This repository has been archived by the owner on Dec 14, 2017. It is now read-only.

Authenticate with MobilePhoneNumber. #188

Closed
mikeandersun opened this issue Dec 20, 2013 · 10 comments

Comments

@mikeandersun

Authenticate with MobilePhoneNumber is a nice feature to have. What's your thought?

@brockallen
Owner

And password, I assume?

@mikeandersun
Author

I think it requires a cellphone-centric registration, providing a MobilePhoneNumber and a password; then we can authenticate with MobilePhoneNumber and password. This flow is better for mobile-based applications. Of course, we have an email (username)-centric registration and authentication flow in general (better for web applications).
Thanks for your attention.

@mikeandersun
Author

Just think: the user doesn't have any email. Are there signup and sign-in solutions?
Best,

@brockallen
Owner

It's a big change. I don't have the cycles right now to think about the ramifications.

@mikeandersun
Author

I think we need other methods for signup and sign-in with mobile, so we separate the two flows (mobile and email).
Then we can have 3 methods for authentication: with username, with email and with mobile number.
You override the user name with email if EMAILISUSERNAME is true. In my opinion we do not need this option, and it is better that authentication be on: username + password, mobilenumber + password, email + password.
If you agree with the approach, give me some advice. I can contribute with you to have it.
I think this flexibility is useful for businesses that have a native app and a web interface for their own business.
Best,

@girtsl
Contributor

girtsl commented Jan 8, 2014

First of all, thanks for making this and also providing the source!
I have the same requirement - login using mobile phone number - for a project I'm working on.

I thought using the phone number as username would be sufficient until a proper solution is in place, but the built-in validation requires the username to contain at least one letter. Unfortunately there doesn't seem to be an easy way to override it. The configuration only allows adding new validations.
Is there a good (security related) reason for this validation rule - 'UsernameOnlyContainsLettersAndDigits'?

Alternatively could you please implement means to easily override built-in functionality (e.g. validation) without ending up re-creating the whole thing sans some features? I believe this was one of the reasons why this project came into existence :)

@brockallen
Owner

There are two issues here: 1) mobile phone for username, and 2) username validation.

For (1) I mentioned above that it's an interesting idea, but I don't have the time right now. If someone feels they're up to that challenge, go ahead and we can discuss and then do a PR.

For (2), I didn't want usernames like "$%". I don't see much benefit in usernames like that and there are ways that might be used against a novice website developer. If there's something specific that you need to allow for username, please open a new issue (I don't want the two threads to get polluted with mixed topics).

@brockallen
Owner

So now that usernames can contain all digits, does this allow for MR to be used in an app where the username is the mobile phone? I could see a custom app building an AccountCreatedEvent event handler to then call ChangeMobilePhoneRequest to verify it.

@girtsl
Contributor

girtsl commented Jan 9, 2014

Calling ChangeMobilePhoneRequest in a custom AccountCreatedEvent will result in the user not being able to verify the email address as the VerificationKey gets overridden. If the users only need to authenticate using MobilePhoneNumber and the email verification email is not sent at all, then I guess it's fine but to verify both email and mobile phone, the ChangeMobilePhoneRequest should be called after the user has verified the email address.

Judging from the OP's last post, they would want to authenticate with either username+password, email+password or mobile+password. Don't see much point of the username being different from email or mobile phone, but maybe the OP has some specific requirements.
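The key-overwrite problem described in the comment above, as an added example that is not part of the original thread and is not MembershipReboot code. It assumes a single per-account verification slot; `Account`, `Purpose`, `Issue` and `Verify` are hypothetical names, and only `VerificationKey` comes from the thread.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical model (assumption): one VerificationKey slot per account,
// shared by every pending verification, as the comment above describes.
enum Purpose { None, Email, MobilePhone }

class Account
{
    public string VerificationKey = "";      // empty string means nothing is pending
    public Purpose KeyPurpose = Purpose.None;
    public bool EmailVerified, MobileVerified;

    // Issues a fresh random key and overwrites whatever was pending before.
    public string Issue(Purpose purpose)
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        VerificationKey = Convert.ToBase64String(bytes);
        KeyPurpose = purpose;
        return VerificationKey;
    }

    // Accepts a key only for the purpose it was issued for; the slot is single-use.
    public bool Verify(Purpose purpose, string key)
    {
        if (string.IsNullOrEmpty(key) || VerificationKey.Length == 0 || KeyPurpose != purpose) return false;
        // Constant-time comparison so the check does not leak how much of the key matched.
        if (!CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(key), Encoding.UTF8.GetBytes(VerificationKey))) return false;
        if (purpose == Purpose.Email) EmailVerified = true; else MobileVerified = true;
        VerificationKey = ""; KeyPurpose = Purpose.None;
        return true;
    }
}

static class Demo
{
    static void Main()
    {
        // Order 1: the mobile request is issued from the account-created handler.
        var a = new Account();
        var emailKey = a.Issue(Purpose.Email);       // key placed in the verification email
        var smsCode = a.Issue(Purpose.MobilePhone);  // handler runs and replaces the slot
        Console.WriteLine("order 1, email link accepted:  " + a.Verify(Purpose.Email, emailKey));
        Console.WriteLine("order 1, mobile code accepted: " + a.Verify(Purpose.MobilePhone, smsCode));

        // Order 2: the mobile request is issued only after the email has been verified.
        var b = new Account();
        emailKey = b.Issue(Purpose.Email);
        Console.WriteLine("order 2, email link accepted:  " + b.Verify(Purpose.Email, emailKey));
        smsCode = b.Issue(Purpose.MobilePhone);
        Console.WriteLine("order 2, mobile code accepted: " + b.Verify(Purpose.MobilePhone, smsCode));
    }
}
```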

@brockallen
Owner

Given that I don't foresee making this change, I'll close this issue. Thanks.
