logger.LogWarning("User account locked out.");
                return RedirectToPage("./Lockout");
            }
            else
            {
                ModelState.AddModelError(string.Empty, "Invalid login attempt.");
                return Page();
            }
        }

        // If we got this far, something failed, redisplay form
        return Page();
    }

Any thoughts will be greatly appreciated. Best

To answer your question directly, you could check if an idsrv.session cookie is present:

this.Request.Cookies["idsrv.session"]

As an alternative, you could let your user log in again if they want to. Let's take a look at the IdentityServer4 demo: https://demo.identityserver.io/Account/Login?ReturnUrl=%2Fdiagnostics

Log in using:

User: bob 
Password: bob

Now click back and take a look at the header, you can see that you are indeed logged in.

Now let's enter some new credentials:

User: alice
Password: alice

And now see what happens
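A GET handler for the login page that sends an already signed-in user on instead of rendering the form, as an added example that is not part of the original question or answer. It relies on the principal validated by the cookie middleware rather than on the mere presence of a cookie name in the request, which the client controls. The `ApplicationUser` type and `_signInManager` field are taken from the question; the class layout is an assumption based on the scaffolded Identity login page.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

// ApplicationUser is the project's own user class (assumed to be in scope).
[AllowAnonymous]
// Without no-store, the browser's back button can show a cached copy of the
// form without asking the server, so the check in OnGet would never run.
[ResponseCache(NoStore = true, Location = ResponseCacheLocation.None)]
public class LoginModel : PageModel
{
    private readonly SignInManager<ApplicationUser> _signInManager;

    public LoginModel(SignInManager<ApplicationUser> signInManager)
    {
        _signInManager = signInManager;
    }

    public string ReturnUrl { get; set; }

    public IActionResult OnGet(string returnUrl = null)
    {
        returnUrl ??= Url.Content("~/");

        // IsSignedIn is true only when the request carried an application
        // cookie that the authentication middleware decrypted and validated.
        if (_signInManager.IsSignedIn(User))
        {
            // returnUrl arrives in the query string, so treat it as untrusted:
            // follow it only when it is local, otherwise fall back to the home
            // page. LocalRedirect would throw on a non-local URL.
            return Url.IsLocalUrl(returnUrl)
                ? LocalRedirect(returnUrl)
                : LocalRedirect("~/");
        }

        // Not signed in: show the form and keep returnUrl for the POST handler.
        ReturnUrl = returnUrl;
        return Page();
    }
}
```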
