I have an MVC 5 app that uses OWIN middleware for Identity Framework. Right now it's working correctly and sends unauthorized users to the Account/Login page. The app uses local login (not facebook/google etc).
I need to change it so that it opens a modal popup asking for username/password instead of redirecting to a page. How would I do that?
Update: Thanks @SteveGreene and @chris. Let me clarify a little bit more. Yes I know I can easily use a modal popup when the user explicitly wants to login. What I want is when they click a link to a controller/action that requires authorization, instead of the app redirecting them to login page (or the controller page), it should show a popup. Once they login the page should then be redirected to the controller/action they requested. If I were to take Chris's suggestion and check within the controller, I would not be able to use [Authorize] attribute correct? Is there a better way then just checking for authentication manually in all the actions?
Really, this is not any different than just a standard login form. The only real difference is that the form is within a modal popup hidden initially, part of the layout or otherwise on every page, and any login links you have will merely activate this popup rather than navigate to a new URL. After login, you're going to still want to do a redirect even if it's back to the same page, just so MVC can actually fill in the user principal in the HttpContext.
However, you're still going to need a standard login form for redirecting to when the user navigates to a page requiring authorization. First, you can't dynamically set the URL MVC will navigate unauthorized users to. It's set in the web.config and that's all you get. Second, even if you could, you can't simultaneously protect a page and display it, even if you intend to have a modal login form displayed on top of it. You would have to allow anonymous access to all pages, at which point you could determine if the user is authenticated or not on page and show the login form modal if necessary. However, at this point, a clever user could just dig into the developer tools of their browser and just remove the modal and proceed to work with the page.
Long and short, you can have a modal login form for when the user explicitly chooses to login, but if they hit a page requiring authorization, you'll still need a standard form to redirect them to.