identityserver4

User Authentication through API using IdentityServer4


I'm looking into IdentityServer4 as a possible solution for managing users and API access tokens. One thing that is not clear is if it's possible to provide authentication through API calls or are we forced to use a login page hosted by IdentityServer4?

With respect to user experience in mobile apps, it's always nicer to provide a simple login screen within the app, as opposed to opening a web page that handles the login process.

Are we forced to use a login / registration page hosted by IdentityServer4 or can it be handled through API calls?


Solution

  • Login should occur on the IdentityServer website for the simple reason that a client can't be trusted with the user credentials.

    When the user logs in on the IdentityServer website, the client remains ignorant of the credentials. The user is either authenticated or the request is rejected.

    Please note that an embedded browser for a 'good user experience' is also not recommended, as this will require the user to enter the credentials in an unsafe environment (credentials could be captured), even when the IdentityServer website is shown.

    For user experience, you can use the client_id and acr_values as additional parameters to customize the login page on IdentityServer.
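As an added example (not part of the question or the answer above), the flow the answer recommends, seen from the mobile client's side in Python: the app builds an authorization-code request with PKCE and acr_values and hands it to the system browser, never touching the password itself, and the server-side helper shows how IdentityServer4 reads the idp:/tenant: prefixes in acr_values. The issuer URL, client_id and redirect URI are constructed placeholders.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed placeholders; a real deployment uses its own issuer and client registration.
ISSUER = "https://idsvr.example.com"
CLIENT_ID = "mobile-app"
REDIRECT_URI = "com.example.app:/callback"


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) per RFC 7636, method S256.

    The verifier never leaves the app; only the challenge goes in the request,
    so an intercepted authorization code cannot be redeemed without it."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(code_challenge: str, state: str, acr_values: str) -> str:
    """Authorization request a native app opens in the system browser.

    No credentials appear here: the user enters them only on the IdentityServer
    login page, which acr_values lets the client customise."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile api1",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "acr_values": acr_values,
    }
    return f"{ISSUER}/connect/authorize?" + urlencode(params)


def parse_acr_values(acr_values: str) -> dict:
    """Split space-separated acr_values the way IdentityServer4 treats the
    'idp:' and 'tenant:' prefixes; other values are passed through untouched."""
    result = {"idp": None, "tenant": None, "other": []}
    for token in acr_values.split():
        if token.startswith("idp:"):
            result["idp"] = token[len("idp:"):]
        elif token.startswith("tenant:"):
            result["tenant"] = token[len("tenant:"):]
        else:
            result["other"].append(token)
    return result
```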