asp.net core - IdentityServer login without web interaction

Question

I'm currently writing a Xamarin application and I wish to login to my app, this one use IdentityServer 4 for auth.

I wish to avoid any "web" interface for the email/password login, but I'm not sure how to do this (If possible).

So, for now I have a controller with a method like this:

public void LoginAsync(string cliendId, string clientSecret, string email, string password)
{
    // Check the clientId & secrets match
    ....

    // Sign in the user
    var result = await SignInManager.PasswordSignInAsync(email, password, false, true);

    // How to return a token to the Xamarin client here?
}

So, I have 2 questions please:

• first I directly check the clientId & secret, is it the way to go? Or should I get a token, then protect this API, and then access it with the token.
• how can I generate a new token for the Xamarin client to access the other APIs?

Thanks

Answer 1

Using OpenID Connect you are supposed to open a new web interface and let the user login through that page. Creating your own login/password form is a bad for many reasons. One is that the user does not now where his credentials will end up. Your application should never touch or see the users username/password.

If there is no user involved, then you can look at using the client credentials flow that is supported by IdentityServer.