PasswordSignInAsync with duplicate emails Sequence contains more than one element exception

[dotnetshadow]

Describe the bug

I have an asp.net core 3.0 app and I wanted to be able to sign in using a username instead of an email address. Because I'm importing a legacy system there could be a chance that multiple usernames share the same email address.

Using the default identity razor scaffold when looking at the login code:
var result = await _signInManager.PasswordSignInAsync(username, Input.Password, Input.RememberMe, lockoutOnFailure: true);

If I enter a username and incorrect password I get the following error:
InvalidOperationException: Sequence contains more than one element

It seems I can't login anymore with users that share duplicate email addresses?

To Reproduce

Steps to reproduce the behavior:

1. Create an asp.net core 3.0 app with identity
2. Scaffold the identity
3. Add a couple of users with different usernames belonging to the same email address
4. Try to login and enter the wrong password

Expected behavior

It should return a failed result instead of Sequence contains more than one element

Screenshots

Additional context

InvalidOperationException: Sequence contains more than one element

    System.Linq.ThrowHelper.ThrowMoreThanOneElementException()
    System.Linq.Enumerable.SingleOrDefault<TSource>(IEnumerable<TSource> source)
    Microsoft.EntityFrameworkCore.Query.Internal.QueryCompiler.Execute<TResult>(Expression query)
    Microsoft.EntityFrameworkCore.Query.Internal.EntityQueryProvider.Execute<TResult>(Expression expression)
    System.Linq.Queryable.SingleOrDefault<TSource>(IQueryable<TSource> source)
    Microsoft.AspNetCore.Identity.EntityFrameworkCore.UserStore<TUser, TRole, TContext, TKey, TUserClaim, TUserRole, TUserLogin, TUserToken, TRoleClaim>.FindByEmailAsync(string normalizedEmail, CancellationToken cancellationToken)
    Microsoft.AspNetCore.Identity.UserManager<TUser>.FindByEmailAsync(string email)
    Microsoft.AspNetCore.Identity.UserValidator<TUser>.ValidateEmail(UserManager<TUser> manager, TUser user, List<IdentityError> errors)
    Microsoft.AspNetCore.Identity.UserValidator<TUser>.ValidateAsync(UserManager<TUser> manager, TUser user)
    Microsoft.AspNetCore.Identity.UserManager<TUser>.ValidateUserAsync(TUser user)
    Microsoft.AspNetCore.Identity.UserManager<TUser>.UpdateUserAsync(TUser user)
    Microsoft.AspNetCore.Identity.UserManager<TUser>.AccessFailedAsync(TUser user)
    Microsoft.AspNetCore.Identity.SignInManager<TUser>.CheckPasswordSignInAsync(TUser user, string password, bool lockoutOnFailure)
    Microsoft.AspNetCore.Identity.SignInManager<TUser>.PasswordSignInAsync(TUser user, string password, bool isPersistent, bool lockoutOnFailure)
    Foo.Web.Areas.Identity.Pages.Account.LoginModel.OnPostAsync(string returnUrl) in Login.cshtml.cs

                    var result = await _signInManager.PasswordSignInAsync(user, Input.Password, Input.RememberMe, lockoutOnFailure: true);

Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.ExecutorFactory+GenericTaskHandlerMethod.Convert<T>(object taskAsObject)
Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.ExecutorFactory+GenericTaskHandlerMethod.Execute(object receiver, object[] arguments)
Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeHandlerMethodAsync()
Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeNextPageFilterAsync()
Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.Rethrow(PageHandlerExecutedContext context)
Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.Next(ref State next, ref Scope scope, ref object state, ref bool isCompleted)
Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeInnerFilterAsync()

asp.net core 3.0
#4539 (comment)

[dotnetshadow]

Found the issue,
options.User.RequireUniqueEmail = true;
It seems this property is now being used when trying to signin.
I was upgrading from asp.net core 2.x

[dotnetshadow]

I'm reopening this to work out if this was a breaking change,
Also if the username and password are being supplied, why does it throw a sequence exception instead of a fail?

[blowdart]

The error is wrong certainly. I'll get that looked at

[HaoK]

That's always been the error if RequireUniqueEmail = true and there are duplicate emails. We can add an explicit check for duplicate emails but that would be an additional check for the happy case just to improve the error message, that's the trade off

[dotnetshadow]

@HaoK thanks for looking into this

I'm a little confused, why am i able to sign in if i put the right password, but if i enter the wrong password it causes the exception? Shouldn't it be consistent? Either I always get an error or I don't?

Furthermore if im passing the user object into thIs method, shouldn't it know which exact user im talking about?

[HaoK]

Its failing doing an email lookup when doing validation on the user, the jist of it is, your database is in an invalid state if you have duplicate emails when requireuniqueemails is true, you need to set that flag to false in that situation

[dotnetshadow]

@HaoK cheers thanks for the explanation and clearing that up.

In what version of asp.net core was this error introduced? I have been updating my project from dnx days to core so I'm interested to know if this is an asp.net core 3.0 or 2.x issue?

I guess I would need to clean out my duplicates, or if I want to keep my duplicates and prevent further duplicate emails from being created, I would have to manually handle this myself?

[HaoK]

Yeah you need to clean out the duplicates or turn the require unique emails flag to false, this behavior is by design basically

[HaoK]

Its not really an error, its just a side effect of some of the linq we do with EF, we use single or default since the expectation is that emails are unique, hence the Sequence contains more than one error.