We're using IdentityServer to authenticate users on our website.
When users have registered we send out an activation mail, with a key that's generated using GenerateEmailConfirmationTokenAsync
The activation works, but we would like to have the users logged in after activation.
Is it possible - without saving sensitive data outside the IdentityServer - to login a user after activation?
Yes; There is an OWIN extension method called IssueLoginCookie (https://identityserver.github.io/Documentation/docsv2/advanced/owin.html) that you can use to issue the IdentityServer login cookie. The only requirement is that this MVC controller/action must be running in the same pipeline that's running IdentityServer (since IdentityServer is the one issuing the cookie). You'd then need to know the URL of the client app to redirect the user to.