Hey @Grant-Hoover! I’m chiming in with an alternative approach.
What I would do is simply create the session for the user after the signup, without doing the resource owner password grant token exchange. E.g.:
```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

[HttpPost]
public async Task<IActionResult> SignUp(NewUserData user)
{
    // this is your process that calls Management API v2
    // to create the user and any other necessary tasks
    var createUserResult = await CreateUser(user);

    // Everything's good, now go ahead and sign the user in
    var claims = new List<Claim>
    {
        new Claim(ClaimTypes.Email, user.Email),
        new Claim(ClaimTypes.Name, user.Name),
        new Claim(ClaimTypes.NameIdentifier, user.UserId),
        // ... add whatever other claims you have, either from the user form
        // or from the response from the Management API v2
    };

    // Cookie-scheme identity; the scheme name must match the one registered
    // with AddCookie() in the app's authentication setup
    var claimsIdentity = new ClaimsIdentity(
        claims, CookieAuthenticationDefaults.AuthenticationScheme);

    // Issues the authentication cookie on this response
    await HttpContext.SignInAsync(
        CookieAuthenticationDefaults.AuthenticationScheme,
        new ClaimsPrincipal(claimsIdentity));

    return this.Redirect("/");
}
```
WDYT?
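A fuller version of the sign-in-after-signup flow described in the reply above, as an added example that is not code from the original post or from any project it refers to. It assumes ASP.NET Core with cookie authentication registered in Program.cs (registration shown in the trailing comment) and a hypothetical `IUserProvisioner` / `ProvisionedUser` pair standing in for the Management API v2 create-user call; `NewUserData` and `AccountController` are likewise assumed names. The points it adds beyond the snippet above: the session is only created once the create call has succeeded, the identifier claim is taken from the server-side creation result rather than from the posted form, the cookie carries an explicit lifetime, and the redirect is restricted to local URLs.

```csharp
// Added example (not from the original post). Assumes ASP.NET Core 6+ cookie
// authentication (see the Program.cs comment at the bottom) and a hypothetical
// IUserProvisioner wrapping the Management API v2 create-user call.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

// Posted form data; bound by MVC from the sign-up form.
public record NewUserData(string Email, string Password, string Name);

// Hypothetical result of the create-user call: the fields a user-management
// API returns once the account exists, including the id it assigned.
public record ProvisionedUser(string UserId, string Email, string Name);

public interface IUserProvisioner
{
    // Hypothetical wrapper around Management API v2; returns null on failure.
    Task<ProvisionedUser?> CreateAsync(NewUserData user);
}

public class AccountController : Controller
{
    private readonly IUserProvisioner _provisioner;

    public AccountController(IUserProvisioner provisioner) => _provisioner = provisioner;

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> SignUp(NewUserData user)
    {
        if (!ModelState.IsValid)
            return View(user);

        // Create the user first; no session exists until this has succeeded.
        var created = await _provisioner.CreateAsync(user);
        if (created is null)
        {
            ModelState.AddModelError(string.Empty, "Sign-up failed.");
            return View(user);
        }

        // Build the identity from the creation result, not from the posted form,
        // so NameIdentifier is the id the backend assigned, never a client-chosen value.
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, created.UserId),
            new Claim(ClaimTypes.Email, created.Email),
            new Claim(ClaimTypes.Name, created.Name),
        };
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);

        // Explicit lifetime for the cookie session created here.
        var props = new AuthenticationProperties
        {
            IsPersistent = false,                             // session cookie only
            IssuedUtc = DateTimeOffset.UtcNow,
            ExpiresUtc = DateTimeOffset.UtcNow.AddHours(1),
        };

        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(identity),
            props);

        // LocalRedirect throws on non-local URLs, so a returnUrl parameter
        // can be added later without opening an off-site redirect.
        return LocalRedirect("/");
    }
}

/* Program.cs registration this controller relies on (needs
   using Microsoft.AspNetCore.Http; for CookieSecurePolicy and SameSiteMode):

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax;
        options.SlidingExpiration = true;
        options.LoginPath = "/Account/Login";
    });

app.UseAuthentication();
app.UseAuthorization();
*/
```

The split between `NewUserData` (what the browser sent) and `ProvisionedUser` (what the backend confirmed) is the design choice to keep: claims that end up in the session cookie should describe the account that was actually created, which is why the identifier comes from the create call's response rather than from a form field.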