I have a MVC application configured to use ASP.NET Identity. More specifically, I've configured the application to use OAuth. Everything is working perfectly as-is. I can pass a username/password to my token endpoint and receive a token in return. I have refresh tokens configured, I stripping default claims and adding my own, authorization attributes implemented, etc.
I have a new requirement to generate a token based on non- username / password combination. The combination is similar to username/password at a high level: user passes two pieces of about themselves and, if true, a JWT is returned (just like with username/password).
Let's say I have a Person and AspNetUser table. Some Person records will be AspNetUsers, but not all of them. The ones that are not would like to authenticate using the method I described above. I guess, technically they can be AspNetUser records but with no configured password and possibly email.
I'm having difficulty coming up with a proper solution to the problem. Do I create a custom endpoint to take this alternative auth credentials and return a bearer token? If so, any advice on the proper way to leverage .NET Identity to return the token? Do I modify my custom OAuthAuthorizationServerProvider to account for this alternate method? If so, any advice on creating a "fake" (i.e. user does not exist in the AspNet* tables) identity to be return to the client?
As always, any help is appreciated.