Feature Request: Hide or Disable Specific ASP.NET Core Identity Endpoints and Return Bearer Tokens via SignInManager

[KMastalerz]

Is there an existing issue for this?

• I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

I've been searching for documentation and solutions, but I couldn't find anything from Microsoft regarding hiding or disabling specific ASP.NET Core Identity endpoints. My use case is as follows:

Hide Default Identity Endpoints: I would like to use my own custom registration process and prevent exposure of the default Identity registration endpoint. While I know that I can override or replace these endpoints by creating extensions, I’m wondering if there is a built-in way to disable or hide specific Identity endpoints without manual intervention.

SignInManager and Bearer Token Support: I am also considering creating a custom login flow using SignInManager. However, I have noticed that SignInManager does not support generating and returning bearer tokens. It requires manual token generation and additional configuration for authentication, which can be cumbersome and this is tomething I wanted to avoid.

It would be useful if SignInManager could optionally return bearer tokens directly upon successful login, avoiding the need for developers to handle token generation and authentication configuration separately. This would simplify development in cases where we want to use ASP.NET Core Identity but prefer not to handle token generation ourselves. But also would not limit us, to create out own Tokens when we do not want to.

Describe the solution you'd like

Provide a way to hide or disable specific ASP.NET Core Identity endpoints, such as registration, login, etc., either through configuration or built-in mechanisms.

Add support for returning bearer tokens directly via SignInManager without requiring manual token generation and configuration.

Additional context

I want to Login with phone/email/login but also other thru other contexts, like customed ID, although this one is for desktop app. This is due to how original application had worked.

Im creating my own Registration endpoint, since I want more details to be required on registration. Including my own User table fields.

[MackinnonBuck]

The ability to map identity endpoints separately is tracked by #55792.

SignInManager does support generating Bearer tokens - see https://learn.microsoft.com/aspnet/core/security/authentication/identity-api-authorization#use-token-based-authentication.

Does this meet your needs? If not, could you elaborate on what additional requirements you have?

[KMastalerz]

It's not really what i need.

Yes i can map them separately, and i do that in form of extension, althouth i find it not clean at all.

But the biggest issue is AccessTokenResponse, what id like to be able to do, is to return CustomAccessTokenResponse, so my predefined object, which contains more infromation than standard AccessTokenResponse.

Right now it's possible, but i would have to also handle generation and Authentication of tokens myself. But id like to use signInManager to do so.

So for example I want to implement my own login, as login by email which is name is confusing and not sufficient.

Id like to do somthing in lines of:

var user = await usermanager.findbyemailasync(login.email) ??
	await usermanager.findbynameasync(login.email) ?? 
	throw new notfoundexception(nameof(user), login.email);

var result = await signInManager.PasswordSignInAsync(user, login.Password, isPersistent, lockoutOnFailure: true);

The other issue even if this would be resolver is fact that there are other entities that allow login in my app. And support for this has to maintained but i styll can narrow down user so PasswordSignInAsync would suffice.

Last but not least I'd like to return a different object from login and not have to make two separete HTTP Requests for them.

For instance, this is current response format:

{
  "tokenType": "string",
  "accessToken": "string",
  "expiresIn": 0, 
  "refreshToken": "string"
}

Id like to return for isntance:

{
  "tokenType": "string",
  "accessToken": "string",
  "expiresIn": 0, 
  "refreshToken": "string",
  "encryptionKey": "string", // needed to encrypt cookie/session and local storage
  "userRole": "string" // main role for the user which is used for routes
}

The problem is that signInManager at PasswordSignInAsync is laready producing response. Id like to mitigate that behaviour and return tokens instead to result from calling the PasswordSignInAsync. Which would allow me to return custome response. But, in addition to that I would love to also maintain functionality, where I do not have to configure builder.Services.AddAuthentication();.