Implementing Second Factor Authentication in ASP.NET Core Identity with Identity Server


I am currently working on an application that utilizes ASP.NET Core Identity and Identity Server, and I am trying to implement a login flow with second factor authentication.

From the examples provided by Microsoft, it seems that once the user logs in with their email and password, the system calls the SignIn method, sets the cookies, and then redirects the user to the Multi-Factor Authentication (MFA) page. However, this flow doesn’t seem to be feasible with an Identity Provider, as the user would technically be logged in before entering the second factor, especially if a client is attempting an OpenID/OAuth flow.

In the scenario where a user needs to log in with a second factor, is there a mechanism that can protect the MFA page and ensure that the user isn’t fully logged in yet? If I were to implement this manually, would the safest approach be to use non-authentication cookies or TempData?

I hope my question is clear. This seems like a fairly common situation, but it doesn’t appear to be directly handled by the framework. Any insights or suggestions would be greatly appreciated.
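The two-step flow described in the question, as an added example that is not part of the original post: ASP.NET Core Identity's `SignInManager` issues only an intermediate `Identity.TwoFactorUserId` cookie after the password step and sets the application cookie only once the second factor verifies. The controller, action and view names are hypothetical, and it assumes user names are e-mail addresses and that the identity provider's authorize endpoint authenticates against the application cookie.

```csharp
// Added example, not code from the original post. Controller, action and view
// names are hypothetical; assumes user name == e-mail address.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

[AllowAnonymous]
public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signIn;
    public AccountController(SignInManager<IdentityUser> signIn) => _signIn = signIn;

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string email, string password, string returnUrl)
    {
        var result = await _signIn.PasswordSignInAsync(
            email, password, isPersistent: false, lockoutOnFailure: true);
        // Password accepted but 2FA is enabled: only the intermediate
        // Identity.TwoFactorUserId cookie is issued, not the application cookie,
        // so a pending authorize request still sees an anonymous user.
        if (result.RequiresTwoFactor)
            return RedirectToAction(nameof(LoginWith2fa), new { returnUrl });
        if (result.Succeeded) return SafeRedirect(returnUrl);
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return View();
    }

    [HttpGet]
    public async Task<IActionResult> LoginWith2fa(string returnUrl)
    {
        // Null unless the intermediate cookie from the password step is present.
        var user = await _signIn.GetTwoFactorAuthenticationUserAsync();
        if (user is null) return RedirectToAction(nameof(Login), new { returnUrl });
        ViewData["ReturnUrl"] = returnUrl;
        return View();
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> LoginWith2fa(string code, string returnUrl)
    {
        // Reads the intermediate cookie, verifies the authenticator code and,
        // on success, issues the application cookie (the real sign-in).
        var result = await _signIn.TwoFactorAuthenticatorSignInAsync(
            code, isPersistent: false, rememberClient: false);
        if (result.Succeeded) return SafeRedirect(returnUrl);
        if (result.IsLockedOut) return RedirectToAction(nameof(Login));
        ModelState.AddModelError(string.Empty, "Invalid authenticator code.");
        return View();
    }
    // Only follow local return URLs (such as the authorize callback) to avoid open redirects.
    private IActionResult SafeRedirect(string returnUrl) =>
        Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : Redirect("~/");
}
```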
