This repository has been archived by the owner on Dec 20, 2018. It is now read-only.
I'm developing an ASP.NET MVC app using ASP.Net Identity 2.2.1 in Visual Studio 2017. The app is for internal use only, does not use 2FA or password recovery and will have accounts managed by the user's manager.
In light of this I changed the login page to use the UserName field instead of the Email address field to identify the user. When I created users in dbo.AspNetUsers I populated the Email field with the same value as the UserName field, e.g. JoeB. Doing so does not affect the login process, but when it comes to triggering Automatic Lockouts for failed login attempts, this feature fails to trigger.
The following email addresses won't trigger a Lockout:
NULL
JoeB
JoeB@
Anything of the form alphanumeric@alphanumeric seems to be OK (e.g. JoeB@example).
Taking a look at the ASP.Net identity source code I think this bug is related to the last method in this call chain:
SignInManager.CheckPasswordSignInAsync()
UserManager.AccessFailedAsync(user)
UserManager.UpdateUserAsync()
UserManager.UpdateNormalizedEmailAsync(user)
Since the email address doesn't exist or is invalid (according to some internal check?), the UpdateNormalizedEmailAsync(user) fails in some way causing the following record store.IncrementAccessFailedCountAsync(user, CancellationToken) to not be committed to the database.
Running SQL Profiler confirms that the SQL to update dbo.AspNetUsers.AccessFailedCount is never sent to the database if the email address is invalid.
This behavior may be by design (for reasons not obvious to me), but I've wasted many hours wrestling with this issue so I thought I would log it here in case anyone else gets tripped up by it.
P.S. The ApplicationManager.SupportsUserEmail is read-only so I can't use this to signal that Email address is not relevant.
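An added example for Identity 2.x (not code from ASP.NET Identity or from the reporter): an audit that runs the manager's configured UserValidator over every account, and a wrapper that checks the IdentityResult returned by AccessFailedAsync instead of discarding it. It assumes string keys and a queryable user store, and that the missing update comes from the user failing validation, which this thread does not confirm; `LockoutAudit` and its method names are hypothetical.

```csharp
// Added example; LockoutAudit and its method names are hypothetical.
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

public static class LockoutAudit
{
    // Runs the manager's own UserValidator over every account and returns the
    // user names that fail, with the validator's error messages.
    // Assumption: these are the accounts whose failed-attempt counter is not saved.
    // Requires a store that implements IQueryableUserStore.
    public static async Task<IDictionary<string, string[]>> FindUsersFailingValidationAsync<TUser>(
        UserManager<TUser, string> manager)
        where TUser : class, IUser<string>
    {
        var failures = new Dictionary<string, string[]>();
        foreach (var user in manager.Users.ToList())
        {
            IdentityResult result = await manager.UserValidator.ValidateAsync(user);
            if (!result.Succeeded)
            {
                failures[user.UserName] = result.Errors.ToArray();
            }
        }
        return failures;
    }

    // Records a failed password attempt and reports whether the manager accepted
    // the update, so a rejected update is logged rather than silently dropped.
    public static async Task<bool> RecordFailedAttemptAsync<TUser>(
        UserManager<TUser, string> manager, TUser user)
        where TUser : class, IUser<string>
    {
        IdentityResult result = await manager.AccessFailedAsync(user.Id);
        if (!result.Succeeded)
        {
            Trace.TraceError("Failed-attempt counter not saved for '{0}': {1}",
                user.UserName, string.Join("; ", result.Errors));
        }
        return result.Succeeded;
    }
}
```

Running the audit once against the existing user table lists every account that would be affected before anyone relies on lockout for it.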
Closing as this isn't an issue with Core. We won't be changing something like this with older versions of identity templates, but it's possible we will revisit this for future Core versions of identity in the linked #1721.