This is similar to IdentityServer4 Force User to re-enter credentials, but the solution there says to use prompt=login query string in the /authorize U
An option could be to stick to prompt=login for all requests or based on some client setting, or a http header.
It is easy to look into the default request validator and implement your customization like the following:
using System.Threading.Tasks;
using IdentityModel;                 // OidcConstants
using IdentityServer4.Extensions;    // IsAuthenticated() extension method
using IdentityServer4.Validation;

public class YourCustomAuthorizeRequestValidator : ICustomAuthorizeRequestValidator
{
    public Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
    {
        var request = context.Result.ValidatedRequest;

        // First pass through /authorize: mark the request and force the login prompt.
        // Raw is carried into the login returnUrl, so the marker survives the redirect.
        if (string.IsNullOrWhiteSpace(request.Raw["prompted"]))
        {
            request.Raw.Add("prompted", "true");
            request.PromptMode = OidcConstants.PromptModes.Login;
        }
        // Second pass (back from the login page): the user is now authenticated,
        // so do not prompt again.
        else if (request.Subject.IsAuthenticated())
        {
            request.PromptMode = OidcConstants.PromptModes.None;
        }

        return Task.CompletedTask;
    }
}
and then in your Identityserver startup:
services.AddIdentityServer()
    .AddCustomAuthorizeRequestValidator<YourCustomAuthorizeRequestValidator>();
You should be able to achieve desired behaviour by overriding the default cookie scheme that AddIdentityServer() registers internally:
services.AddIdentityServer()...

services.AddAuthentication("CustomScheme")
    .AddCookie("CustomScheme", options =>
    {
        options.ExpireTimeSpan = ...;
    });
Make sure you add the override scheme after AddIdentityServer(); the sequence here is important due to the way ASP.NET Core DI works.
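A complete ConfigureServices fragment wiring the cookie override described above, as an added example (not from the answer or from IdentityServer4). The 15-minute lifetime is an assumed value; the point is that SlidingExpiration is switched off so the timeout is absolute and activity does not keep the IdentityServer session alive, and that the AddAuthentication call comes after AddIdentityServer() so its default scheme wins.

```csharp
using System;
using Microsoft.Extensions.DependencyInjection;

public static class IdentityServerSessionSetup
{
    // Scheme name used by the answer above.
    private const string CookieScheme = "CustomScheme";

    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer(options =>
            {
                // Remaining IdentityServer options (clients, resources, signing
                // credential) are configured here as usual.
            })
            .AddCustomAuthorizeRequestValidator<YourCustomAuthorizeRequestValidator>();

        // Must come AFTER AddIdentityServer(): each AddAuthentication(scheme) call
        // sets AuthenticationOptions.DefaultScheme, and the last registration
        // wins, so this cookie replaces the one IdentityServer registered for its
        // own user sessions.
        services.AddAuthentication(CookieScheme)
            .AddCookie(CookieScheme, options =>
            {
                options.ExpireTimeSpan = TimeSpan.FromMinutes(15); // assumed value
                options.SlidingExpiration = false;                 // absolute, not renewed on activity
                options.Cookie.HttpOnly = true;
                options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
            });
    }
}
```

With SlidingExpiration left at its default of true, every request inside the window re-issues the cookie and the user is never forced back to the login page; setting it to false is what makes ExpireTimeSpan behave as a hard re-authentication interval.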