I don't understand how to have some endpoints that create "steps" in the flow. I would want to have the following steps
1. Enter identifier (email, oidc connection)
2. Enter password or login through alternative methods
3. Enter 2fa code if configured

I'd say 2 API endpoints

1 that takes email and password, another that takes MFA token

What about the oidc connections

Ah, right, that'd probably be 3rd

so

/auth/login/email
/auth/login/oidc
/auth/login/mfa

Something like that, yeah

Hmm okay

Now if the user requires 2fa, should I give them a session but have a property on that session indicating if they've completed 2fa?

Not sure about that. I use SignInManager from Identity, and it seems to handle it for me lol

That does simplify the flow a lot, I wouldn't have to store flow state on the server

var result = await _signInManager.PasswordSignInAsync(Input.Name, Input.Password, Input.RememberMe, true);

if (result.RequiresTwoFactor)
{
    // requires MFA
}

and if MFA is required,

var result = await _signInManager.TwoFactorAuthenticatorSignInAsync(authenticatorCode, rememberMe, Input.RememberMachine);

is how I have it set up

Not sure what it does behind the scenes, but probably does store something temporarily in the session or something

yeah I assume this is mvc?

Razor Pages, but it should be the same for MVC or an API

I have an SPA

SignInManager is UI-agnostic

hmm okay

I'll go with the session route

Thanks for your time