Most of the logic related to authentication happens in LoginHandler.vb.
This article lists and tries to explain the individual steps in LoginHandler.
Also, see the article with the overview of the login process.

A. Preparation

A1. Get Authentication State

Tries to get the user's Authentication State from the Session State Server. If no state can be retrieved, a new AuthenticationState is created and stored on the Session State Server.
Authentication.AuthenticationState keeps:
  • Parameters
  • MetaInfo
  • AuthenticationSteps
  • CurrentStep
  • CurrentAlternative
  • CurrentFallback

A2. Process parameters

Parameters in the query string are processed. If at least one of AuthenticationState.GetNextParameters():
  • Has allowInQuery="true"
  • AND a non-empty value for the parameter is specified in the query string
  • AND AuthenticationState.SupplyParameter(vParameter, vParameterValue) returns true (the parameter is accepted)

A3. Determine if it should Process Steps and Authenticate (boolean variable)

Process Steps and Authenticate = true If:
  • Alt 1: This is a POST request
  • Alt 2: One of the Alternative Authentication Steps is activated by a query parameter. Requires:
    • The Alternative step must have allowInQuery="true"
    • AND a query parameter with the same name as the Step (spaces replaced with underscores) was passed
    • AND the Alternative Step must have AutoProcess="true"
  • Alt 3: Two factor:
    • Query String specifies RequireTwoFactor=1
    • AND AuthenticationState.IsVerified
    • AND AuthenticationState.RequireTwoFactor() = true. Note: after this, .IsVerified is most likely false because new multifactor steps were added.
  • Alt 4: Parameters:
    • At least one parameter was supplied and accepted
    • AND All Current Parameters have been supplied
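The A3 decision modelled as one function (an added example, not code from LoginHandler.vb). The `State` and `Step` classes, the step name used in testing, the evaluation order Alt 1 to Alt 4 and the side effect of `require_two_factor()` are assumptions based on the list and note above; the function returns the name of the alternative that matched instead of a plain boolean.

```python
from dataclasses import dataclass, field

@dataclass
class Step:                       # hypothetical model of an alternative step
    name: str
    allow_in_query: bool = False
    auto_process: bool = False

@dataclass
class State:                      # hypothetical stand-in for AuthenticationState
    is_verified: bool = False
    can_add_two_factor: bool = True             # constructed: result of RequireTwoFactor()
    alternatives: list = field(default_factory=list)
    pending: set = field(default_factory=set)   # current parameters still missing

    def require_two_factor(self):
        # Assumed side effect, per the note in A3: adding multifactor steps
        # leaves the state unverified again.
        if not self.can_add_two_factor:
            return False
        self.is_verified = False
        return True

def should_process(method, query, state, accepted):
    """Return the matching alternative, or None to skip processing.

    query:    dict of query-string parameters
    accepted: number of query parameters accepted in step A2
    """
    if method == "POST":                                        # Alt 1
        return "post"
    for step in state.alternatives:                             # Alt 2
        key = step.name.replace(" ", "_")
        if step.allow_in_query and step.auto_process and key in query:
            return "alternative"
    # Alt 3: test is_verified before calling require_two_factor(), because the
    # call changes the state; an unverified session must be left untouched.
    if (query.get("RequireTwoFactor") == "1" and state.is_verified
            and state.require_two_factor()):
        return "two_factor"
    if accepted > 0 and not state.pending:                      # Alt 4
        return "parameters"
    return None
```

Alt 2 to Alt 4 are the paths by which a GET request can trigger authentication processing, so they are the ones to cover when testing changes to allowInQuery or AutoProcess settings.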

B. Processing

B1. Process Steps and Authenticate = true (see A3.)

  • Handle JSON / Form Parameters
  • If handling the parameters was successful, then try to authenticate
  • Write response:
    • If the client accepts JSON, then write the response back with "success" = true/false
    • If the client does not accept JSON, then:
      • On success, redirect (if the ReturnUrl parameter is specified); otherwise write the Login Page
      • If not successful, write the Login Page (HTML)
    • If any exceptions happened, reset the Authentication State and write the response (JSON or HTML)

B2. Process Steps and Authenticate = false (see A3.)

  • If authentication is OK, AuthenticationState.IsVerified is true and ReturnUrl is specified, then:
    • Redirect to ReturnUrl
  • Else
    • If the client accepts JSON, then write back the Authentication State as a JSON response
    • Else, write the Login Page (HTML)
